Software Management Guide
NXA-ENET24 Managed Ethernet Switches
Network/Communication
Last Revised: 3/19/2010
AMX Limited Warranty and Disclaimer

This Limited Warranty and Disclaimer extends only to products purchased directly from AMX or an AMX Authorized Partner, which includes AMX Dealers, Distributors, VIPs or other AMX authorized entity.
Introduction

The NXA-ENET24 Fast Ethernet switch is specifically designed to protect the video streams coming from AMX’s MAX units to the Audio Video Modules (AVM). Standard switches will reduce bandwidth from all applications when there is heavy data traffic passing through the switch. For streaming audio and video applications this will cause skipping and jitter in the audio and video feeds. This is unacceptable for AMX’s applications.
Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based VLANs provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network.
addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 8K addresses.

Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port.
RIP – This protocol uses a distance-vector approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost.

OSPF – This approach uses a link state routing protocol to generate a shortest-path tree, then builds up its routing table based on this tree.
Software Specifications (Cont.)

Software Features (Cont.)

Port Trunking:
• Static trunks (Cisco EtherChannel compliant)
• Dynamic trunks (Link Aggregation Control Protocol)

Spanning Tree Protocol:
• Spanning Tree Protocol (STP, IEEE 802.1D)
• Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w)

VLAN Support:
• Up to 255 groups; port-based, protocol-based, or tagged (802.
Software Specifications (Cont.)

Standards:
• IEEE 802.3 Ethernet
• IEEE 802.3u Fast Ethernet
• IEEE 802.3x full-duplex flow control (ISO/IEC 8802-3)
• IEEE 802.3z Gigabit Ethernet
• IEEE 802.3ab 1000BASE-T
• IEEE 802.3ac VLAN tagging
• IEEE 802.1Q VLAN
• IEEE 802.3ad Link Aggregation Control Protocol
• IEEE 802.1D Spanning Tree Protocol and traffic priorities
• IEEE 802.1p priority tags
• IEEE 802.1w Rapid Spanning Tree Protocol
• IEEE 802.
Software Specifications (Cont.)

Management Information Bases:
• Bridge MIB (RFC 1493)
• Entity MIB (RFC 2737)
• Ethernet MIB (RFC 2665)
• Ether-like MIB (RFC 1643)
• Extended Bridge MIB (RFC 2674)
• Extensible SNMP Agents MIB (RFC 2742)
• Forwarding Table MIB (RFC 2096)
• IGMP MIB (RFC 2933)
• Interface Group MIB (RFC 2233)
• Interfaces Evolution MIB (RFC 2863)
• IP Multicasting related MIBs
• MIB II (RFC 1213)
• PIM MIB (RFC 2934)
• Port Access Entity MIB (IEEE 802.
System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (see the Downloading System Software from a Server section on page 34). The following table lists some of the basic system defaults.
System Defaults (Cont.)

IP Settings
• Management VLAN: 1
• IP Address: 0.0.0.0
• Subnet Mask: 255.0.0.0
• Default Gateway: 0.0.0.

Multicast Filtering
Initial Configuration

Connecting to the Switch

Configuration Options

This 24-Port Fast Ethernet PoE Switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). The IP address for this switch is assigned via DHCP by default.
Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. When switches are stacked together, you must connect to the RS-232 port on the Master unit to be able to access the CLI. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch.
The onboard program only provides access to basic configuration functions. To access the full range of SNMP management functions, you must use SNMP-based network management software.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN.

Manual Configuration

You can manually assign an IP address to the switch.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
6. Then save your configuration changes by typing “copy running-config startup-config”. Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#exit
Console#ip dhcp restart
Console#show ip interface
IP interface vlan IP address and netmask: 10.1.0.54 255.255.255.
Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server host host-address community-string”, where “host-address” is the IP address for the trap receiver and “community-string” is the string associated with that host. Press <Enter>.
2.
Configuring Power over Ethernet

The 24-Port Fast Ethernet PoE Switch’s 24 10/100 Mbps ports support the IEEE 802.3af Power-over-Ethernet (PoE) standard that enables DC power to be supplied to attached devices over the unused pairs of wires in the connecting Ethernet cable. Any 802.3af compliant device attached to a port can directly draw power from the switch over the Ethernet cable without requiring its own separate power source.
Web Interface

Overview

This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Home Page

When your Web browser connects with the switch’s Web agent, the home page is displayed as shown in FIG. 1. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.

FIG. 1 Homepage

The examples in this chapter are based on the ES3526YA.
Panel Display

The web agent displays an image of the switch’s ports (FIG. 2). The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page (see the Port Configuration section on page 85).

FIG.
Switch Main Menu (Cont.)

Menu: Description

Priority
• Default Port Priority: Sets the default priority for each port
• Default Trunk Priority: Sets the default priority for each trunk
• Traffic Classes: Maps IEEE 802.
Basic Configuration

Displaying System Information

You can easily identify the system by providing a descriptive name, location and contact information.

Field Attributes
• Model Number: The switch model number.
• S/W Version #: The current software version number.
• System Name: Name assigned to the switch system.
• Object ID: MIB II object ID for switch’s network management subsystem.
• Location: Specifies the system location.
Displaying System Information - CLI

Specify the hostname, location and contact information.

FIG. 4 CLI - Displaying System Information

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Field Attributes

Main Board
• Serial Number: The serial number of the switch.
Displaying Switch Hardware/Software Versions - Web

Click System, Switch Information.

FIG. 5 CLI - Display Switch Information

Displaying Switch Hardware/Software Versions - CLI

Use the Console#show version command to display version information.

FIG. 6 Web - Displaying Switch Information

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs.
Field Attributes (Cont.)
• Configurable PVID Tagging: This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. Refer to the VLAN Configuration section on page 123.
• Local VLAN Capable: This switch does not support multiple local bridges (i.e., multiple Spanning Trees).
• GMRP: GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups.
Command Attributes
• Management VLAN: This is the only VLAN through which you can gain management access to the switch. By default, all ports on the switch are members of VLAN 1, so a management station can be connected to any port on the switch. However, if other VLANs are configured and you change the Management VLAN, you may lose management access to the switch.
Using DHCP/BOOTP - Web

If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Click System, IP. Specify the Management VLAN, set the IP Address Mode to DHCP or BOOTP, and click Apply to save your changes. The switch will broadcast a request for IP configuration settings on the next power reset. Otherwise, you can click Restart DHCP to immediately request a new address.

FIG.
Managing Firmware

You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can set the switch to use new firmware without overwriting the previous version. The switch also allows a runtime code file to be copied to or from another switch unit in the stack.
To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and then click Apply. Note that the file currently designated as the startup code cannot be deleted.

FIG. 16 Deleting Files

Downloading System Software from a Server - CLI

To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names.
Saving or Restoring Configuration Settings

You can upload/download configuration setting files to/from a TFTP server or copy files to and from switch units in a stack. The configuration files can be later downloaded to restore the switch’s settings.

Command Usage

When updating the PoE controller, first copy the PD controller file from a TFTP server to the switch's file system (tftp to file), and then copy this file to the controller (file to file).
Downloading Configuration Settings from a Server - Web

You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch. Click System, File, Copy.
This example shows how to download a PoE controller file from a TFTP server.

Console#copy tftp file
TFTP server IP address: 10.3.4.50
Choose file type:
1. config: 2. opcode 3. PD_Controller: <1-3>: 3
Source file name: 7012_007.s19
Destination file name: PoE-test
Write to FLASH Programming.
Write to FLASH finish.
Success.
Console#

This example shows how to copy a PoE controller file from another unit in the stack.
Command Attributes (Cont.)
• Speed: Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port or specify “Auto.”
  • Default: 9600 bps
• Stop Bits: Sets the number of the stop bits transmitted per byte.
  • Default: 1 stop bit
• Password: Specifies a password for the line connection.
Telnet Settings

You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the Web or CLI interface.

Command Attributes
• Telnet Status: Enables or disables Telnet access to the switch.
Telnet Settings - CLI

Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.

FIG.
Configuring Event Logging

Overview

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
System Log Configuration - Web

Click System, Log, System Logs. Specify System Log Status, then change the level of messages to be logged to RAM and flash memory, then click Apply.

FIG. 26 Web - System Logs

System Log Configuration - CLI

Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings. Type “show log ram” to display log messages in the RAM buffer.

FIG.
Remote Logs Configuration - Web

Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.

FIG. 28 Remote Logs

Remote Logs Configuration - CLI

Enter the syslog server host IP address, choose the facility type and set the logging trap.

FIG.
Displaying Log Messages - CLI

This example shows the event message stored in RAM.

FIG. 31 Displaying Logs

Sending SMTP Alerts

To alert system administrators of problems, the switch can use SMTP (Simple Mail Transfer Protocol) to send email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
Sending SMTP Alerts - Web

Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server text box and then click Add. To delete an IP address, click the entry in the SMTP Server List and then click Remove. Specify up to five email addresses to receive the alert messages, and then click Apply.

FIG.
Resetting the System

Resetting the System - Web

Select System, Reset to reboot the switch. When prompted, confirm that you want to reset the switch.

FIG. 34 Web - Resetting the Switch

Resetting the System - CLI

Use the reload command to reboot the system.

FIG. 35 CLI - Resetting the Switch

When the system restarts, it always runs the Power-On Self-Test.
Setting the System Clock - CLI

This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings:

FIG. 37 CLI - Configuring SNTP

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude.
SNMP Protocol

Overview

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Enabling SNMP

Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).

Command Attributes
• SNMP Agent Status: Enables SNMP on the switch.

Enabling SNMP - Web

Select SNMP, Agent Status.

FIG. 40 Web - Enabling the SNMP Agent

Enabling SNMP - CLI

The following example enables SNMP on the switch.
Setting Community Access Strings - CLI

The following example adds the string “spiderman” with read/write access.

FIG. 42 CLI - Configuring SNMP Community Strings

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:

1. If you want to change the default engine ID, change it first, before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
4.
Command Attributes (Cont.)
• Authentication: The method used for user authentication; MD5 or SHA
• Privacy: The encryption algorithm used for data privacy; only 56-bit DES is currently available
• Actions: Enables the user to be assigned to another SNMPv3 group.

Configuring SNMPv3 Users - Web

Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list.
Configuring SNMPv3 Groups

An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read and write views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.

Command Attributes
• Group Name: The name of the SNMP group. (Range: 1-32 characters)
• Model: The group security model; SNMP v1, v2c or v3.
Setting SNMPv3 Views

SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.

Command Attributes
• View Name: The name of the SNMP view. (Range: 1-64 characters)
• View OID Subtrees: Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
Setting SNMPv3 Views - CLI

Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.

Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: readaccess
Subtree OID: 1.3.6.1.
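
The following is an added example, not taken from this guide or from AMX: a Python check that evaluates view entries such as the one above and reports whether a view exposes the standard MIB subtrees that hold SNMP users, access policy and community strings. It assumes standard VACM matching (RFC 3415: "*" matches any single sub-identifier and the longest matching subtree decides), that "excluded" is the counterpart of "included", and that an equal-length tie is denied; the views "wide" and "ops" are constructed sample input.

```python
"""Audit SNMPv3 view entries written as 'snmp-server view' commands."""
from typing import List, NamedTuple

# Standard subtrees that expose SNMP credentials and access policy.
SENSITIVE = {
    "1.3.6.1.6.3.15": "SNMP-USER-BASED-SM-MIB (SNMPv3 users)",
    "1.3.6.1.6.3.16": "SNMP-VIEW-BASED-ACM-MIB (groups and views)",
    "1.3.6.1.6.3.18": "SNMP-COMMUNITY-MIB (community strings)",
}

# First line is the command shown in the guide; the rest is constructed.
SAMPLE_CONFIG = """\
snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
snmp-server view wide 1.3.6.1 included
snmp-server view ops 1.3.6.1 included
snmp-server view ops 1.3.6.1.6.3 excluded
"""


class ViewEntry(NamedTuple):
    view: str       # view name
    subtree: str    # dotted OID, '*' matches any one sub-identifier
    included: bool  # True = included, False = excluded


def parse_view_command(line: str) -> ViewEntry:
    """Parse 'snmp-server view <name> <oid> included|excluded'."""
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["snmp-server", "view"]:
        raise ValueError(f"not a view command: {line!r}")
    name, oid, kind = parts[2], parts[3].strip("."), parts[4].lower()
    if kind not in ("included", "excluded"):
        raise ValueError(f"unknown view type: {kind!r}")
    if not all(s == "*" or s.isdigit() for s in oid.split(".")):
        raise ValueError(f"malformed OID: {oid!r}")
    return ViewEntry(name, oid, kind == "included")


def load_views(config: str) -> List[ViewEntry]:
    """Collect every view command from a configuration text."""
    return [parse_view_command(ln) for ln in config.splitlines()
            if ln.strip().startswith("snmp-server view")]


def _covers(subtree: str, oid: str) -> bool:
    """True if oid lies at or below subtree, honouring '*' wildcards."""
    pattern, target = subtree.split("."), oid.split(".")
    if len(target) < len(pattern):
        return False
    return all(p == "*" or p == t for p, t in zip(pattern, target))


def oid_in_view(entries: List[ViewEntry], view: str, oid: str) -> bool:
    """Longest matching subtree decides; no match or a tie means deny."""
    best_len, verdict = -1, False
    for e in entries:
        if e.view != view or not _covers(e.subtree, oid):
            continue
        n = len(e.subtree.split("."))
        if n > best_len:
            best_len, verdict = n, e.included
        elif n == best_len and not e.included:
            verdict = False  # fail closed on an equal-length conflict
    return verdict


def exposed_sensitive(entries: List[ViewEntry], view: str) -> List[str]:
    """Return the sensitive subtree roots that the view makes reachable."""
    hits = []
    for root in sorted(SENSITIVE):
        # Reachable if the root itself is in the view, or if an included
        # entry of this view sits somewhere beneath the root.
        below = any(e.view == view and e.included and _covers(root, e.subtree)
                    for e in entries)
        if oid_in_view(entries, view, root) or below:
            hits.append(root)
    return hits


if __name__ == "__main__":
    views = load_views(SAMPLE_CONFIG)
    for name in sorted({e.view for e in views}):
        hits = exposed_sensitive(views, name)
        print(f"{name}: " + ("OK" if not hits else "exposes " +
              ", ".join(SENSITIVE[h] for h in hits)))
```

A view that covers the entire MIB tree, as the guide says “defaultview” does, would be reported in the same way as the constructed view "wide".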
User Authentication

Overview

You can restrict management access to this switch and provide secure network access using the following options:

User Accounts – Manually configure access rights on the switch for specified users.
Authentication Settings – Use remote authentication to configure access rights.
HTTPS Settings – Provide a secure web connection.
SSH Settings – Provide a secure shell (for secure Telnet access).
Port Security – Configure secure addresses for individual ports.
802.
Configuring User Accounts - CLI

Assign a user name to access-level 15 (i.e., administrator), then specify the password.

FIG. 50 CLI - Access Levels

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Command Attributes
• Authentication: Select the authentication, or authentication sequence required:
  • Local – User authentication is performed only locally by the switch.
  • Radius – User authentication is performed using a RADIUS server only.
  • TACACS – User authentication is performed using a TACACS+ server only.
  • [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
Authentication Settings - Web

Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.

FIG. 52 Web - Authentication Settings

Authentication Settings - CLI

Specify all the required parameters to enable logon authentication.

FIG.
User Authentication Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage Both the HTTP and HTTPS services can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
User Authentication Configuring HTTPS - Web Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. FIG. 54 Web - HTTPS Settings Configuring HTTPS - CLI CLI – This example enables the HTTP secure server and modifies the port number. FIG. 55 CLI - HTTPS Settings Replacing the Default Secure-Site Certificate When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
User Authentication Note that you need to install an SSH client on the management station to access the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0. Command Usage The SSH server on this switch supports both password and public key authentication.
User Authentication e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated. To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client’s keys. 2.
User Authentication Configuring the Secure Shell - CLI This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys. FIG. 58 CLI - SSH Host-Key Settings Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status: Allows you to enable/disable the SSH server feature on the switch.
User Authentication Configuring the SSH Server - Web Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server. FIG. 59 Web - SSH Server Settings Configuring the SSH Server - CLI This example enables SSH, sets the authentication parameters, and displays the current configuration.
User Authentication Command Usage A secure port has the following restrictions: Cannot use port monitoring. Cannot be a multi-VLAN port. It cannot be used as a member of a static or dynamic trunk. It should not be connected to a network interconnection device. If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (see the Port Configuration section on page 85). Command Attributes • Port: Port number.
User Authentication Configuring 802.1x Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
User Authentication Displaying and Configuring the 802.1x Global Setting The 802.1x protocol must be enabled globally for the switch system before port settings are active. Command Attributes • 802.1x System Authentication Control: The global setting for 802.1x. • Default: Disabled Displaying and Configuring the 802.1x Global Setting - Web To display the current global setting for 802.1x, click Security, 802.1X, Information. FIG. 64 Web - 802.
User Authentication Command Attributes (Cont.) • Mode: Sets the authentication mode to one of the following options: • Auto – Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access. • Force-Authorized – Forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.) • Force-Unauthorized – Forces the port to deny access to all clients, either dot1x-aware or otherwise.
User Authentication Configuring Port Settings for 802.1x - CLI This example sets the 802.1x parameters on port 2. For a description of the additional fields displayed in this example, see show dot1x section on page 259. FIG. 67 CLI - 802.
User Authentication Displaying 802.1x Statistics This switch can display statistics for dot1x protocol exchanges for any port. 802.1x Statistics • Rx EAPOL Start: The number of EAPOL Start frames that have been received by this Authenticator. • Rx EAPOL Logoff: The number of EAPOL Logoff frames that have been received by this Authenticator. • Rx EAPOL Invalid: The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
User Authentication Displaying 802.1x Statistics - CLI This example displays the 802.1x statistics for port 4. FIG. 69 CLI - Displaying 802.1x Statistics Filtering Addresses for SNMP Client Access The switch allows you to create a list of up to 16 IP addresses or IP address groups that are allowed access to the switch via SNMP management software.
User Authentication Filtering Addresses for SNMP Client Access - Web Click SNMP, SNMP IP Filtering. To add a client, enter the new address, the subnet mask for a node or an address range, and then click “Add IP Filtering Entry.” FIG. 70 Filtering Addresses for SNMP Access Filtering Addresses for SNMP Client Access - CLI This example allows SNMP access for a specific client. Console(config)#snmp ip filter 10.1.2.3 255.255.255.
Configuring ACLs Configuring ACLs Overview Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
Configuring ACLs Setting the ACL Name and Type - Web Click Security, ACL, ACL Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. FIG. 71 Web - Selecting ACL Type Setting the ACL Name and Type - CLI This example creates a standard IP ACL named bill. FIG.
Configuring ACLs Configuring a Standard IP ACL - Web Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add. FIG. 73 Web - Configuring Standard ACLs Configuring a Standard IP ACL - CLI This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.
Configuring ACLs Command Attributes (Cont.) • Source/Destination Port Bitmask: Decimal number representing the port bits to match. (Range: 0-65535) • Control Code: Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) • Control Code Bitmask: Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask) that is applied to the control code.
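The following Python sketch is an added example, not part of the AMX guide or the switch firmware. It shows how a control code and control bitmask in the 0-63 range select TCP packets. It assumes that a 1 bit in the bitmask means "compare this flag" and a 0 bit means "ignore it"; the function names and the sample packets are constructed for illustration.

```python
"""Added example: TCP control code / control bitmask matching for an extended ACL rule."""

# Bit values of the six classic TCP flags. They sit in the flags byte at
# offset 13 counting from zero, which is byte 14 when counting from one.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

# Constructed sample flag bytes (not captured traffic).
SAMPLE_PACKETS = {
    "client SYN": 0x02,
    "server SYN+ACK": 0x12,
    "ACK": 0x10,
    "FIN+ACK": 0x11,
    "RST": 0x04,
    "SYN with ECE+CWR": 0xC2,  # upper two bits lie outside the 0-63 range
}


def check_range(value, label):
    """Reject values outside the 0-63 range given for the control code and bitmask."""
    if not isinstance(value, int) or not 0 <= value <= 63:
        raise ValueError(f"{label} must be an integer in the range 0-63, got {value!r}")


def decode_flags(value):
    """Return the names of the flags set in a control code or bitmask."""
    check_range(value, "value")
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def rule_for(must_be_set=(), must_be_clear=()):
    """Build (control_code, control_bitmask) from the flags a rule cares about."""
    set_bits = 0
    for name in must_be_set:
        set_bits |= TCP_FLAGS[name.upper()]
    clear_bits = 0
    for name in must_be_clear:
        clear_bits |= TCP_FLAGS[name.upper()]
    if set_bits & clear_bits:
        raise ValueError("a flag cannot be required both set and clear")
    # The bitmask covers every flag the rule inspects; the code holds the
    # expected value of those flags.
    return set_bits, set_bits | clear_bits


def control_code_matches(packet_flags, control_code, control_bitmask):
    """Assumed semantics: bitmask 1 bits are compared, 0 bits are ignored."""
    check_range(control_code, "control code")
    check_range(control_bitmask, "control bitmask")
    return (packet_flags & control_bitmask) == (control_code & control_bitmask)


def matching_packets(control_code, control_bitmask, packets=None):
    """List the sample packets that a code/bitmask pair would select."""
    packets = SAMPLE_PACKETS if packets is None else packets
    return [name for name, flags in packets.items()
            if control_code_matches(flags, control_code, control_bitmask)]


if __name__ == "__main__":
    # A bitmask that only inspects SYN also selects the server's SYN+ACK reply.
    print("code 2, mask 2 :", matching_packets(2, 2))
    # Inspecting SYN and ACK together isolates connection-opening packets.
    code, mask = rule_for(must_be_set=["SYN"], must_be_clear=["ACK"])
    print(f"code {code}, mask {mask}:", matching_packets(code, mask))
    print("mask 18 inspects:", decode_flags(18))
```

Comparing the two bitmasks shows why a rule meant to catch only connection attempts needs ACK included in the bitmask as well as SYN.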
Configuring ACLs FIG. 76 Configuring Extended ACLs Configuring a MAC ACL Command Attributes • Action: An ACL can contain permit rules, deny rules, or a combination of both. (Default: Permit rules) • Source/Destination Address Type: Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
Configuring ACLs FIG. 77 Web - Configuring MAC ACLs Configuring a MAC ACL - CLI This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. FIG. 78 CLI - Configuring MAC ACLs Configuring ACL Masks You can specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL.
Configuring ACLs Configuring ACL Masks - Web Click Security, ACL, ACL Mask Configuration. Click Edit for one of the basic mask types to open the configuration page. FIG. 79 Web - ACL Mask Configuration Configuring ACL Masks - CLI This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet.
Configuring ACLs Configuring an IP ACL Mask - Web Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitmask to search for specific protocol port(s) or TCP control code(s). Then click Add. FIG.
Configuring ACLs Configuring a MAC ACL Mask - Web Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for any source or destination address, a host address, or an address range. Use a bitmask to search for specific VLAN ID(s) or Ethernet type(s). Or check for rules where a packet format was specified. Then click Add. FIG.
Configuring ACLs The switch does not support the explicit “deny any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in the ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail. Command Attributes • Port: Fixed port or SFP module. (Range: 1-24) • IP: Specifies the IP ACL to bind to a port. • MAC: Specifies the MAC ACL to bind to a port. • IN: ACL for ingress packets. • OUT: ACL for egress packets.
Filtering IPs for Management Access Filtering IPs for Management Access Overview You can specify the client IP addresses that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Filtering IPs for Management Access Filtering IP Addresses for Management Access - CLI This example restricts management access for Telnet and SNMP clients. Console(config)#management telnet-client 192.168.1.19 Console(config)#management telnet-client 192.168.1.25 192.168.1.30 Console(config)#management snmp-client 10.1.2.3 255.255.255.
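The sketch below is an added example, not code from the guide or the switch. It models the filtering behavior described above so that a saved configuration can be checked offline. It assumes that the two-address form of the command is an inclusive start-to-end range and that each interface keeps its own list; the function names are hypothetical, and the sample input is constructed from the telnet-client commands in the CLI example.

```python
"""Added example: offline check of management IP filter lists."""
import ipaddress

# Constructed sample: the two telnet-client commands from the CLI example.
SAMPLE_CONFIG = """\
Console(config)#management telnet-client 192.168.1.19
Console(config)#management telnet-client 192.168.1.25 192.168.1.30
"""


def parse_filters(config_text):
    """Return {interface: [(start, end), ...]} from 'management' commands."""
    filters = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop the CLI prompt if present
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] != "management":
            continue  # not a management filter command
        interface = parts[1]
        start = ipaddress.IPv4Address(parts[2])
        # Assumption: a second address marks the inclusive end of a range.
        end = ipaddress.IPv4Address(parts[3]) if len(parts) == 4 else start
        if end < start:
            raise ValueError(f"end address precedes start address: {line!r}")
        filters.setdefault(interface, []).append((start, end))
    return filters


def is_allowed(filters, interface, client_ip):
    """Apply the rule above: an interface with no entries is open to all."""
    ranges = filters.get(interface, [])
    if not ranges:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(start <= ip <= end for start, end in ranges)


def audit(filters, interfaces, admin_hosts):
    """Report interfaces still open to every address and admin hosts locked out."""
    report = {}
    for interface in interfaces:
        report[interface] = {
            "open_to_all": not filters.get(interface),
            "locked_out": [host for host in admin_hosts
                           if not is_allowed(filters, interface, host)],
        }
    return report


if __name__ == "__main__":
    parsed = parse_filters(SAMPLE_CONFIG)
    # 192.168.1.40 is a constructed admin workstation outside the filter list.
    result = audit(parsed, ["telnet-client", "snmp-client"],
                   ["192.168.1.19", "192.168.1.40"])
    for name, findings in result.items():
        print(name, findings)
```

With only the telnet-client entries loaded, the audit flags snmp-client as still open to every address, which is the state to look for before relying on the filter.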
Port Configuration Port Configuration Overview You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name: Interface label. • Type: Indicates the port type (10BASE-T, 100BASE-TX, 100BASE-FX, 1000BASE-LX, 1000BASE-GBIC). • Admin Status: Shows if the interface is enabled or disabled. • Oper Status: Indicates if the link is Up or Down.
Port Configuration Field Attributes (CLI - Cont.) • Capabilities: Specifies the capabilities to be advertised for a port during auto-negotiation. To access this item on the web, see Configuring Interface Connections section on page 87. The following capabilities are supported.
Port Configuration Configuring Interface Connections You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control. Command Attributes • Name: Allows you to label an interface. (Range: 1-64 characters) • Admin: Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g.
Port Configuration Configuring Interface Connections - Web Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. FIG. 86 Web - Port/Trunk Configuration Configuring Interface Connections - CLI Select the interface, and then enter the required settings. FIG. 87 CLI - Port/Trunk Configuration Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link.
Port Configuration All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN. STP, VLAN, and IGMP settings can only be made for the entire trunk. Statically Configuring a Trunk Command Usage When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
Port Configuration Statically Configuring a Trunk - CLI This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. FIG. 89 CLI - Configuring Port Trunks Enabling LACP on Selected Ports Command Usage To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
Port Configuration Enabling LACP on Selected Ports - Web Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. FIG. 90 Web - LACP Configuration Enabling LACP on Selected Ports - CLI The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. FIG.
Port Configuration Dynamically Creating a Port Channel Ports assigned to a common port channel must meet the following criteria: Ports must have the same LACP System Priority. Ports must have the same LACP port Admin Key. However, if the “port channel” Admin Key is set (page 318), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group. If the port channel admin key (LACP admin key, page 318) is not set (through the CLI) when a channel group is formed (i.e.
Port Configuration Dynamically Creating a Port Channel - Web Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device. After you have completed setting the port LACP parameters, click Apply. FIG.
Port Configuration Displaying LACP Port Counters You can display statistics for LACP protocol messages. The following table describes the Counter Information fields: Counter Information Fields • LACPDUs Sent: Number of valid LACPDUs transmitted from this channel group. • LACPDUs Received: Number of valid LACPDUs received on this channel group. • Marker Sent: Number of valid Marker PDUs transmitted from this channel group.
Port Configuration Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Displaying LACP Local Settings • Oper Key: Current operational value of the key for the aggregation port. • Admin Key: Current administrative value of the key for the aggregation port. • LACPDUs Internal: Number of seconds before invalidating received LACPDU information.
Port Configuration Displaying LACP Settings and Status for the Local Side - CLI The following example displays the LACP configuration settings and operational state for the local side of port channel 1. FIG. 97 CLI - Displaying LACP Port Information Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation.
Port Configuration Displaying LACP Settings and Status for the Remote Side - CLI The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. FIG. 99 CLI - Displaying Remote LACP Port Information Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
Port Configuration Setting Broadcast Storm Thresholds - Web Click Port, Broadcast Control. Set the threshold for any port, and click Apply. FIG. 100 Web - Enabling Port Broadcast Control Setting Broadcast Storm Thresholds - CLI Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2. FIG.
Port Configuration Command Attributes • Mirror Sessions: Displays a list of current mirror sessions. • Source Unit: The unit whose port traffic will be monitored. • Source Port: The port whose traffic will be monitored. • Type: Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both. • Target Unit: The unit whose port will “duplicate” or “mirror” the traffic on the source port.
Port Configuration Configuring Rate Limits - Web Click Rate Limit, Input/Output Port/Trunk Configuration. Set the Input Rate Limit Status or Output Rate Limit Status, then set the rate limit for the individual interfaces, and click Apply. FIG. 104 Web - Output Rate Limit Port Configuration Configuring Rate Limits - CLI This example sets the rate limit for input and output traffic passing through port 3 to 600 Mbps. FIG.
Port Configuration Port Statistics (Cont.) Interface Statistics (Cont.) • Transmit Octets: The total number of octets transmitted out of the interface, including framing characters. • Transmit Unicast Packets: The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Port Configuration Port Statistics (Cont.) RMON Statistics (Cont.) • Collisions: The best estimate of the total number of collisions on this Ethernet segment. • Received Frames: The total number of frames (bad, broadcast and multicast) received. • Broadcast Frames: The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.
Port Configuration Showing Port Statistics - CLI This example shows statistics for port 13. FIG.
Power Over Ethernet (PoE) Settings Power Over Ethernet (PoE) Settings Overview This switch can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device. Once configured to supply power, an automatic detection process is initialized by the switch that is authenticated by a PoE signature from the connected device. Detection and authentication prevent damage to non-802.3af compliant devices.
Power Over Ethernet (PoE) Settings Switch Power Status - CLI This example displays the current power status for the switch.
Power Over Ethernet (PoE) Settings Displaying Port Power Status - Web Click PoE, followed by Power Port Status. FIG. 110 Web - Power Port Status Displaying Port Power Status - CLI This example displays the PoE status and the priority of port 1.
Power Over Ethernet (PoE) Settings Configuring Port PoE Power - Web Click PoE, Power Port Configuration. Enable PoE power on selected ports, set the priority and the power budget, and then click Apply. FIG. 111 Web - Port Power Configuration Configuring Port PoE Power - CLI This example sets the PoE power budget for port 1 to 8 watts, the priority to high (2), and then enables the power.
Address Table Settings Address Table Settings Overview Switches store the addresses for all known devices. This information is used to route traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. Setting Static Addresses A static address can be assigned to a specific interface on this switch.
Address Table Settings Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports. Command Attributes • Interface: Indicates a port or trunk.
Address Table Settings Changing the Aging Time - Web Click Address Table, Address Aging. Specify the new aging time, and click Apply. FIG. 116 Web - Setting the Address Aging Time Changing the Aging Time - CLI This example sets the aging time to 300 seconds. FIG.
Spanning Tree Algorithm Configuration Spanning Tree Algorithm Configuration Overview The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Spanning Tree Algorithm Configuration Displaying Global Settings Field Attributes • Spanning Tree State: Shows if the switch is enabled to participate in an STA-compliant network. • Bridge ID: A unique identifier for this bridge, consisting of the bridge priority and MAC address (where the address is taken from the switch system). • Max Age: The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure.
Spanning Tree Algorithm Configuration Field Attributes (Cont.) • Root Forward Delay: The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
Spanning Tree Algorithm Configuration STP and RSTP BPDUs are transmitted as untagged frames, and will cross any VLAN boundaries. STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs. RSTP Mode – If RSTP is using 802.
Spanning Tree Algorithm Configuration Configuration Settings for RSTP Note: The following attributes apply to both STP and RSTP. • Path Cost Method: The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface. • Long: Specifies 32-bit based values that range from 1-200,000,000. • Short: Specifies 16-bit based values that range from 1-65535.
Spanning Tree Algorithm Configuration Displaying Interface Settings The STP Port Information and STP Trunk Information pages display the current status of ports and trunks in the Spanning Tree. Command Attributes Note: The following attributes are read-only and cannot be changed: • Spanning Tree: Shows if STA has been enabled on this interface.
Spanning Tree Algorithm Configuration Command Attributes (Cont.) • Port Role (Cont.) The role is set to disabled (i.e., disabled port) if a port has no role within the spanning tree. [Figure legend: R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port] An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
Spanning Tree Algorithm Configuration Displaying Interface Settings - Web Click Spanning Tree, STA Port Information or STA Trunk Information. FIG. 123 Web - Displaying Spanning Tree Information Displaying Interface Settings - CLI This example shows general STA configuration and attributes for port 5. FIG. 124 CLI - Displaying Spanning Tree Information Configuring Interface Settings You can configure RSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
Spanning Tree Algorithm Configuration Command Attributes (Cont.) • Priority: Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
Spanning Tree Algorithm Configuration Configuring Interface Settings - CLI This example sets STA attributes for port 5. FIG.
VLAN Configuration VLAN Configuration Overview - IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment. An IEEE 802.
VLAN Configuration VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
VLAN Configuration Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports. Ports can be assigned to multiple tagged or untagged VLANs. Each port on the switch is therefore capable of passing tagged or untagged frames.
VLAN Configuration Displaying Basic VLAN Information - CLI Enter the following command. FIG. 132 CLI - Displaying Basic VLAN information Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
VLAN Configuration • Status: Shows if this VLAN is enabled or disabled. • Active: VLAN is operational. • Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel Groups: Shows the VLAN interface members. Displaying Current VLANs - CLI Current VLAN information can be displayed with the following command. FIG. 134 CLI - Displaying Current VLANs Creating VLANs Use the VLAN Static List to create or remove VLAN groups.
VLAN Configuration Creating VLANs - CLI This example creates a new VLAN. FIG. 136 CLI - Configuring a VLAN Static List Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol. 1.
VLAN Configuration Adding Static Members to VLANs - Web Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply. FIG. 137 Web - Configuring a VLAN Static Table Adding Static Members to VLANs - CLI The following example adds tagged and untagged ports to VLAN 2. FIG.
VLAN Configuration Adding Static Members to VLANs - CLI This example adds Port 3 to VLAN 1 as a tagged port, and removes Port 3 from VLAN 2. FIG. 140 CLI - VLAN Static Membership by Port Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
VLAN Configuration Command Attributes (Cont.) • GARP Leave Timer: The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
VLAN Configuration Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLAN ports: promiscuous, and community ports. A promiscuous port can communicate with all interfaces within a private VLAN. Community ports can only communicate with other ports in their own community VLAN, and with their designated promiscuous ports.
VLAN Configuration Displaying Current Private VLANs - CLI This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3. FIG.
VLAN Configuration Associating Community VLANs - Web Click Private VLAN, Private VLAN Association. Select the required primary VLAN from the scroll-down box, highlight one or more community VLANs in the Non-Association list box, and click Add to associate these entries with the selected primary VLAN. A community VLAN can only be associated with one primary VLAN. FIG. 147 Web - Private VLAN Association Associating Community VLANs - CLI This example associates community VLANs 6 and 7 with primary VLAN 5.
VLAN Configuration Displaying Private VLAN Interface Information - CLI This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3. FIG.
VLAN Configuration Configuring Private VLAN Interfaces - CLI This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3. FIG.
Class of Service Configuration Class of Service Configuration Overview Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch is designed with CoS to specifically support AMX’s MAX audio and video streams, maximizing audio and video performance as it is transmitted throughout the network.
Class of Service Configuration Setting the Default Priority for Interfaces - CLI This example assigns a default priority of 5 to port 3. FIG. 154 CLI - Port Priority Configuration Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on Weighted Round Robin (WRR). Up to 8 separate traffic priorities are defined in IEEE 802.1p.
Class of Service Configuration Command Attributes • Priority: CoS value. (Range: 0-7, where 7 is the highest priority) • Traffic Class: Output queue buffer. • Range: 0-3, where 3 is the highest CoS priority queue • CLI shows Queue ID. Mapping CoS Values to Egress Queues - Web Click Priority, Traffic Classes. Mark an interface and click Select to display the current mapping of CoS values to output queues. Assign priorities to the traffic classes (i.e.
Class of Service Configuration Selecting the Queue Mode - Web Click Priority, Queue Mode. Select Strict or WRR, then click Apply. FIG. 158 Web - Selecting the Queue Mode Selecting the Queue Mode - CLI The following sets the queue mode to strict priority service mode. FIG. 159 CLI - Selecting the Queue Mode Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue.
Class of Service Configuration Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP/UDP port. If priority bits are used, the ToS octet may contain three bits for IP Precedence or six bits for Differentiated Services Code Point (DSCP) service.
Class of Service Configuration Command Attributes • IP Precedence Priority Table: Shows the IP Precedence to CoS map. • Class of Service Value: Maps a CoS value to the selected IP Precedence value. Note that “0” represents low priority and “7” represents high priority. IP Precedence settings apply to all interfaces. Mapping IP Precedence - Web Click Priority, IP Precedence Priority. Select a port or trunk from the Interface field.
Class of Service Configuration Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, and it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices, will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table.
Class of Service Configuration Mapping DSCP Priority - CLI The following example globally enables DSCP Priority service on the switch, maps DSCP value 1 to CoS value 0 on port 5, and then displays all the DSCP Priority settings. FIG. 167 CLI - Mapping IP DSCP Priority Values Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch.
Class of Service Configuration FIG. 169 Web - Mapping IP Port Priority Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch. Mapping IP Port Priority - CLI The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port. FIG.
Class of Service Configuration Copy Settings - Web Click Priority, Copy Settings. Select the source priority settings to be copied, enter the source port or trunk number and choose the destination interface/s to copy to, then select Copy Settings. FIG. 171 Web - Copy Settings Copy Settings - CLI The following example shows how to map HTTP traffic to CoS value 0 on port 5, map IP precedence to CoS 0 on port 6, and enable mapping IP DSCP globally.
Class of Service Configuration Mapping CoS Values to ACLs - Web Click Priority, ACL CoS Priority. Select a port, select an ACL rule, specify a CoS priority, then click Add. FIG. 172 Web - ACL CoS Priority Mapping CoS Values to ACLs - CLI This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 1. FIG. 173 CLI - ACL CoS Priority Changing Priorities Based on ACL Rules You can change traffic priorities for frames matching the defined ACL rule.
Class of Service Configuration Changing Priorities Based on ACL Rules - Web Click Priority, ACL Marker. Select a port and an ACL rule. To specify a ToS priority, mark the Precedence/DSCP check box, select Precedence or DSCP from the scroll-down box, and enter a priority. To specify an 802.1p priority, mark the 802.1p Priority check box, and enter a priority. Then click Add. FIG.
Multicast Filtering Multicast Filtering Overview Multicasting is used to support real-time applications such as video conferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Multicast Filtering Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
Multicast Filtering Configuring IGMP Snooping and Query Parameters - Web Click IGMP, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. The default settings are shown below. FIG. 176 Web - IGMP Configuration Configuring IGMP Snooping and Query Parameters - CLI This example modifies the settings for multicast filtering, and then displays the current status. FIG.
Multicast Filtering Displaying Interfaces Attached to a Multicast Router - Web Click IGMP, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers. FIG. 178 Web - Displaying Multicast Router Port Information Displaying Interfaces Attached to a Multicast Router - CLI This example shows that Port 11 has been statically configured as a port attached to a multicast router. FIG.
Multicast Filtering Specifying Interfaces Attached to a Multicast Router - CLI This example configures port 11 as a multicast router port within VLAN 1. FIG. 181 CLI - Static Multicast Router Port Configuration Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast IP address. Command Attributes • VLAN ID: Selects the VLAN in which to display port members.
Multicast Filtering Command Attributes • Interface: Activates the Port or Trunk scroll down list. • VLAN ID: Selects the VLAN to propagate all multicast traffic coming from the attached multicast router/ switch. • Multicast IP: The IP address for a specific multicast service. • Port or Trunk: Specifies the interface attached to a multicast router. Assigning Ports to Multicast Services - Web Click IGMP, IGMP Member Port Table.
Configuring Domain Name Service Configuring Domain Name Service Overview The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
Configuring Domain Name Service Configuring General DNS Server Parameters - Web Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. FIG. 186 Configuring DNS Configuring General DNS Server Parameters - CLI This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
Configuring Domain Name Service Configuring Static DNS Host to Address Entries - Web Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. FIG. 187 Web - Mapping IP Addresses to a Host Name Configuring Static DNS Host to Address Entries - CLI This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#ip host rd6 10.1.0.
Configuring Domain Name Service Displaying the DNS Cache - Web Select DNS, Cache. FIG. 188 Web - Displaying the DNS Cache Displaying the DNS Cache - CLI This example displays all the resource records learned from the designated name servers.
Console#show dns cache
NO FLAG TYPE IP
0 4 CNAME 207.46.134.222
1 4 CNAME 207.46.134.190
2 4 CNAME 207.46.134.155
3 4 CNAME 207.46.249.222
4 4 CNAME 207.46.249.27
5 4 ALIAS POINTER TO:4
6 4 CNAME 207.46.68.27
7 4 ALIAS POINTER TO:6
8 4 CNAME 65.54.131.
CLI (Command Line Interface) CLI (Command Line Interface) Overview This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
CLI (Command Line Interface) Console(config)#interface vlan 1 Console(config-if)#ip address 10.1.0.1 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 10.1.0.254 If your corporate network is connected to another network outside your office or to the Internet, you need to apply for a registered IP address. However, if you are attached to an isolated network, then you can use any IP address that matches the network segment to which you are attached.
CLI (Command Line Interface) Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, or VLAN Database).
CLI (Command Line Interface) Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
CLI (Command Line Interface) Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
Keystroke Commands (Cont.)
Keystroke - Function
Ctrl-E - Shifts cursor to end of command line.
Ctrl-F - Shifts cursor to the right one character.
Ctrl-K - Deletes all characters from the cursor to the end of the line.
Ctrl-L - Repeats current command line on a new line.
Ctrl-P - Enters the last command.
Ctrl-R - Repeats current command line on a new line.
Ctrl-U - Deletes from the cursor to the beginning of the line.
Ctrl-W - Deletes the last word typed.
Line Commands (Cont.)
password
Use this command to specify the password for a line. Use the no form to remove the password.
Syntax: password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password. Maximum length: 8 characters plain text, 32 encrypted, case sensitive.
Default Setting: No password is specified.
Line Commands (Cont.)
password-thresh
This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax: password-thresh [threshold]
no password-thresh
• threshold - The number of allowed password attempts. Range: 1-120; 0: no threshold
Default Setting: The default value is three attempts.
Line Commands (Cont.)
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax: parity {none | even | odd}
no parity
• none - No parity
• even - Even parity
• odd - Odd parity
Default Setting: No parity
Command Mode: Line Configuration
Command Usage: Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Line Commands (Cont.)
show line
This command displays the terminal line’s parameters.
Syntax: show line [console | vty]
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
General Commands (Cont.)
configure
This command activates Global Configuration mode.
Default Setting: None
Command Mode: Privileged Exec
Example:
Console#configure
Console(config)#
You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration.
You must enter this mode to modify any
General Commands (Cont.)
exit
This command returns to the previous configuration mode or exits the configuration program.
Default Setting: None
CLI (Command Line Interface) Device Designation Commands Device Designation Commands Command Function prompt Syntax: This command customizes the CLI prompt. Use the no form to restore the default prompt. prompt string no prompt • string - Any alphanumeric string to use for the CLI prompt. Maximum length: 255 characters.
CLI (Command Line Interface) Device Designation Commands (Cont.) Command Function username (Cont.) : username access-level password guest 0 guest Command Mode: Global Configuration Command Usage: The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
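The password, password-thresh and username commands described in this chapter can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the AMX manual or the switch software: it flags type 0 (plain-text) passwords, a password-thresh value of 0, and values outside the documented limits. The sample configuration, its dummy hash strings and the function name audit_config are constructed for illustration, and the "username name password {0 | 7} password" form is assumed to mirror the line password syntax.

```python
import re

# Constructed sample configuration (not from the manual); hash strings are dummies.
SAMPLE_CONFIG = """\
username admin access-level 15
username admin password 7 0123456789abcdef0123456789abcdef
username guest access-level 0
username guest password 0 guest
!
line console
 password 0 secret
 password-thresh 0
!
line vty
 password 7 fedcba9876543210fedcba9876543210
 password-thresh 5
!
end
"""

# Assumed form: username <name> password {0 | 7} <string>
USER_PW = re.compile(r"^username\s+(\S+)\s+password\s+([07])\s+(\S+)$")
# Documented form: password {0 | 7} <string>   (Line Configuration mode)
LINE_PW = re.compile(r"^password\s+([07])\s+(\S+)$")
# Documented form: password-thresh [threshold]
THRESH = re.compile(r"^password-thresh(?:\s+(\d+))?$")
LINE_CTX = re.compile(r"^line\s+(console|vty)$")


def audit_config(text):
    """Return (line_number, context, finding) tuples; secrets are never echoed."""
    findings = []
    context = "global"
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line in ("", "!", "end"):
            context = "global"          # "!" separates configuration sections
            continue
        ctx = LINE_CTX.match(line)
        if ctx:
            context = "line " + ctx.group(1)
            continue
        user = USER_PW.match(line)
        if user:
            if user.group(2) == "0":
                findings.append((number, context,
                                 "plain-text password stored for user " + user.group(1)))
            continue
        if not context.startswith("line "):
            continue
        pw = LINE_PW.match(line)
        if pw:
            kind, value = pw.groups()
            limit = 8 if kind == "0" else 32   # documented maximum lengths
            if kind == "0":
                findings.append((number, context, "plain-text line password"))
            if len(value) > limit:
                findings.append((number, context,
                                 "password longer than the %d-character maximum" % limit))
            continue
        thresh = THRESH.match(line)
        if thresh and thresh.group(1) is not None:
            attempts = int(thresh.group(1))
            if attempts == 0:
                findings.append((number, context,
                                 "password-thresh 0: failed logon attempts are not limited"))
            elif attempts > 120:
                findings.append((number, context,
                                 "password-thresh outside the documented range 1-120"))
    return findings


if __name__ == "__main__":
    for number, context, finding in audit_config(SAMPLE_CONFIG):
        print("line %d [%s]: %s" % (number, context, finding))
```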
CLI (Command Line Interface) IP Filter Commands (Cont.) Command Function management (Cont.) Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager. • IP address can be configured for SNMP, web and Telnet access respectively.
Web Server Commands
ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax: ip http port port-number
no ip http port
• port-number - The TCP port to be used by the browser interface. Range: 1-65535
Default Setting: 80
Command Mode: Global Configuration
Web Server Commands (Cont.)
ip http secure-port
This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s web interface. Use the no form to restore the default port.
Syntax: ip http secure-port port_number
no ip http secure-port
• port_number – The UDP port used for HTTPS/SSL.
CLI (Command Line Interface) The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command (see page 199).
Secure Shell Commands
ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Syntax: [no] ip ssh server
Default Setting: Disabled
Command Mode: Global Configuration
Command Usage:
• The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Secure Shell Commands (Cont.)
copy tftp public-key
Copies the user’s public key from a TFTP server to the switch
delete public-key
This command deletes the specified user’s public key.
Syntax: delete public-key username [dsa | rsa]
• username – Name of an SSH user. Range: 1-8 characters
• dsa – DSA public key type.
• rsa – RSA public key type.
Default Setting: Deletes both the DSA and RSA key.
CLI (Command Line Interface) Secure Shell Commands (Cont.) Command Function show ip ssh Command Mode: Privileged Exec This command displays the connection settings used when authenticating client access to the SSH server. Example: show ssh Command Mode: Privileged Exec This command displays the current SSH server connections. Example: Console#show ip ssh SSH Enabled - version 1.
Secure Shell Commands (Cont.)
show public-key
This command shows the public key for the specified user or for the host.
Syntax: show public-key [user [username]| host]
• username – Name of an SSH user. (Range: 1-8 characters)
Default Setting: Shows all public keys.
Command Mode: Privileged Exec
Command Usage: If no parameters are entered, all keys are displayed.
CLI (Command Line Interface) Event Logging Commands (Cont.) Command Function logging history Syntax: This command limits syslog messages saved to switch memory based on severity. • flash - Event history stored in flash memory (i.e., permanent memory). The no form returns the logging of syslog messages to the default level. • level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7).
CLI (Command Line Interface) Event Logging Commands (Cont.) Command Function logging facility Syntax This command sets the facility type for remote logging of syslog messages. • type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service. Range: 16-23. Use the no form to return the type to the default.
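On the collector side, the facility range (16-23) and the level rule ("the selected level down to level 0") give two checks that can be applied to every message claiming to come from the switch. The following Python sketch is an added example, not part of the manual: it decodes the standard syslog PRI value (facility × 8 + severity) and flags messages whose facility or severity does not fit the configured settings. The sample datagrams and message text are constructed, and it is an assumption that the remote logging level follows the same rule as the levels described here.

```python
import re

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
SWITCH_FACILITIES = range(16, 24)      # facility types 16-23, as documented above

# Constructed sample datagrams (message text is invented for illustration).
SAMPLE_DATAGRAMS = [
    "<188>switch: VLAN 1 link-up notification",      # facility 23, severity 4
    "<187>switch: login failure on vty",             # facility 23, severity 3
    "<190>switch: informational event",              # facility 23, severity 6
    "<38>sshd[411]: Accepted password for root",     # facility 4, severity 6
    "missing priority field",
]


def decode_pri(datagram):
    """Split a syslog datagram into (facility, severity, message)."""
    match = PRI_RE.match(datagram)
    if not match:
        raise ValueError("no <PRI> prefix")
    pri = int(match.group(1))
    if pri > 191:                        # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, match.group(2)


def triage(datagrams, configured_facility, configured_level):
    """Classify each datagram against the switch's configured facility and level.

    configured_facility and configured_level are the values set on the switch
    (assumed known to the collector). Lower severity numbers are more urgent,
    so a correctly configured switch only sends severity <= configured_level.
    """
    if configured_facility not in SWITCH_FACILITIES:
        raise ValueError("facility must be in the range 16-23")
    if not 0 <= configured_level <= 7:
        raise ValueError("level must be in the range 0-7")
    results = []
    for datagram in datagrams:
        try:
            facility, severity, message = decode_pri(datagram)
        except ValueError:
            results.append(("malformed", None, None, datagram))
            continue
        if facility != configured_facility:
            status = "unexpected-facility"   # not tagged the way the switch is set up
        elif severity > configured_level:
            status = "above-threshold"       # switch should have suppressed this
        else:
            status = "ok"
        results.append((status, facility, severity, message))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_DATAGRAMS, configured_facility=23, configured_level=4):
        print(row)
```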
Event Logging Commands (Cont.)
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax: show logging {flash | ram | sendmail | trap}
• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
Event Logging Commands (Cont.)
show log
This command displays the system and event messages stored in memory.
Syntax: show log {flash | ram} [login] [tail]
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
• tail - Shows event history starting from the most recent entry.
• login - Shows the login record only.
CLI (Command Line Interface) SMTP Alert Commands (Cont.) Command Function logging sendmail level Syntax: This command sets the severity threshold used to trigger alert messages. logging sendmail level level • level - One of the system message levels. Messages sent include the selected level down to level 0. Range: 0-7; Default: 7 Default Setting: Level 7 Command Mode: Global Configuration Command Usage: The specified level indicates an event threshold.
CLI (Command Line Interface) SMTP Alert Commands (Cont.) Command Function show logging sendmail Command Mode: Normal Exec, Privileged Exec This command displays the settings for the SMTP event handler. Example: Console#show logging sendmail SMTP servers ----------------------------------------------1. 192.168.1.200 SMTP minimum severity level: 4 SMTP destination email addresses ----------------------------------------------1. geoff@acme.com SMTP source email address: SMTP status: Console# john@acme.
CLI (Command Line Interface) Time Commands (Cont.) Command Function sntp poll Syntax: This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. show sntp sntp poll seconds no sntp poll • seconds - Interval between time requests.
CLI (Command Line Interface) Time Commands (Cont.) Command Function show calendar Default Setting: None This command displays the system clock.
CLI (Command Line Interface) System Status Commands (Cont.) Command show startup-config (Cont.) Function vlan database vlan 1 name DefaultVlan media ethernet state active ! interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 . . . interface vlan 1 ip address dhcp ! line console ! line vty ! end Console# show running-config Default Setting: None This command displays the configuration information currently in use.
CLI (Command Line Interface) System Status Commands (Cont.) Command Function show running-config vlan database vlan 1 name DefaultVlan media ethernet state active ! ! interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 . . . ! interface vlan 1 ip address DHCP ! ! no map IP precedence no map IP DSCP ! ! line console ! line vty ! end ! Console# (Cont.) show system Default Setting: None This command displays system information.
CLI (Command Line Interface) System Status Commands (Cont.) Command Function show users Default Setting: None Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Command Mode: Normal Exec, Privileged Exec Command Usage: The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
CLI (Command Line Interface) Flash/File Commands These commands are used to manage the system code or configuration files. Flash/File Commands Command Function copy Syntax: This command moves (upload/ download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
CLI (Command Line Interface) Flash/File Commands (Cont.) Command Function copy Example: (Cont.) The following example shows how to copy the running configuration to a startup file: Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish. Success. Console# Example: The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.
CLI (Command Line Interface) Flash/File Commands (Cont.) Command Function dir Syntax: This command displays a list of files in flash memory. dir [unit:] {{boot-rom: | config: | opcode:} [:filename]} The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. • config - Switch configuration file. • opcode - Run-time operation code image file. • filename - Name of the configuration file or image name. • unit - Stack unit.
CLI (Command Line Interface) Flash/File Commands (Cont.) Command Function boot system Syntax: This command specifies the image used to start up the system. boot system [unit:] {boot-rom| config | opcode}: filename The type of file or image to set as a default includes: • boot-rom - Boot ROM (required). • config - Configuration file (required). • opcode - Run-time operation code (required). • filename - Name of the configuration file or image name. • unit - Specifies the unit number (required).
CLI (Command Line Interface) PoE Commands (Cont.) Command Function power inline Syntax: Use this command to turn power on for a specific port or force a port into test mode. Use the no form to turn off power for a port. power inline [auto | test] no power inline • auto - The switch automatically detects if a device is connected to the port and turns power on or off accordingly. • test - Forces the port into a test mode.
CLI (Command Line Interface) PoE Commands (Cont.) Command Function show power inline status Syntax: Use this command to display the current power status for all ports or for specific ports. show power inline status [interface] interface ethernet • unit - This is device 1. • port - Physical port number on the switch (Range: 1-26).
CLI (Command Line Interface) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1x. Authentication Commands Command Function authentication login Syntax: This command defines the login authentication method and precedence. Use the no form to restore the default.
CLI (Command Line Interface) RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
CLI (Command Line Interface) RADIUS Client Commands (Cont.) Command Function radius-server retransmit Syntax: This command sets the number of retries. Use the no form to restore the default. radius-server retransmit number_of_retries no radius-server retransmit • number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
CLI (Command Line Interface) TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
CLI (Command Line Interface) Port Security Commands These commands can be used to disable the learning function or manually specify secure addresses for a port. You may want to leave port security off for an initial training period (i.e., enable the learning function) to register all the current VLAN members on the selected port, and then enable port security to ensure that the port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port.
CLI (Command Line Interface) Port Security Commands (Cont.) Command Function mac-address-table static Syntax: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id • mac-address - MAC address. • interface: ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CLI (Command Line Interface) Port Security Commands (Cont.) Command Function show mac-address-table (Cont.) Note that the Type field may include the following types: • Learned - Dynamic address entries • Permanent - Static entry • Delete-on-reset - Static entry to be deleted when system is reset The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
CLI (Command Line Interface) 802.1x Port Authentication Commands (Cont.) Command Function dot1x port-control Syntax: This command sets the dot1x mode on a port interface. Use the no form to restore the default. dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control • auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
CLI (Command Line Interface) 802.1x Port Authentication Commands (Cont.) Command Function dot1x timeout quiet-period Syntax: This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. • seconds - The number of seconds. (Range: 1-65535) Use the no form to reset the default. Example: dot1x timeout re-authperiod Syntax: This command sets the time period after which a connected client must be re-authenticated.
CLI (Command Line Interface) 802.1x Port Authentication Commands (Cont.) Command show dot1x (Cont.) Function tx-period– Time a port waits during authentication session before retransmitting EAP packet (page 4-86). supplicant-timeout– Supplicant timeout. server-timeout– Server timeout. reauth-max– Maximum number of reauthentication attempts. max-req– Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-82).
CLI (Command Line Interface) 802.1x Port Authentication Commands (Cont.) Command show dot1x (Cont.) Function Operation mode Max count Port-control Supplicant Current Identifier Single-Host 5 Auto 00-00-e8-49-5e-dc 3 Authenticator State Machine State Authenticated Reauth Count 0 Backend State Machine State Idle Request Count 0 Identifier(Server) 2 Reauthentication State Machine State Initialize . . . 802.
Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets. The order in which active ACLs are checked is as follows:
1. User-defined rules in the Egress MAC ACL for egress ports.
2. User-defined rules in the Egress IP ACL for egress ports.
3. User-defined rules in the Ingress MAC ACL for ingress ports.
4. User-defined rules in the Ingress IP ACL for ingress ports.
5.
CLI (Command Line Interface) IP ACL Commands (Cont.) Command Function permit, deny Syntax: (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. [no] {permit | deny} {any | source bitmask | host source} • any – Any source IP address. • source – Source IP address. • bitmask – Decimal number representing the address bits to match.
CLI (Command Line Interface) IP ACL Commands (Cont.) Command Function permit, deny Command Usage: All new rules are appended to the end of the list. (Extended ACL - Cont.) Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.
CLI (Command Line Interface) IP ACL Commands (Cont.) Command Function show ip access-list Syntax: This command displays the rules for configured IP ACLs. • standard – Specifies a standard IP ACL. show ip access-list {standard | extended} [acl_name] • extended – Specifies an extended IP ACL. • acl_name – Name of the ACL. (Maximum length: 16 characters) Command Mode: Privileged Exec Example: Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.
CLI (Command Line Interface) IP ACL Commands (Cont.) Command Function mask Command Usage: Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered. (IP ACL - Cont.) First create the required ACLs and ingress or egress masks before mapping an ACL to an interface. If you enter dscp, you cannot enter tos or precedence.
Command: mask (IP ACL - Cont.)
Example: This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23:
Console(config)#access-list ip extended A3
Console(config-ext-acl)#deny host 171.69.198.5 any
Console(config-ext-acl)#deny 171.69.198.0 255.255.255.0 any source-port 23
Console(config-ext-acl)#end
Console#show access-list
IP extended access-list A3:
  deny host 171.
Command: show access-list ip mask-precedence
Function: This command shows the ingress or egress rule masks for IP ACLs.
Syntax: show access-list ip mask-precedence [in | out]
• in – Ingress mask precedence for ingress ACLs.
• out – Egress mask precedence for egress ACLs.
Command Mode: Privileged Exec
Example:
Console#show access-list ip mask-precedence
IP ingress mask ACL:
  mask host any
  mask 255.255.255.
Command: show map access-list ip
Function: This command shows the CoS value mapped to an IP ACL for the current interface. The CoS value determines the output queue for packets matching an ACL rule.
Syntax: show map access-list ip [interface]
• interface
  ethernet unit/port
    unit - This is device 1.
    port - Port number.
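Because a rule matches on the 1 bits of its address bitmask and the checking order is set by the mask rather than by entry order, permit and deny rules whose address patterns overlap are worth finding before an ACL is bound to a port. The following Python is an added example, not code from AMX or from this guide; the function names and the sample rules are constructed for illustration, and it handles only the standard-ACL source forms shown above (any, host source, source bitmask).

```python
import ipaddress
from itertools import combinations

ALL_ONES = 0xFFFFFFFF

# Constructed sample rules (documentation address ranges), not from a real device.
SAMPLE_ACL = """\
permit host 192.0.2.21
permit 198.51.100.0 255.255.255.0
deny 198.51.100.128 255.255.255.128
deny 203.0.113.0 255.255.255.0
"""


def _to_int(dotted):
    """Convert a dotted-quad address or bitmask to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_rule(line):
    """Parse '{permit | deny} {any | source bitmask | host source}'."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny rule: {line!r}")
    action, rest = tokens[0], tokens[1:]
    if rest == ["any"]:
        addr, mask = 0, 0                      # no bits are compared
    elif len(rest) == 2 and rest[0] == "host":
        addr, mask = _to_int(rest[1]), ALL_ONES  # every bit is compared
    elif len(rest) == 2:
        addr, mask = _to_int(rest[0]), _to_int(rest[1])
    else:
        raise ValueError(f"unsupported source form: {line!r}")
    # Bits under a 0 mask bit are ignored, so normalise them away.
    return {"action": action, "addr": addr & mask, "mask": mask,
            "text": line.strip()}


def parse_acl(text):
    """Parse one rule per non-empty line."""
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def matches(rule, source_ip):
    """True if source_ip agrees with the rule on every 1 bit of the bitmask."""
    return (_to_int(source_ip) & rule["mask"]) == rule["addr"]


def overlaps(a, b):
    """True if at least one address matches both rules.

    Two bitmask patterns share an address exactly when they agree on
    every bit that both masks compare; this also holds for
    non-contiguous masks.
    """
    common = a["mask"] & b["mask"]
    return ((a["addr"] ^ b["addr"]) & common) == 0


def conflicting_pairs(rules):
    """Return (rule, rule) text pairs that overlap with opposite actions."""
    return [(a["text"], b["text"])
            for a, b in combinations(rules, 2)
            if a["action"] != b["action"] and overlaps(a, b)]


if __name__ == "__main__":
    for first, second in conflicting_pairs(parse_acl(SAMPLE_ACL)):
        print(f"review overlap: {first!r} <-> {second!r}")
```

The check reports overlaps only; which of two overlapping rules wins on the switch depends on the mask precedence described above, which this example does not model.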
MAC ACL Commands
Command: access-list mac
Function: This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
Syntax:
• acl_name – Name of the ACL. (Maximum length: 16 characters)
Command: show mac access-list
Function: This command displays the rules for configured MAC ACLs.
Syntax:
• acl_name – Name of the ACL.
Command: mask (MAC ACL)
Function: This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header.
Syntax: [no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask]]
• pktformat – Check the packet format field. (If this keyword must be used in the mask, the packet format must be specified in ACL rule to match.
Command: mask (Cont.)
Example - This example creates an Egress MAC ACL:
Console(config)#access-list mac M5
Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806
Console(config-mac-acl)#end
Console#show access-list
MAC access-list M5:
  deny tagged-802.
Command: mac access-group
Function: This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax: mac access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting: None
Command Mode: Interface Configuration (Ethernet)
Command Usage: A port can only be bound to one ACL.
Command: match access-list mac
Function: This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. This feature is commonly referred
Syntax: match access-list mac acl_name set priority priority
no match access-list mac acl_name
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• priority – Class of Service value in the IEEE 802.1p priority tag.
SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMPv3 provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
Command: snmp-server community
Function: This command defines the community access string for the Simple Network Management Protocol. Use the no form to remove the specified community string.
Syntax: snmp-server community string [ro|rw]
no snmp-server community string
• string - Community string that acts like a password and permits access to the SNMP protocol.
Command: snmp-server host
Function: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax: snmp-server host host-addr community-string [version {1 | 2c}]
no snmp-server host host-addr
• host-addr - Internet address of the host (the targeted recipient).
Command: snmp-server engine-id
Function: Use this command to configure an identification string for the SNMP v3 engine. Use the no form to restore the default.
Syntax:
• engineid-string - String identifying the engine ID. (Range: 1-26 hexadecimal characters)
Default Setting: A unique engine ID is automatically generated by the switch based on its MAC address.
Command: show snmp view
Function: Use this command to show information on the SNMP groups.
Command Mode: Privileged Exec
Example:
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: nonvolatile
Row Status: active
Console#
• View Name: Name of an SNMP view.
• Subtree OID: A branch in the MIB tree.
Command: show snmp group
Function: Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Command Mode: Privileged Exec
Command: snmp-server user
Function: Use this command to add a user to an SNMP group, restricting the user to a specific SNMP Read and a Write View. Use the no form to remove a user from an SNMP group.
Syntax: snmp-server user username groupname {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]}
no snmp-server user username
• username - Name of user connecting to the SNMP agent.
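The community and user syntax above determines how much protection each SNMP principal gets: a v1/v2c community string is sent in clear text, while a v3 user may or may not carry the auth and priv options. The following Python is an added example, not code from AMX or from this guide, that reviews saved configuration lines written in that syntax; the function names, the severity labels and the sample configuration are this example's own, and findings deliberately leave out community strings and passwords.

```python
# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
snmp-server community netmon ro
snmp-server community netadmin rw
snmp-server user alice ops v3 auth sha Constructed-Auth-1 priv des56 Constructed-Priv-1
snmp-server user bob ops v3 auth md5 Constructed-Auth-2
snmp-server user carol ops v3
snmp-server user dave legacy v2c
"""


def parse_user(args):
    """Parse the arguments after 'snmp-server user' positionally.

    Positional parsing keeps a password that happens to be the word
    'auth' or 'priv' from being mistaken for a keyword.
    """
    if len(args) < 3 or args[2] not in ("v1", "v2c", "v3"):
        raise ValueError("expected: username groupname {v1 | v2c | v3 ...}")
    user = {"name": args[0], "group": args[1], "version": args[2],
            "auth": None, "priv": None}
    opts, i = args[3:], 0
    if opts[i:i + 1] == ["encrypted"]:
        i += 1
    for keyword in ("auth", "priv"):
        if opts[i:i + 1] == [keyword]:
            if len(opts) < i + 3:
                raise ValueError(f"'{keyword}' needs a protocol and a password")
            user[keyword] = opts[i + 1]   # protocol only; password is not kept
            i += 3
    return user


def security_level(user):
    """Classify a parsed user by the protection its options provide."""
    if user["version"] != "v3":
        return "community"
    if user["auth"] is None:
        return "noAuthNoPriv"
    if user["priv"] is None:
        return "authNoPriv"
    return "authPriv"


# Severity labels are this example's own choice.
USER_FINDINGS = {
    "community": ("MEDIUM", "uses the v1/v2c community model, no per-user authentication"),
    "noAuthNoPriv": ("HIGH", "is a v3 user with neither auth nor priv configured"),
    "authNoPriv": ("MEDIUM", "is authenticated but its traffic is not encrypted (no priv)"),
}


def audit(config_text):
    """Return (line number, severity, message) findings for SNMP lines."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        tok = line.split()
        if tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            access = tok[3] if len(tok) > 3 else "unspecified"
            severity = "HIGH" if access == "rw" else "MEDIUM"
            findings.append((lineno, severity,
                             f"community with {access} access is sent in clear text"))
        elif tok[:2] == ["snmp-server", "user"]:
            user = parse_user(tok[2:])
            level = security_level(user)
            if level in USER_FINDINGS:
                severity, text = USER_FINDINGS[level]
                findings.append((lineno, severity, f"user {user['name']} {text}"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: [{severity}] {message}")
```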
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Command: interface
Function: This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk.
Syntax: interface interface
no interface port-channel channel-id
• interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number.
Command: negotiation
Function: This command enables autonegotiation for a given interface. Use the no form to disable autonegotiation.
Syntax: [no] negotiation
Default Setting: Enabled
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage: When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.
Command: flowcontrol
Function: This command enables flow control. Use the no form to disable flow control.
Syntax: [no] flowcontrol
Default Setting: Flow control enabled
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage: Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill.
Command: clear counters
Function: This command clears statistics on an interface.
Syntax: clear counters interface
• interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-4)
Default Setting: None
Command Mode: Privileged Exec
Command Usage: Statistics are only initialized for a power reset.
Command: show interfaces counters
Function: This command displays interface statistics.
Syntax: show interfaces counters [interface]
• interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-4)
Default Setting: Shows the counters for all interfaces.
Command: show interfaces switchport
Function: This command displays the administrative and operational status of the specified interfaces.
Syntax: show interfaces switchport [interface]
• interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-4)
Default Setting: Shows all interfaces.
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
Command: port monitor
Function: This command configures a mirror session. Use the no form to clear a mirror session.
Syntax: port monitor interface [rx | tx]
no port monitor interface
• interface - ethernet unit/port (source port)
• unit - Stack unit. (Range: 1-8)
• port - Port number. (Range: 1-26)
• rx - Mirror received packets.
Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Dynamic Configuration Commands
Command: lacp
Function: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax: [no] lacp
Default Setting: Disabled
Command Mode: Interface Configuration (Ethernet)
Command Usage: The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
Command: lacp system-priority
Function: This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax: lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
Command: lacp admin-key (Port Channel)
Function: This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax: lacp {actor | partner} admin-key key
[no] lacp {actor | partner} admin-key
• key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
Trunk Status Display Command
Command: show interfaces status port-channel
Function: Shows trunk information
Command: show lacp
Function: This command displays LACP information.
Syntax: show lacp [port-channel] {counters | internal | neighbors | sysid}
• port-channel - Local identifier for a link aggregation group. (Range: 1-4)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for local side.
Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Command: mac-address-table static
Function: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
Syntax:
Command: show mac-address-table
Function: This command shows classes of entries in the bridge-forwarding database.
Syntax: show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
• mac-address - MAC address.
• mask - Bits to match in the address.
• interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number.
Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Command: spanning-tree
Function: This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
Syntax:
Default Setting: Spanning tree is enabled.
Command: spanning-tree forward-time
Function: This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Syntax: spanning-tree forward-time seconds
no spanning-tree forward-time
• seconds - Time in seconds. (Range: 4-30 seconds). The minimum value is the higher of 4 or [(max-age / 2) + 1].
Command: spanning-tree priority
Function: This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
Syntax: spanning-tree priority priority
no spanning-tree priority
• priority - Priority of the bridge. Range – 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768,
Command: spanning-tree cost
Function: This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
Syntax: spanning-tree cost cost
no spanning-tree cost
• cost - The path cost for the port.
Command: spanning-tree edge-port
Function: This command specifies an interface as an edge port. Use the no form to restore the default.
Syntax: [no] spanning-tree edge-port
Default Setting: Disabled
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage: You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
Command: spanning-tree link-type
Function: This command configures the link type for Rapid Spanning Tree. Use the no form to restore the default.
Syntax: spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
• auto - Automatically derived from the duplex mode setting.
• point-to-point - Point-to-point link.
• shared - Shared medium.
Command: show spanning-tree
Function: This command shows the configuration for the spanning tree.
Syntax: show spanning-tree [interface]
• interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number.
VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Configuring VLAN Interfaces
Command: interface vlan
Function: This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.
Syntax:
• vlan-id - ID of the configured VLAN.
Command: switchport ingress-filtering
Function: This command enables ingress filtering for an interface. Use the no form to restore the default.
Syntax: [no] switchport ingress-filtering
Default Setting: Disabled
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage: Ingress filtering only affects tagged frames.
Command: switchport allowed vlan
Function: This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax: switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
• add vlan-list - List of VLAN identifiers to add.
• remove vlan-list - List of VLAN identifiers to remove.
Displaying VLAN Information
Command: show vlan
Function: This command shows VLAN information.
Syntax: show vlan [id vlan-id | name vlan-name | private-vlan private-vlan-type]
• id - Keyword to be followed by the VLAN ID.
• vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes)
• name - Keyword to be followed by the VLAN name.
• vlan-name - ASCII string from 1 to 32 characters.
Edit Private VLAN Groups
Command: private-vlan
Function: Use this command to create a primary, isolated or community private VLAN. Use the no form to remove the specified private VLAN.
Syntax: private-vlan vlan-id {community | primary | isolated}
no private-vlan vlan-id
• vlan-id - ID of private VLAN. (Range: 1-4094, no leading zeroes).
• community - A VLAN in which traffic is restricted to port members.
Configure Private VLAN Interfaces
Command: switchport mode private-vlan
Function: Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting.
Syntax: switchport mode private-vlan {host | promiscuous}
no switchport mode private-vlan
• host – This port type can communicate with all other host ports assigned to the same secondary VLAN.
Display Private VLAN Information
Command: show vlan private-vlan
Function: Use this command to show the private VLAN configuration settings on this switch.
Syntax: show vlan private-vlan [community | isolated | primary]
• community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
GVRP and Bridge Extension Commands (Cont.)
Command: switchport gvrp
Function: This command enables GVRP for a port. Use the no form to disable it.
Syntax: [no] switchport gvrp
Default Setting: Disabled
Command Mode: Interface Configuration (Ethernet, Port Channel)
Example:
Console(config)#interface ethernet 1/6
Console(config-if)#switchport gvrp
Console(config-if)#
Command: switchport forbidden vlan
Function: See page 258.
Command: show garp timer
Function: This command shows the GARP timers for the selected interface.
Syntax: show garp timer [interface]
• interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number. (Range: 1-26)
  port-channel channel-id (Range: 1-4)
Default Setting: Shows all GARP timers.
Priority Commands (Layer 2 - Cont.)
Command: switchport priority default
Function: This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Syntax: switchport priority default default-priority-id
no switchport priority default
• default-priority-id - The priority number for untagged ingress traffic.
Default Setting: The priority is not set, and the default value for untagged frames received on the interface is zero.
Command: queue cos-map
Function: This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 3). Use the no form to set the CoS map to the default values.
Syntax: queue cos-map queue_id [cos1 ... cosn]
no queue cos-map
• queue_id - The ID of the priority queue. Ranges are 0 to 3, where 3 is the highest priority queue.
• cos1 .. cosn - The CoS values that are mapped to the queue ID.
Command: show interfaces switchport
Function: See page 236.

Priority Commands (Layer 3 and 4)
Maps TCP ports, IP precedence tags, or IP DSCP tags to class of service values
Command: map ip port (Global Configuration)
Function: This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets).
Syntax:
Command: map ip precedence (Interface Configuration)
Function: This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table.
Syntax: map ip precedence ip-precedence-value cos cos-value
no map ip precedence
• precedence-value - 3-bit precedence value.
Command: map ip dscp (Interface Configuration)
Function: This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table.
Syntax: map ip dscp dscp-value cos cos-value
no map ip dscp
• dscp-value - 8-bit DSCP value. (Range: 0-63)
• cos-value - Class-of-Service value (Range: 0-7)
Default Setting: The DSCP default values are defined in the following table.
Command: show map ip precedence
Function: This command shows the IP precedence priority map.
Syntax: show map ip precedence [interface]
• interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number.
Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP Snooping Commands (Cont.)
Command: show ip igmp snooping
Function: This command shows the IGMP snooping configuration.
Default Setting: None
Command Mode: Privileged Exec
Command Usage: See “Configuring IGMP Snooping and Query Parameters” on page 3-137 for a description of the displayed items.
IGMP Query Commands (Layer 2 - Cont.)
Command: ip igmp snooping query-count
Function: This command configures the query count. Use the no form to restore the default.
Syntax: ip igmp snooping query-count count
no ip igmp snooping query-count
• count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
Command: ip igmp snooping router-port-expire-time
Function: This command configures the query timeout. Use the no form to restore the default.
Syntax: ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
• seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
IP Interface Commands
There are no IP addresses assigned to this switch by default. You must manually configure a new address to manage the switch over your network. You may also need to establish a default gateway between this device and the management stations.
Command: ip default-gateway
Function: This command establishes a static route between this switch and devices that exist on another network segment.
Syntax: ip default-gateway gateway
no ip default-gateway
• gateway - IP address of the default gateway
Default Setting: No static route is established.
Command: ping
Function: This command sends ICMP echo request packets to another node on the network.
Syntax: ping host [size size] [count count]
• host - IP address or IP alias of the host.
• size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the switch adds header information.
• count - Number of packets to send.
DNS Commands
These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation.
Command: ip domain-list
Function: This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax: [no] ip domain-list name
• name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
Command: ip domain-lookup
Function: This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax:
Default Setting: Disabled
Command Usage: At least one name server must be specified before you can enable DNS. If all name servers are deleted, DNS will automatically be disabled.
Command: show dns cache
Function: This command displays entries in the DNS cache.
Command Mode: Privileged Exec
Example:
Console#show dns cache
NO  FLAG  TYPE   IP            TTL  DOMAIN
0   4     CNAME  10.2.44.96    893  pttch_pc.accton.com.tw
1   4     CNAME  10.2.44.3     898  ahten.accton.
2   4     CNAME  66.218.71.84  298
3   4     CNAME  66.218.71.83  298
4   4     CNAME  66.218.71.81  298
5   4     CNAME  66.218.71.80  298
6   4     CNAME  66.218.71.89  298
7   4     CNAME  66.218.71.86  298
8   4     ALIAS  POINTER TO:7  298
Console#
Troubleshooting
Troubleshooting Chart
Symptom: Cannot connect using Telnet, Web browser, or SNMP software
Action:
• Be sure you have configured the agent with a valid IP address, subnet mask and default gateway.
• If you are trying to connect to the agent via the IP address for a tagged VLAN group, your management station must include the appropriate tag in its transmitted frames.
AMX. All rights reserved. AMX and the AMX logo are registered trademarks of AMX. AMX reserves the right to alter specifications without notice at any time. ©2010 3/10 It’s Your World - Take Control™ 3000 RESEARCH DRIVE, RICHARDSON, TX 75082 USA • 800.222.0193 • 469.624.8000 • 469-624-7153 fax • 800.932.6993 technical support • www.amx.