Powered by Accton ES3528M ES3552M Fast Ethernet Switch Management Guide www.edge-core.
Management Guide Fast Ethernet Switch Layer 2 Workgroup Switch with 24/48 10/100BASE-T (RJ-45) Ports, and 4 Combination Gigabit (RJ-45/SFP) Ports
ES3528M ES3552M E092006-MT-R02 149100010700H
Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults 1-1 1-1 1-2 1-5 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers Configuring Access for SNMP Version 3 Clients Saving Con
Contents Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server Console Port Settings Telnet Settings Configuring Event Logging Displaying Log Messages System Log Configuration Remote Log Configuration Simple Mail Transfer Protocol Resetting the System Setting the System Clock Configuring SNTP Setting the Time Zone Simple Network Management Protocol Setting Community Access Strings Specifying Trap Managers and Trap Types Enabling SNMP Agent Status Configuring SNMPv3 Mana
Contents Filtering IP Addresses for Management Access Port Configuration Displaying Connection Status Configuring Interface Connections Creating Trunk Groups Statically Configuring a Trunk Enabling LACP on Selected Ports Configuring LACP Parameters Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Setting Broadcast Storm Thresholds Configuring Port Mirroring Configuring Rate Limits Rate Limit Configuration Showing Por
Contents Configuring Protocol VLAN Interfaces Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces Mapping CoS Values to Egress Queues Enabling CoS Selecting the Queue Mode Setting the Service Weight for Traffic Classes Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values Enabling IP DSCP Priority Mapping DSCP Priority Quality of Service Configuring Quality of Service Parameters Configuring a Class Map Creating QoS Policies Attaching a Policy Ma
Contents Cluster Candidate Information 3-179 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Command Groups Line Commands line login password timeo
Contents System Management Commands Device Designation Commands prompt hostname User Access Commands username enable password IP Filter Commands management show management Web Server Commands ip http port ip http server ip http secure-server ip http secure-port Telnet Server Commands ip telnet port ip telnet server Secure Shell Commands ip ssh server ip ssh timeout ip ssh authentication-retries ip ssh server-key size delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-ke
Contents show logging sendmail Time Commands sntp client sntp server sntp poll show sntp clock timezone calendar set show calendar System Status Commands show startup-config show running-config show system show users show version Frame Size Commands jumbo frame Flash/File Commands copy delete dir whichboot boot system Authentication Commands Authentication Sequence authentication login authentication enable RADIUS Client radius-server host radius-server port radius-server key radius-server retransmit radius
Contents dot1x port-control dot1x operation-mode dot1x re-authenticate dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout tx-period show dot1x Access Control List Commands IP ACLs access-list ip permit, deny (Standard ACL) permit, deny (Extended ACL) show ip access-list ip access-group show ip access-group MAC ACLs access-list mac permit, deny (MAC ACL) show mac access-list mac access-group show mac access-group ACL Information show access-list show access-group SNM
Contents negotiation capabilities flowcontrol shutdown switchport broadcast packet-rate clear counters show interfaces status show interfaces counters show interfaces switchport Mirror Port Commands port monitor show port monitor Rate Limit Commands rate-limit Link Aggregation Commands channel-group lacp lacp system-priority lacp admin-key (Ethernet Interface) lacp admin-key (Port Channel) lacp port-priority show lacp Address Table Commands mac-address-table static clear mac-address-table dynamic show mac-a
Contents spanning-tree port-priority spanning-tree edge-port spanning-tree portfast spanning-tree link-type spanning-tree mst cost spanning-tree mst port-priority spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp show bridge-ext switchport gvrp show gvrp configuration garp timer show garp timer Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan switchport mode switchport acc
Contents queue mode switchport priority default queue bandwidth queue cos-map show queue mode show queue bandwidth show queue cos-map Priority Commands (Layer 3 and 4) map ip dscp (Global Configuration) map ip dscp (Interface Configuration) show map ip dscp Quality of Service Commands class-map match policy-map class set police service-policy show class-map show policy-map show policy-map interface Example Multicast Filtering Commands IGMP Snooping Commands ip igmp snooping ip igmp snooping vlan static ip i
Contents IP Interface Commands ip address ip default-gateway ip dhcp restart show ip interface show ip redirects ping IP Source Guard Commands ip source-guard ip source-guard binding show ip source-guard show ip source-guard binding DHCP Snooping Commands ip dhcp snooping ip dhcp snooping vlan ip dhcp snooping trust ip dhcp snooping verify mac-address ip dhcp snooping information option ip dhcp snooping information policy ip dhcp snooping database flash show ip dhcp snooping show ip dhcp snooping binding Sw
Tables Table 1-1 Table 1-2 Table 3-1 Table 3-2 Table 3-3 Table 3-4 Table 3-5 Table 3-6 Table 3-7 Table 3-8 Table 3-9 Table 3-10 Table 3-11 Table 3-12 Table 3-13 Table 4-1 Table 4-2 Table 4-3 Table 4-4 Table 4-5 Table 4-6 Table 4-7 Table 4-8 Table 4-9 Table 4-10 Table 4-11 Table 4-12 Table 4-13 Table 4-14 Table 4-15 Table 4-16 Table 4-17 Table 4-18 Table 4-19 Table 4-20 Table 4-21 Table 4-22 Table 4-23 Table 4-24 Table 4-25 Table 4-26 Table 4-27 Key Features System Defaults Configuration Options Main Menu L
Tables Table 4-28 Table 4-29 Table 4-30 Table 4-31 Table 4-32 Table 4-33 Table 4-34 Table 4-35 Table 4-36 Table 4-37 Table 4-38 Table 4-39 Table 4-40 Table 4-41 Table 4-42 Table 4-43 Table 4-44 Table 4-45 Table 4-46 Table 4-47 Table 4-48 Table 4-49 Table 4-50 Table 4-51 Table 4-52 Table 4-53 Table 4-54 Table 4-55 Table 4-56 Table 4-57 Table 4-58 Table 4-59 Table 4-60 Table 4-61 Table 4-62 Table 4-63 Table 4-64 Table 4-65 Table 4-66 Table 4-67 Table 4-68 Table 4-69 Table 4-70 Table 4-71 Table 4-72 xvi Authe
Tables Table 4-73 Table 4-74 Table 4-75 Table 4-76 Table 4-77 Table B-1 show mvr members - display description IP Interface Commands IP Source Guard Commands DHCP Snooping Commands Switch Cluster Commands Troubleshooting Chart 4-214 4-215 4-219 4-223 4-230 B-1 xvii
Tables xviii
Figures Figure 3-1 Figure 3-2 Figure 3-3 Figure 3-4 Figure 3-5 Figure 3-6 Figure 3-7 Figure 3-8 Figure 3-9 Figure 3-10 Figure 3-11 Figure 3-12 Figure 3-13 Figure 3-14 Figure 3-15 Figure 3-16 Figure 3-17 Figure 3-18 Figure 3-19 Figure 3-20 Figure 3-21 Figure 3-22 Figure 3-23 Figure 3-24 Figure 3-25 Figure 3-26 Figure 3-27 Figure 3-28 Figure 3-29 Figure 3-30 Figure 3-31 Figure 3-32 Figure 3-33 Figure 3-34 Figure 3-35 Figure 3-36 Figure 3-37 Figure 3-38 Figure 3-39 Figure 3-40 Figure 3-41 Figure 3-42 Home Pag
Figures Figure 3-43 Figure 3-44 Figure 3-45 Figure 3-46 Figure 3-47 Figure 3-48 Figure 3-49 Figure 3-50 Figure 3-51 Figure 3-52 Figure 3-53 Figure 3-54 Figure 3-55 Figure 3-56 Figure 3-57 Figure 3-58 Figure 3-59 Figure 3-60 Figure 3-61 Figure 3-62 Figure 3-63 Figure 3-64 Figure 3-65 Figure 3-66 Figure 3-67 Figure 3-68 Figure 3-69 Figure 3-70 Figure 3-71 Figure 3-72 Figure 3-73 Figure 3-74 Figure 3-75 Figure 3-76 Figure 3-77 Figure 3-78 Figure 3-79 Figure 3-80 Figure 3-81 Figure 3-82 Figure 3-83 Figure 3-84
Figures Figure 3-88 Figure 3-89 Figure 3-90 Figure 3-91 Figure 3-92 Figure 3-93 Figure 3-94 Figure 3-95 Figure 3-96 Figure 3-97 Figure 3-98 Figure 3-99 Figure 3-100 Figure 3-101 Figure 3-102 Figure 3-103 Figure 3-104 Figure 3-105 Figure 3-106 Figure 3-107 Figure 3-108 Figure 3-109 Figure 3-110 Figure 3-111 Figure 3-112 Figure 3-113 Figure 3-114 Figure 3-115 Figure 3-116 Configuring Queue Scheduling IP DSCP Priority Status Mapping IP DSCP Priority Values Configuring Class Maps Configuring Policy Maps Servic
Figures xxii
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
1 Introduction Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and private VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth.
Description of Software Features 1 Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity. Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP).
1 Introduction Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
System Defaults 1 System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-19). The following table lists some of the basic system defaults.
1 Introduction Table 1-2 System Defaults (Continued) Function Parameter Default Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Rate Limiting Input limits Disabled Port Trunking Static Trunks None LACP (all ports) Disabled Broadcast Storm Protection Status Enabled (all ports) Broadcast Limit Rate 64 kbits per second Spanning Tree Algorithm Status Enabled, RSTP (Defaults: All values based on IEEE 802.
System Defaults 1 Table 1-2 System Defaults (Continued) Function Parameter Default System Log Status Enabled Messages Logged Levels 0-6 (all) Messages Logged to Flash Levels 0-3 SMTP Email Alerts Event Handler Enabled (but no server defined) SNTP Clock Synchronization Disabled DHCP Snooping Status Disabled IP Source Guard Status Disabled (all ports) Switch Clustering Status Enabled Commander Disabled 1-7
1 1-8 Introduction
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
2 • • • • Initial Configuration Configure up to 8 static or LACP trunks Enable port mirroring Set broadcast storm control on any port Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch.
2 Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4. Note: This switch supports four concurrent Telnet/SSH sessions.
2 Initial Configuration Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows: 1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
Basic Configuration 2 Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press . 2.
2 Initial Configuration 5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press . 6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press . Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.
Basic Configuration 2 The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps: 1.
2 Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
Managing System Files 2 Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: • Configuration — This file stores system configuration information and is created when configuration settings are saved.
2 2-10 Initial Configuration
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
3 Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Panel Display 3 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons. Table 3-1 Configuration Options Button Action Revert Cancels specified values and restores current values prior to pressing Apply. Apply Sets specified values to the system. Help Links directly to webhelp. Notes: 1.
3 Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Main Menu 3 Table 3-2 Main Menu (Continued) Menu Description Page Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-37 Users Configures SNMP v3 users on this switch 3-37 Remote Users Configures SNMP v3 users from a remote device 3-38 Groups Configures SNMP v3 groups 3-39 Views Configures SNMP v3 views Security 3-42 3-44 User Accounts Assigns a new password for the current user 3-44 Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-46 H
3 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Port Counters Information Displays statistics for LACP protocol messages 3-85 Port Internal Information Displays settings and operational state for the local side 3-87 Port Neighbors Information Displays settings and operational state for the remote side 3-89 Port Broadcast Control Sets the broadcast storm threshold for each port 3-90 Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-90
Main Menu 3 Table 3-2 Main Menu (Continued) Menu Description Page Basic Information Displays information on the VLAN type supported by this switch 3-123 Current Table Shows the current port members of each VLAN and whether or not the port is tagged or untagged 3-123 Static List Used to create or remove VLAN groups 3-125 Static Table Modifies the settings for an existing VLAN 3-126 Static Membership by Port Configures membership type for interfaces, including tagged, untagged or forbidden 3
3 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description QoS Page 3-146 DiffServ 3-146 Class Map Sets Class Maps 3-147 Policy Map Sets Policy Maps 3-150 Service Policy Defines service policy settings for ports IGMP Snooping 3-153 3-154 IGMP Configuration Enables multicast filtering; configures parameters for multicast query 3-155 IGMP Immediate Leave Enables the immediate leave function 3-156 Multicast Router Port Information Displays the ports that are attached to
Main Menu 3 Table 3-2 Main Menu (Continued) Menu Description Page Port Configuration Enables IP source guard and selects filter type per port 3-173 Static Configuration Adds a static addresses to the source-guard binding table 3-174 Dynamic Information Displays the source-guard binding table for a selected interface Cluster 3-175 3-176 Configuration Globally enables clustering for the switch 3-177 Member Configuration Adds switch Members to the cluster 3-178 Member Information Displays
3 Configuring the Switch Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • • • • • System Name – Name assigned to the switch system. Object ID – MIB II object ID for switch’s network management subsystem. Location – Specifies the system location. Contact – Administrator responsible for the system. System Up Time – Length of time the management agent has been up.
Basic Configuration 3 CLI – Specify the hostname, location and contact information. Console(config)#hostname R&D 5 4-25 Console(config)#snmp-server location WC 9 4-101 Console(config)#snmp-server contact Ted 4-101 Console(config)#exit Console#show system 4-61 System description : ES3528M System OID string : 1.3.6.1.4.1.259.6.10.94 System information System Up time : 0 days, 0 hours, 14 minutes, and 32.
3 Configuring the Switch Web – Click System, Switch Information. Figure 3-4 Switch Information CLI – Use the following command to display version information. Console#show version Unit 1 Serial number: Hardware version: EPLD Version: Number of ports: Main power status: Redundant power status: 4.04 28 Up Not present Agent (master) Unit ID: Loader version: Boot ROM version: Operation code version: 1 0.0.0.5 0.0.0.8 0.0.1.
Basic Configuration 3 Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
3 Configuring the Switch CLI – Enter the following command. Console#show bridge-ext Max support VLAN numbers: Max support VLAN ID: Extended multicast filtering services: Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Global GVRP status: GMRP: Console# 4-162 256 4094 No Yes SVL Yes No Enabled Disabled Disabled Setting the Switch’s IP Address This section describes how to configure an IP interface for management access over the network.
3 Basic Configuration Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI – Specify the management interface, IP address and default gateway. Console#config Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.1 255.255.255.
3 Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
3 Basic Configuration Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI – Enter the following command to restart DHCP service. Console#ip dhcp restart Console# 4-217 Enabling Jumbo Frames You can enable jumbo frames to support data packets up to 9000 bytes in size.
3 Configuring the Switch • File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
Basic Configuration 3 To delete a file select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-11 Deleting Files CLI – To download new firmware form a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names.
3 Configuring the Switch - tftp to file – Copies a file from a TFTP server to the switch. - tftp to running-config – Copies a file from a TFTP server to the running config. - tftp to startup-config – Copies a file from a TFTP server to the startup config. • TFTP Server IP Address – The IP address of a TFTP server. • File Type – Specify config (configuration) to copy configuration settings.
Basic Configuration 3 Note: You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page. Figure 3-13 Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config TFTP server ip address: 192.168.1.
3 • • • • • Configuring the Switch system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded. (Range: 0-65535; Default: 0) Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port.
3 Basic Configuration CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
3 Configuring the Switch • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Password2 – Specifies a password for the line connection.
3 Basic Configuration CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
3 Configuring the Switch CLI – This example shows the event message stored in RAM. Console#show log ram [1] 00:00:27 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:00:25 2001-01-01 "System coldStart notification." level: 6, module: 5, function: 1, and event no.: 1 Console# 4-47 System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
3 Basic Configuration Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-17 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
3 Configuring the Switch • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-18 Remote Logs CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap. Console(config)#logging host 192.168.1.
Basic Configuration 3 • Severity – Specifies the degree of urgency that the message carries. • Debugging – Sends a debugging notification. (Level 7) • Information – Sends informatative notification only. (Level 6) • Notice – Sends notification of a normal but significant condition, such as a cold start. (Level 5) • Warning – Sends notification of a warning condition such as return false, or unexpected return.
3 Configuring the Switch CLI – Enter the host ip address, followed by the mail severity level, source and destination email addresses and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging Console(config)#logging Console(config)#logging bill@this-company.com Console(config)#logging ted@this-company.com Console(config)#logging Console# sendmail host 192.168.1.
Basic Configuration 3 Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See “calendar set” on page 4-56) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
3 Configuring the Switch CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#exit Console#show sntp Current time: Jan 6 14:56:05 2004 Poll interval: 60 Current mode: unicast SNTP status : Enabled SNTP server 10.1.0.19 137.82.140.80 128.250.36.2 Current server: 128.250.36.
Simple Network Management Protocol 3 Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
3 Configuring the Switch Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-23 Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access. Console(config)#snmp-server community spiderman rw Console(config)# 4-100 Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers.
Simple Network Management Protocol 3 Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply. Figure 3-24 Configuring IP Trap Managers CLI – This example adds a trap manager and enables both authentication and link-up, link-down traps. Console(config)#snmp-server host 192.168.1.
3 Configuring the Switch Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy). 4.
3 Simple Network Management Protocol Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent.
3 Configuring the Switch • Privacy – The encryption algorithm use for data privacy; only 56-bit DES is currently available. • Actions – Enables the user to be assigned to another SNMPv3 group. Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
3 Simple Network Management Protocol To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Command Attributes • User Name – The name of user connecting to the SNMP agent.
3 Configuring the Switch Command Attributes • Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters) • Model – The user security model; SNMP v1, v2c or v3. • Level – The security level used for the group: - noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.) - AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
3 Simple Network Management Protocol Table 3-4 Supported Notification Messages (Continued) Object Label Object ID Description linkUp 1.3.6.1.6.3.1.1.5.4 A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state). This other state is indicated by the included value of ifOperStatus. authenticationFailure 1.3.6.1.6.3.1.1.
3 Configuring the Switch Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete. Figure 3-30 Configuring SNMPv3 Groups Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree.
Simple Network Management Protocol 3 • Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view. Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
3 Configuring the Switch User Authentication You can restrict management access to this switch using the following options: • • • • • • • User Accounts – Manually configure access rights on the switch for specified users. Authentication Settings – Use remote authentication to configure access rights. HTTPS Settings – Provide a secure web connection. SSH Settings – Provide a secure shell (for secure Telnet access). Port Security – Configure secure addresses for individual ports. 802.1X – Use IEEE 802.
User Authentication 3 Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply. Figure 3-32 Access Levels CLI – Assign a user name to access-level 15 (i.e.
3 Configuring the Switch Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
User Authentication 3 Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
3 Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33 Authentication Settings CLI – Specify all the required parameters to enable logon authentication.
User Authentication Console#configure Console(config)#authentication login tacacs Console(config)#tacacs-server host 10.20.30.40 Console(config)#tacacs-server port 200 Console(config)#tacacs-server key green Console#show tacacs-server Server IP address: 10.20.30.
3 Configuring the Switch Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-34 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number.
User Authentication 3 Configuring the Secure Shell The Berkley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks. The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkley remote access tools.
3 3. Configuring the Switch Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-64) to copy a file containing the public key for all the SSH client’s granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-44.) The clients are subsequently authenticated using these keys.
User Authentication 3 Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
3 Configuring the Switch CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SHH, and then disables this connection. Console(config)#ip ssh server 4-36 Console(config)#ip ssh timeout 100 4-37 Console(config)#ip ssh authentication-retries 5 4-37 Console(config)#ip ssh server-key size 512 4-38 Console(config)#end Console#show ip ssh 4-40 SSH Enabled - version 2.
3 User Authentication Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-36 SSH Host-Key Settings CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
3 Configuring the Switch Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
3 User Authentication Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
3 Configuring the Switch This switch uses the Extensible Authentication Protocol over LANs (EAPOL) 802.1x to exchange authentication client protocol messages with the client, and a remote RADIUS 1. Client attempts to access a switch port. authentication server to verify 2. Switch sends client an identity request. 3. Client sends back identity information. RADIUS user identity and access 4. Switch forwards this to authentication server. server 5. Authentication server challenges client. rights.
User Authentication 3 Figure 3-38 802.1X Global Information CLI – This example shows the default global setting for 802.1X. Console#show dot1x Global 802.1X Parameters system-auth-control: enable 4-85 802.1X Port Summary Port Name Status 1/1 disabled 1/2 disabled . . . 802.1X Port Details Operation Mode Single-Host Single-Host Mode ForceAuthorized ForceAuthorized Authorized n/a n/a 802.1X is disabled on port 1/1 . . . 802.1X is disabled on port 1/52 Console# Configuring 802.
3 Configuring the Switch Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section. Command Attributes • Port – Port number. • Status – Indicates if authentication is enabled or disabled on the port.
User Authentication 3 Figure 3-40 802.
3 Configuring the Switch CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-85.
3 User Authentication Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-6 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator. Rx EAPOL Invalid The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
3 Configuring the Switch Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-41 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4.
3 Access Control Lists soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted. Command Usage The following restrictions apply to ACLs: • Each ACL can have up to 100 rules. • However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
3 Configuring the Switch Web – Select Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 3-42 Selecting ACL Type CLI – This example creates a standard IP ACL named david.
Access Control Lists 3 Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add. Figure 3-43 Configuring Standard IP ACLs CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. Console(config-std-acl)#permit host 10.1.1.
3 Configuring the Switch • Source/Destination Port Bitmask – Decimal number representing the port bits to match. (Range: 0-65535) • Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) • Control Code Bit Mask – Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask) that is applied to the control code.
Access Control Lists 3 Figure 3-44 Configuring Extended IP ACLs CLI – This example adds two rules: (1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. (2) Allow TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). Console(config-ext-acl)#permit 10.7.1.
3 Configuring the Switch Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any) • Source/Destination MAC Address – Source or destination MAC address.
Access Control Lists 3 Figure 3-45 Configuring MAC ACLs Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port. Command Usage • Each ACL can have up to 100 rules. • This switch supports ACLs for ingress filtering only. However, you only bind one IP ACL to any port for ingress filtering.
3 Configuring the Switch Figure 3-46 Configuring ACL Port Binding CLI – This example assigns an IP access list to port 1, and an IP access list to port 3.
3 Access Control Lists • You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Command Attributes • • • • • • • Web IP Filter – Configures IP address(es) for the web group. SNMP IP Filter – Configures IP address(es) for the SNMP group. Telnet IP Filter – Configures IP address(es) for the Telnet group.
3 Configuring the Switch CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 Console(config)#end Console#show management all-client Management IP Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- 4-28 SNMP-Client: Start IP address End IP address ----------------------------------------------1. 10.1.2.3 10.1.2.
Port Configuration 3 Web – Click Port, Port Information or Trunk Information. Figure 3-48 Displaying Port/Trunk Information Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-14.) Configuration: • • • • • • • • Name – Interface label. Port admin – Shows if the interface is enabled or disabled (i.e.
3 Configuring the Switch • Port Security – Shows if port security is enabled or disabled. • Max MAC count – Shows the maximum number of MAC address that can be learned by a port. (0 - 1024 addresses) • Port security action – Shows the response to take when a security violation is detected. (shutdown, trap, trap-and-shutdown, or none) Current Status: • Link Status – Indicates if the link is up or down. • Port Operation Status – Provides detailed information on port state.
3 Port Configuration • Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled) • Flow Control – Allows automatic or manual selection of flow control. • Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/ disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control.
3 Configuring the Switch CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 Console(config-if)#description RD SW#13 Console(config-if)#shutdown . Console(config-if)#no shutdown Console(config-if)#no negotiation Console(config-if)#speed-duplex 100half Console(config-if)#flowcontrol .
Port Configuration 3 Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to four trunks at a time. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
3 Configuring the Switch Statically Configuring a Trunk Command Usage statically configured } • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
Port Configuration 3 CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
3 Configuring the Switch Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-52) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Port Configuration 3 CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 Console(config-if)#lacp Console(config-if)#exit . . .
3 Configuring the Switch - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default: 1) • Port Priority – If a link goes down, LACP port priority is used to select a backup link.
Port Configuration 3 CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-114 Console(config-if)#lacp actor system-priority 3 4-131 Console(config-if)#lacp actor admin-key 120 4-132 Console(config-if)#lacp actor port-priority 128 4-134 Console(config-if)#exit . . .
3 Configuring the Switch Table 3-7 LACP Port Counters (Continued) Field Description Marker Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type. Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.
Port Configuration 3 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of an link aggregation. Table 3-8 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Interval Number of seconds before invalidating received LACPDU information.
3 Configuring the Switch Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-54 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Port Configuration 3 Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of an link aggregation. Table 3-9 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Port Number Current administrative value of the port number for the protocol Partner.
3 Configuring the Switch CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
3 Port Configuration Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-56 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
3 Configuring the Switch Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. Source port(s) Command Usage Single target port • Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
3 Port Configuration Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
3 Configuring the Switch Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
3 Port Configuration Table 3-10 Port Statistics (Continued) Parameter Description Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space. Transmit Errors The number of outbound packets that could not be transmitted because of errors.
3 Configuring the Switch Table 3-10 Port Statistics (Continued) Parameter Description Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were directed to this multicast address.
Port Configuration 3 Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
3 Configuring the Switch CLI – This example shows statistics for port 13.
Address Table Settings 3 Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-60 Configuring a Static Address Table CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
3 Configuring the Switch Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-61 Configuring a Dynamic Address Table CLI – This example also displays the address table entries for port 1.
Spanning Tree Algorithm Configuration 3 Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-630 seconds; Default: 300 seconds) Web – Click Address Table, Address Aging. Specify the new aging time, click Apply. Figure 3-62 Setting the Address Aging Time CLI – This example sets the aging time to 300 seconds.
3 Configuring the Switch the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Designated Root x x x Designated Bridge x Designated Port Root Port x Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
3 Spanning Tree Algorithm Configuration Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) • Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
3 Configuring the Switch • Root Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
Spanning Tree Algorithm Configuration 3 Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol7 Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
3 Configuring the Switch address will then become the root device. (Note that lower numeric values indicate higher priority.) - Default: 32768 - Range: 0-61440, in steps of 4096 - Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 Root Device Configuration • Hello Time – Interval (in seconds) at which the root device transmits a configuration message. - Default: 2 - Minimum: 1 - Maximum: The lower of 10 or [(Max.
Spanning Tree Algorithm Configuration 3 Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. • Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0) • Region Name – The name for this MSTI. (Maximum length: 32 characters) • Maximum Hop Count – The maximum number of hops allowed in the MST region before a BPDU is discarded.
3 Configuring the Switch CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.
Spanning Tree Algorithm Configuration 3 by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-111. • Oper Edge Port – This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 3-111 (i.e., true or false), but will be set to false if a BPDU is received, indicating that another bridge is attached to this port.
3 • • • • Configuring the Switch Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled. Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device. Fast forwarding – This field provides the same information as Admin Edge port, and is only included for backward compatibility with earlier products.
Spanning Tree Algorithm Configuration 3 CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 Eth 1/ 5 information -------------------------------------------------------------Admin status: enabled Role: disable State: discarding Path cost: 10000 Priority: 128 Designated cost: 0 Designated port : 128.5 Designated root: 32768.0012CF0B0D00 Designated bridge: 32768.
3 Configuring the Switch Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 • Path Cost – This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.
3 Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-66 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7.
3 Configuring the Switch Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) • Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440; Default: 32768) • VLANs in MST Instance – VLANs assigned this instance. • MST ID – Instance identifier to configure.
3 Spanning Tree Algorithm Configuration CLI – This example sets STA attributes for port 1, , followed by settings for each port. Console#show spanning-tree mst 2 Spanning-tree information --------------------------------------------------------------Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance :2 Vlans configuration :2 Priority :4096 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20 Bridge Forward Delay (sec.) :15 Root Hello Time (sec.) :2 Root Max Age (sec.
3 Configuring the Switch Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values.
3 Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree.
3 Configuring the Switch - Discarding – Port receives STA configuration messages, but does not forward packets. - Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses. - Forwarding – Port forwards packets, and continues learning addresses. • Trunk – Indicates if a port is a member of a trunk.
3 VLAN Configuration Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-69 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 Console(config-if)#spanning-tree mst port-priority 0 Console(config-if)#spanning-tree mst cost 50 Console(config-if) VLAN Configuration IEEE 802.
3 Configuring the Switch This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.
VLAN Configuration 3 VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets. However, you should use IEEE 802.3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration.
3 Configuring the Switch Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports. Ports can be assigned to multiple tagged VLANs, but are only allowed one untagged VLAN. Each port on the switch is capable of passing tagged or untagged frames.
3 VLAN Configuration Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number8 – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. • Maximum VLAN ID – Maximum VLAN ID recognized by this switch. • Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch. Web – Click VLAN, 802.1Q VLAN, Basic Information.
3 Configuring the Switch • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry. • Egress Ports – Shows all the VLAN port members. • Untagged Ports – Shows the untagged VLAN port members. Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list. Figure 3-72 Displaying Current VLANs Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes).
3 VLAN Configuration CLI – Current VLAN information can be displayed with the following command.
3 Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-73 Configuring a VLAN Static List CLI – This example creates a new VLAN.
VLAN Configuration 3 2. VLAN 1 is the default untagged VLAN containing all ports on the switch, and can only be modified by first reassigning the default port VLAN ID as described under “Configuring VLAN Behavior for Interfaces” on page 3-130. Command Attributes • VLAN – ID of configured VLAN (1-4094). • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets.
3 Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply. Figure 3-74 Configuring a VLAN Static Table CLI – The following example adds tagged and untagged ports to VLAN 2.
3 VLAN Configuration Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. • Non-Member – VLANs for which the selected interface is not a tagged member. Web – Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk).
3 Configuring the Switch Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
VLAN Configuration 3 Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply. Figure 3-76 Configuring VLANs per Port CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, and then sets the switchport mode to hybrid.
3 Configuring the Switch To configure primary/secondary associated groups, follow these steps: 1. Use the Private VLAN Configuration menu (page 3-133) to designate one or more community VLANs, and the primary VLAN that will channel traffic outside of the VLAN groups. 2. Use the Private VLAN Association menu (page 3-134) to map the secondary (i.e., community) VLAN(s) to the primary VLAN. 3. Use the Private VLAN Port Configuration menu (page 3-136) to set the port type to promiscuous (i.e.
3 VLAN Configuration Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu. Figure 3-77 Private VLAN Information CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as a host ports and are associated with VLAN 6. This means that traffic for port 4 and 5 can only pass through port 3.
3 Configuring the Switch Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted. Figure 3-78 Private VLAN Configuration CLI – This example configures VLAN 5 as a primary VLAN, and VLAN 6 as a community VLAN.
3 VLAN Configuration CLI – This example associates community VLANs 6 and 7 with primary VLAN 5. Console(config)#vlan database Console(config-vlan)#private-vlan 5 association 6 Console(config-vlan)#private-vlan 5 association 7 Console(config)# 4-165 4-176 4-176 Displaying Private VLAN Interface Information Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs. Command Attributes • Port/Trunk – The switch interface.
3 Configuring the Switch CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for port 4 and 5 can only pass through port 3.
3 VLAN Configuration Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply. Figure 3-81 Private VLAN Port Configuration CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6.
3 Configuring the Switch • Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol. • Protocol Type – The only option for the LLC Other frame type is IPX Raw. The options for all other frames types include IP, ARP, or RARP. Web – Click VLAN, Protocol VLAN, Configuration. Figure 3-82 Protocol VLAN Configuration Configuring Protocol VLAN Interfaces Use the Protocol VLAN Port Configuration menu to set the protocol VLAN settings per port.
Class of Service Configuration 3 Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
3 Configuring the Switch Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-84 Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3.
Class of Service Configuration 3 The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
3 Configuring the Switch CLI – The following example shows how to change the CoS assignments.
3 Class of Service Configuration Web – Click Priority, Queue Mode. Select Strict or WRR, then click Apply. Figure 3-87 Queue Mode CLI – The following sets the queue mode to strict priority service mode. Console(config)#queue mode wrr Console(config)#exit Console#show queue mode Queue mode: wrr Console# 4-184 4-187 Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue.
3 Configuring the Switch CLI – The following example shows how to display the WRR weights assigned to each of the priority queues. Console#show queue bandwidth Queue ID Weight -------- -----0 1 1 2 2 4 3 8 Console 4-188 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports one method of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame using the number of the TCP port.
Class of Service Configuration 3 Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table.
3 Configuring the Switch CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp Console(config)#interface ethernet 1/1 Console(config-if)#map ip dscp 1 cos 0 Console(config-if)#end Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled 4-189 4-114 4-189 4-190 Port DSCP COS --------- ---- --Eth 1/ 1 0 0 Eth 1/ 1 1 0 Eth 1/ 1 2 0 Eth 1/ 1 3 0 . . .
Quality of Service 3 2. You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 3-152). Configuring Quality of Service Parameters To create a service policy for a specific category or ingress traffic, follow these steps: 1. Use the “Class Map” to designate a class name for a specific category of traffic. 2.
3 Configuring the Switch • Add Class – Opens the “Class Configuration” page. Enter a class name and description on this page, and click Add to open the “Match Class Settings” page. Enter the criteria used to classify ingress traffic on this page. • Remove Class – Removes the selected class. Class Configuration • Class Name – Name of the class map.
Quality of Service 3 Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-91 Configuring Class Maps CLI - This example creates a class map call “rd-class,” and sets it to match packets marked for DSCP service value 3.
3 Configuring the Switch Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-147. - Open the Policy Map page, and click Add Policy. - When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add. - When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).
Quality of Service 3 • Add – Adds the specified policy. • Back – Returns to previous page with making any changes. Policy Rule Settings - Class Settings • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-147). • Meter – The maximum throughput and burst rate. - Rate (kbps) – Rate in kilobits per second. - Burst (byte) – Burst in bytes.
3 Configuring the Switch Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
Quality of Service 3 CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth the 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
3 Configuring the Switch Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/ router.
Multicast Filtering 3 Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
3 Configuring the Switch Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-94 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
3 Multicast Filtering Command Attributes • VLAN ID – ID of configured VLAN (1-4094). • Immediate Leave – Enable or disable IGMP immediate leave for the selected VLAN. Web – Click IGMP Snooping, IGMP Immediate Leave. Figure 3-95 IGMP Immediate Leave CLI – This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status.
3 Configuring the Switch Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers. Figure 3-96 Displaying Multicast Router Port Information CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
3 Multicast Filtering Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply. Figure 3-97 Static Multicast Router Port Configuration CLI – This example configures port 11 as a multicast router port within VLAN 1.
3 Configuring the Switch Figure 3-98 IP Multicast Registration Table CLI – This example displays all the known multicast services supported on VLAN 1, along with the ports propagating the corresponding services. The Type field shows if this entry was learned dynamically or was statically configured. Console#show bridge 1 multicast vlan 1 VLAN M'cast IP addr. Member ports Type ---- --------------- ------------ ------1 224.1.1.12 Eth1/12 USER 1 224.1.2.
Multicast VLAN Registration 3 Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
3 Configuring the Switch Multicast Router Satellite Services Multicast Server Layer 2 Switch Source Port Service Network Receiver Ports Set-top Box PC TV Set-top Box TV General Configuration Guidelines for MVR 1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings” on page 3-162). 2.
Multicast VLAN Registration • • • • 3 receiver ports that have registered to receive data from that multicast group. (Default: Disabled) MVR Running Status – Indicates whether or not all necessary conditions in the MVR environment are satisfied. MVR VLAN – Identifier of the VLAN that serves as the channel for streaming multicast services using MVR. (Range: 1-4094; Default: 1) MVR Group IP – IP address for an MVR multicast group. The IP address range of 224.0.0.0 to 239.255.255.
3 Configuring the Switch • Oper Status – Shows the link status. • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface. • Immediate Leave – Shows if immediate leave is enabled or disabled. • Trunk Member12 – Shows if port is a trunk member.
3 Multicast VLAN Registration Web – Click MVR, Group IP Information. Figure 3-102 MVR Group IP Information CLI – This example following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN. Console#show mvr MVR Group IP ---------------225.0.0.1 225.0.0.2 225.0.0.3 225.0.0.4 225.0.0.5 225.0.0.6 225.0.0.7 225.0.0.8 225.0.0.9 225.0.0.
3 Configuring the Switch • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
3 Multicast VLAN Registration CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
3 Configuring the Switch CLI – This example statically assigns a multicast group to a receiver port. Console(config)#interface ethernet 1/2 Console(config-if)#mvr group 228.1.23.1 Console(config-if)# 4-211 DHCP Snooping DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
DHCP Snooping 3 If the DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table. Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
3 Configuring the Switch Web – Click DHCP Snooping, VLAN Configuration. Figure 3-106 DHCP Snooping VLAN Configuration CLI – This example first enables DHCP Snooping for VLAN 1. Console(config)#ip dhcp snooping vlan 1 Console(config)# 4-225 DHCP Snooping Information Option Configuration DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
DHCP Snooping 3 Web – Click DHCP Snooping, Information Option Configuration. Figure 3-107 DHCP Snooping Information Option Configuration CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace. Console(config)#ip dhcp snooping information option Console(config)#ip dhcp snooping information policy replace Console(config)# 4-227 4-228 DHCP Snooping Port Configuration Configures switch ports as trusted or untrusted.
3 Configuring the Switch CLI – This example shows how to enable the DHCP Snooping Trust Status for ports. Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust Console(config-if)# 4-226 DHCP Snooping Binding Information Displays the DHCP snooping binding information. Command Attributes • • • • • • • • No. – Entry number for DHCP snooping binding information. Unit – Stack unit. Port – Port number.
3 IP Source Guard IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-168). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.
3 Configuring the Switch CLI – This example shows how to enable IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)#end Console#show ip source-guard Interface Filter-type ------------------Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3 DISABLED Eth 1/4 DISABLED Eth 1/5 SIP Eth 1/6 DISABLED . . 4-219 4-222 Static IP Source Guard Binding Configuration Adds a static addresses to the source-guard binding table.
IP Source Guard 3 Web – Click IP Source Guard, Static Configuration. Figure 3-111 Static IP Source Guard Binding Configuration CLI – This example shows how to configure a static source-guard binding on port 5. Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 Console(config)# 4-221 Dynamic IP Source Guard Binding Information Displays the source-guard binding table for a selected interface.
3 Configuring the Switch Web – Click IP Source Guard, Dynamic Information. Figure 3-112 Dynamic IP Source Guard Binding Information CLI – This example shows how to configure a static source-guard binding on port 5. Console#show ip source-guard binding 4-222 MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- -------11-22-33-44-55-66 192.168.0.
3 Switch Clustering Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station. Note: Cluster Member switches can be managed through only using a Telnet connection to the Commander. From the Commander CLI prompt, use the “rcommand” command (see page 4-233) to connect to the Member switch.
3 Configuring the Switch CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool. Console(config)#cluster Console(config)#cluster commander Console(config)#cluster ip-pool 10.2.3.4 Console(config)# 4-231 4-231 4-232 Cluster Member Configuration Adds Candidate switches to the cluster as Members. Command Attributes • Member ID – Specify a Member ID number for the selected Candidate switch.
3 Switch Clustering • IP Address – The internal cluster IP address assigned to the Member switch. • MAC Address – The MAC address of the Member switch. • Description – The system description string of the Member switch. Web – Click Cluster, Member Information. Figure 3-115 Cluster Member Information CLI – This example shows information about cluster Member switches. Vty-0#sh cluster members Cluster Members: ID: 1 Role: Active member IP Address: 10.254.254.
3 Configuring the Switch Web – Click Cluster, Candidate Information. Figure 3-116 Cluster Candidate Information CLI – This example shows information about cluster Candidate switches.
Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
4 Command Line Interface Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask 255.255.255.0, consists of a network portion (10.1.
4 Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
4 Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
Entering Commands 4 Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
4 Command Line Interface current mode. The command classes and associated modes are displayed in the following table: Table 4-1 Command Modes Class Mode Exec Normal Privileged Configuration Global* Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
4 Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
4 Command Line Interface Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
Command Groups 4 Command Groups The system commands can be broken down into the functional groups shown below.
4 Command Line Interface CM (Class Map Configuration) GC (Global Configuration) IC (Interface Configuration) LC (Line Configuration) NE (Normal Exec) PE (Privileged Exec) PM (Policy Map Configuration) VC (VLAN Database Configuration) Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Line Commands 4 Default Setting There is no default line. Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
4 Command Line Interface - no login selects no authentication. When using this method, the management interface starts in Normal Exec (NE) mode. • This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
4 Line Commands Related Commands login (4-11) password-thresh (4-14) timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
4 Command Line Interface Default Setting CLI: No timeout Telnet: 10 minutes Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. • The timeout for Telnet cannot be disabled. • Using the command without specifying a timeout restores the default setting.
Line Commands 4 Example To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# Related Commands silent-time (4-15) timeout login response (4-13) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
4 Command Line Interface Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. Example To specify 7 data bits, enter this command: Console(config-line)#databits 7 Console(config-line)# Related Commands parity (4-16) parity This command defines the generation of a parity bit.
4 Line Commands speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps) Default Setting 9600 Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port.
4 Command Line Interface disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
General Commands 4 Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: 8 Parity: none Stopbits: 1 VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec console# General Commands Table 4-6 General Commands Command Function Mode Page enable Activates privileged mode NE disable Returns to norm
4 Command Line Interface Default Setting Level 15 Command Mode Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-27.) • The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
General Commands 4 configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration. See “Understanding Command Modes” on page 4-5.
4 Command Line Interface The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config). Console#!2 Console#config Console(config)# reload This command restarts the system.
General Commands 4 exit This command returns to the previous configuration mode or exit the configuration program. Default Setting None Command Mode Any Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username: quit This command exits the configuration program.
4 Command Line Interface System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.
System Management Commands 4 Example Console(config)#prompt RD2 RD2(config)# hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration Example Console(config)#hostname RD#1 Console(config)# User Access Commands The basic commands required for management access are listed in this section.
4 Command Line Interface username This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password} no username name • name - The name of the user. (Maximum length: 8 characters, case sensitive.
System Management Commands 4 enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password. Syntax enable password [level level] {0 | 7} password no enable password [level level] • level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.
4 Command Line Interface IP Filter Commands Table 4-11 IP Filter Commands Command Function management Configures IP addresses that are allowed management access GC Mode Page 4-28 show management Displays the switch to be monitored or configured from a browser 4-29 PE management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting.
System Management Commands 4 Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols.
4 Command Line Interface Web Server Commands Table 4-12 Web Server Commands Command Function Mode ip http port Specifies the port to be used by the web browser interface GC Page 4-30 ip http server Allows the switch to be monitored or configured from a browser GC 4-30 ip http secure-server Enables HTTPS for encrypted communications GC 4-31 ip http secure-port Specifies the UDP port number for HTTPS GC 4-32 ip http port This command specifies the TCP port number used by the web browser in
System Management Commands 4 Example Console(config)#ip http server Console(config)# Related Commands ip http port (4-30) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
4 Command Line Interface Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-32) copy tftp https-certificate (4-64) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number – The UDP port used for HTTPS.
System Management Commands 4 Telnet Server Commands Table 4-14 Telnet Server Commands Command Function Mode ip telnet port Specifies the port to be used by the Telnet interface GC Page 4-30 ip telnet server Allows the switch to be monitored or configured from Telnet GC 4-30 ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
4 Command Line Interface Related Commands ip telnet port (4-33) Secure Shell Commands The Berkley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
System Management Commands 4 The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-70.
4 Command Line Interface corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process: a. b. c. The client sends its public key to the switch. The switch compares the client's public key to those stored in memory. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client. The client uses its private key to decrypt the bytes, and sends the decrypted bytes back to the switch.
System Management Commands 4 ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
4 Command Line Interface Example Console(config)#ip ssh authentication-retires 2 Console(config)# Related Commands show ip ssh (4-40) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size – The size of server key.
System Management Commands 4 Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. • rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs. Command Mode Privileged Exec Command Usage • This command stores the host key pair in memory (i.e., RAM).
4 Command Line Interface Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command.
4 System Management Commands Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State 0 2.
4 Command Line Interface show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
System Management Commands 4 Event Logging Commands Table 4-17 Event Logging Commands Command Function Mode logging on Controls logging of error messages GC Page 4-43 logging history Limits syslog messages saved to switch memory based on severity GC 4-44 logging host Adds a syslog server host IP address that will receive logging messages GC 4-45 logging facility Sets the facility type for remote logging of syslog messages GC 4-45 logging trap Limits syslog messages saved to a remote se
4 Command Line Interface logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). • level - One of the levels listed below.
4 System Management Commands logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode Global Configuration Command Usage • By using this command more than once you can build up a list of host IP addresses. • The maximum number of host IP addresses allowed is five.
4 Command Line Interface logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging. Syntax logging trap [level] no logging trap level - One of the level arguments listed below. Messages sent include the selected level up through level 0. (Refer to the table on page 4-44.
System Management Commands 4 Related Commands show logging (4-47) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} • flash - Displays settings for storing event messages in flash memory (i.e., permanent memory). • ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
4 Command Line Interface The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.
System Management Commands 4 Example The following example shows sample messages stored in RAM. Console#show log ram [5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and [4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and [3] 00:00:54 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and [2] 00:00:50 2001-01-01 "STA topology change notification.
4 Command Line Interface Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handing. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
4 System Management Commands logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax [no] logging sendmail source-email email-address email-address - The source email address used in alert messages.
4 Command Line Interface logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------1. 192.168.1.
System Management Commands 4 Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
4 Command Line Interface Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current time: Dec 23 02:52:44 2002 Poll interval: 60 Current mode: unicast SNTP status: Enabled SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0 Current server: 10.1.0.19 Console# Related Commands sntp server (4-54) sntp poll (4-55) show sntp (4-55) sntp server This command sets the IP address of the servers to which SNTP time requests are issued.
4 System Management Commands sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests.
4 Command Line Interface clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • • • • • name - Name of timezone, usually an acronym. (Range: 1-29 characters) hours - Number of hours before/after UTC. (Range: 0-12 hours) minutes - Number of minutes before/after UTC. (Range: 0-59 minutes) before-utc - Sets the local time zone before (east) of UTC.
System Management Commands 4 Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, April 1st, 2004. Console#calendar set 15 12 34 1 April 2004 Console# show calendar This command displays the system clock.
4 Command Line Interface Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
System Management Commands 4 Related Commands show running-config (4-59) show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes.
4 Command Line Interface Example Console#show running-config building startup-config, please wait..... ! phymap 00-12-cf-ce-2a-20 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 ! SNTP server 0.0.0.0 0.0.0.0 0.0.0.
4 System Management Commands show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-10. • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example Console#show system System Description: ES3528M System OID String: 1.3.6.1.4.1.259.6.10.
4 Command Line Interface Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------admin 15 None guest 0 None steve 15 RSA Online users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------0 console admin 0:14:14 * 1 VTY 0 admin 0:00:00 192.168.1.19 2 SSH 1 steve 0:00:06 192.168.1.
4 System Management Commands Example Console#show version Unit1 Serial number: Service tag: Hardware version: Module A type: Module B type: Number of ports: Main power status: Redundant power status S416000937 R01 1000BaseT 1000BaseT 52 up :not present Agent (master) Unit ID: Loader version: Boot ROM version: Operation code version: 1 2.2.1.4 2.2.1.8 2.2.7.
4 Command Line Interface • Enabling jumbo frames will limit the maximum threshold for broadcast storm control to 64 packets per second. (See the switchport broadcast command on page 4-120.) • The current setting for jumbo frames can be displayed with the show system command (page 4-61). Example Console(config)#jumbo frame Console(config)# Flash/File Commands These commands are used to manage the system code or configuration files.
Flash/File Commands 4 • https-certificate - Copies an HTTPS certificate from an TFTP server to the switch. • public-key - Keyword that allows you to copy a SSH key from a TFTP server. (“Secure Shell Commands” on page 4-34) • unit - Keyword that allows you to copy to/from a unit. Default Setting None Command Mode Privileged Exec Command Usage • The system prompts for data required to complete the copy command.
4 Command Line Interface Example The following example shows how to upload the configuration settings to a file on the TFTP server: Console#copy file tftp Choose file type: 1. config: 2. opcode: <1-2>: 1 Source file name: startup TFTP server ip address: 10.1.0.99 Destination file name: startup.01 TFTP completed. Success. Console# The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming.
Flash/File Commands 4 This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch: Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1. RSA: 2. DSA: <1-2>: 1 Source file name: steve.pub Username: steve TFTP Download Success. Write to FLASH Programming. Success. Console# delete This command deletes a file or image.
4 Command Line Interface dir This command displays a list of files in flash memory. Syntax dir [unit:] {{boot-rom: | config: | opcode:} [:filename]} The type of file or image to display includes: • • • • • boot-rom - Boot ROM (or diagnostic) image file. config - Switch configuration file. opcode - Run-time operation code image file. filename - Name of the configuration file or code image. unit - Stack unit.
Flash/File Commands 4 whichboot This command displays which files were booted when the system powered up. Syntax whichboot [unit] unit - Stack unit. (Always unit 1) Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot file name ------------------------------------Unit1: D2218 V2271 Factory_Default_Config.
4 Command Line Interface Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-68) whichboot (4-69) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
4 Authentication Commands Command Mode Global Configuration Command Usage • RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. • RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
4 Command Line Interface Command Usage • RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. • RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
4 Authentication Commands radius-server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values. Syntax [no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key] • index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
4 Command Line Interface Command Mode Global Configuration Example Console(config)#radius-server port 181 Console(config)# radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
Authentication Commands 4 radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
4 Command Line Interface TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
4 Authentication Commands Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
4 Command Line Interface Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Authentication Commands 4 Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. • First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port.
4 Command Line Interface Table 4-32 802.
Authentication Commands 4 dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
4 Command Line Interface dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count. Syntax dot1x operation-mode {single-host | multi-host [max-count count]} no dot1x operation-mode [multi-host max-count] • single-host – Allows only a single host to connect to this port.
Authentication Commands 4 Command Mode Privileged Exec Example Console#dot1x re-authenticate Console# dot1x re-authentication This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication.
4 Command Line Interface dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds.
Authentication Commands 4 show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number. (Range: 1-52) Command Mode Privileged Exec Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.
4 Command Line Interface • 802.1X Port Details – Displays the port access control parameters for each interface, including the following items: - reauth-enabled – Periodic re-authentication (page 4-83). - reauth-period – Time after which a connected client must be re-authenticated (page 4-84). - quiet-period – Time a port waits after Max Request Count is exceeded before attempting to acquire a new client (page 4-83).
Authentication Commands 4 Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name 1/1 1/2 . . . 1/52 Status disabled enabled Operation Mode Single-Host Single-Host Mode ForceAuthorized auto Authorized n/a yes disabled Single-Host ForceAuthorized n/a 802.1X Port Details 802.1X is disabled on port 1/1 802.
4 Command Line Interface Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port. Access Control Lists An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria.
Access Control List Commands 4 IP ACLs Table 4-34 IP ACLs Command Function Mode access-list ip Creates an IP ACL and enters configuration mode GC Page permit, deny Filters packets matching a specified source IP address STD-ACL 4-90 permit, deny Filters packets meeting the specified criteria, including EXT-ACL source and destination IP address, TCP/UDP port number, and protocol type 4-90 4-89 show ip access-list Displays the rules for configured IP ACLs PE 4-92 ip access-group Adds a po
4 Command Line Interface Related Commands permit, deny 4-90 ip access-group (4-92) show ip access-list (4-92) permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} • • • • any – Any source IP address. source – Source IP address. bitmask – Decimal number representing the address bits to match.
Access Control List Commands 4 Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]] [no] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]] • • • • • • • • protocol-number – A specific protocol number.
4 Command Line Interface This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80 Console(config-ext-acl)# Related Commands access-list ip (4-89) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL.
Access Control List Commands 4 Command Usage • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
4 Command Line Interface access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode Global Configuration Command Usage • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
4 Access Control List Commands [no] {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]] [no] {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [no] {permit | deny} untagged-802.
4 Command Line Interface Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (4-94) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name – Name of the ACL.
4 Access Control List Commands Example Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if)# Related Commands show mac access-list (4-96) show mac access-group This command shows the ports assigned to MAC ACLs.
4 Command Line Interface Example Console#show access-list IP standard access-list david: permit host 10.1.1.21 permit 168.92.16.0 255.255.240.0 IP extended access-list bob: permit 10.7.1.1 255.255.255.0 any permit 192.168.1.0 255.255.255.0 any destination-port 80 80 IP access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 IP extended access-list A6: permit any any Console# show access-group This command shows the port assignments of ACLs.
SNMP Commands 4 Table 4-37 SNMP Commands (Continued) Command Function Mode Page snmp-server contact Sets the system contact string GC 4-101 snmp-server location Sets the system location string GC 4-101 snmp-server host Specifies the recipient of an SNMP notification operation GC 4-102 snmp-server enable traps Enables the device to send SNMP traps (i.e.
4 Command Line Interface Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command. Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2.
SNMP Commands 4 to both retrieve and modify MIB objects. Default Setting • public - Read-only access. Authorized management stations are only able to retrieve MIB objects. • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string.
4 Command Line Interface Default Setting None Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (4-101) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
SNMP Commands 4 Default Setting • Host Address: None • Notification Type: Traps • SNMP Version: 1 • UDP Port: 162 Command Mode Global Configuration Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
4 Command Line Interface • The switch can send SNMP Version 1, 2c or 3 notifications to a host IP address, depending on the SNMP version that the management station supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications. • If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name.
SNMP Commands 4 • The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 4-108). Example Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands snmp-server host (4-102) snmp-server engine-id This command configures an identification string for the SNMPv3 engine.
4 Command Line Interface • Trailing zeroes need not be entered to uniquely specify a engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 22 zeroes. • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 4-111).
SNMP Commands 4 snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) • oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.) • included - Defines an included view.
4 Command Line Interface show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile Row Status: active Console# Table 4-39 show snmp view - display description Field Description View Name Name of an SNMP view. Subtree OID A branch in the MIB tree.
SNMP Commands 4 Default Setting • • • • Default groups: public16 (read only), private17 (read/write) readview - Every object belonging to the Internet OID space (1.3.6.1). writeview - Nothing is defined. notifyview - Nothing is defined. Command Mode Global Configuration Command Usage • A group sets the access policy for the assigned users. • When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
4 Command Line Interface show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
SNMP Commands 4 Table 4-40 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry. snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View.
4 Command Line Interface Default Setting None Command Mode Global Configuration Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-105) to specify the engine ID for the remote device where the user resides.
SNMP Commands 4 show snmp user This command shows information on SNMP users.
4 Command Line Interface Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
4 Interface Commands Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
4 Command Line Interface Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
4 Interface Commands • If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example The following example configures port 11 to use autonegotiation. Console(config)#interface ethernet 1/11 Console(config-if)#negotiation Console(config-if)# Related Commands capabilities (4-117) speed-duplex (4-115) capabilities This command advertises the port capabilities of a given interface during autonegotiation.
4 Command Line Interface Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (4-116) speed-duplex (4-115) flowcontrol (4-118) flowcontrol This command enables flow control. Use the no form to disable flow control.
4 Interface Commands Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-116) capabilities (flowcontrol, symmetric) (4-117) shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled.
4 Command Line Interface switchport broadcast packet-rate This command configures broadcast storm control. Use the no form to disable broadcast storm control. Syntax switchport broadcast octet-rate rate no switchport broadcast rate - Threshold level as a rate; i.e., kilobits per second.
4 Interface Commands Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset. Example The following example clears statistics on port 5.
4 Command Line Interface Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: 100TX Mac address: 00-12-CF-12-34-61 Configuration: Name: Port admin: Up Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, Broadcast storm: Enabled Broadcast storm limit: 64 Kbits/second Flow control: Disabled Lacp: Disabled Port security: Disabled Max MAC count: 0 Port security action: None Current status: Link status: Up Port operation status: Up Operation sp
4 Interface Commands Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1 Ether-like stats: Alignment errors: 0, FCS errors: 0 Single Collision frames: 0, Multiple collision frames: 0
4 Command Line Interface Example This example shows the configuration setting for port 24.
Mirror Port Commands 4 Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 4-44 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session IC 4-125 show port monitor Shows the configuration for a mirror port PE 4-126 port monitor This command configures a mirror session. Use the no form to clear a mirror session.
4 Command Line Interface Example The following example configures the switch to mirror received packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) • unit - Stack unit. (Always unit 1) • port - Port number. (Range: 1-52) Default Setting Shows all sessions.
4 Rate Limit Commands Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity.
4 Command Line Interface Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
4 Link Aggregation Commands Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to eight ports. • The ports at both ends of a connection must be configured as trunk ports. • All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
4 Command Line Interface Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Link Aggregation Commands 4 Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
4 Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Port must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Once the remote side of a link has been established, LACP operational settings are already in use on that side.
Link Aggregation Commands 4 • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
4 Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side an aggregate link. • partner - The remote side of an aggregate link. • priority - LACP port priority is used to select a backup link.
4 Link Aggregation Commands Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------Eth 1/ 1 ------------------------------------------------------------------------LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 . . .
4 Command Line Interface Table 4-48 show lacp internal - display description Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Internal Number of seconds before invalidating received LACPDU information. LACP System Priority LACP system priority assigned to this port channel. LACP Port Priority LACP port priority assigned to this interface within the channel group.
Link Aggregation Commands Table 4-49 Field 4 show lacp neighbors - display description Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Port Number Current administrative value of the port number for the protocol Partner. Partner Oper Port Number Operational port number assigned to this aggregation port by the port’s protocol partner.
4 Command Line Interface Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
4 Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: • Static addresses will not be removed from the address table when a given interface link is down. • Static addresses are bound to the assigned interface and will not be moved.
4 Command Line Interface • sort - Sort by address, vlan or interface. Default Setting None Command Mode Privileged Exec Command Usage • The MAC Address Table contains the MAC addresses associated with each interface.
Address Table Commands 4 Example Console(config)#mac-address-table aging-time 100 Console(config)# show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 100 sec.
4 Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
4 Spanning Tree Commands spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
4 Command Line Interface - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
4 Spanning Tree Commands Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
4 Command Line Interface spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Spanning Tree Commands 4 Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
4 Command Line Interface spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs.
4 Spanning Tree Commands mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • vlan-range - Range of VLANs. (Range: 1-4094) Default Setting none Command Mode MST Configuration Command Usage • Use this command to group VLANs into spanning tree instances.
4 Command Line Interface Default Setting 32768 Command Mode MST Configuration Command Usage • MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Spanning Tree Commands 4 revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting 0 Command Mode MST Configuration Command Usage The MST region name (page 4-150) and revision number are used to designate a unique MST region. A bridge (i.e.
4 Command Line Interface specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example Console(config-mstp)#max-hops 30 Console(config-mstp)# spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface. Use the no form to reenable the spanning tree algorithm for the specified interface.
4 Spanning Tree Commands • Fast Ethernet – half duplex: 200,000; full duplex: 100,000; trunk: 50,000 • Gigabit Ethernet – full duplex: 10,000; trunk: 5,000 • 10 Gigabit Ethernet – full duplex: 1000; trunk: 500 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command is used by the Spanning Tree Algorithm to determine the best path between devices.
4 Command Line Interface Related Commands spanning-tree cost (4-152) spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
Spanning Tree Commands 4 Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. • Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
4 Command Line Interface • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Spanning Tree Commands 4 Example Console(config)#interface ethernet ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50 Console(config-if)# Related Commands spanning-tree mst port-priority (4-157) spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
4 Command Line Interface spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number.
Spanning Tree Commands 4 Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
4 Command Line Interface --------------------------------------------------------------Eth 1/ 1 information --------------------------------------------------------------Admin status: enable Role: root State: forwarding External admin path cost: 10000 Internal admin cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000 Priority: 128 Designated cost: 200000 Designated port: 128.24 Designated root: 32768.0.0000ABCD0000 Designated bridge: 32768.0.
VLAN Commands 4 VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
4 Command Line Interface bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
VLAN Commands 4 switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/6 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit.
4 Command Line Interface garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} • {join | leave | leaveall} - Which timer to set. • timer_value - Value of timer.
VLAN Commands 4 Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number. (Range: 1-52) • port-channel channel-id (Range: 1-8) Default Setting Shows all GARP timers.
4 Command Line Interface Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
4 VLAN Commands Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
4 Command Line Interface Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-119) switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default.
VLAN Commands 4 switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. • tagged - The port only receives tagged frames.
4 Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Ingress filtering only affects tagged frames. • With ingress filtering enabled, a port will discard received frames tagged for VLANs for it which it is not a member. • Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STA. However, they do affect VLAN dependent BPDU frames, such as GMRP.
VLAN Commands 4 switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged. Setting a VLAN untagged will also change the native VLAN of the port to this VLAN.
4 Command Line Interface Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged Console(config-if)# switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
4 VLAN Commands Displaying VLAN Information Table 4-57 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-173 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-121 show interfaces switchport Displays the administrative and operational status of an interface NE, PE 4-123 show vlan This command shows VLAN information.
4 Command Line Interface Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/ secondary associated groups, and stand-alone isolated VLANs.
4 VLAN Commands 3. Use the switchport mode private-vlan command to configure ports as promiscuous (i.e., having access to all ports in the primary VLAN) or host (i.e., community port). 4. Use the switchport private-vlan host-association command to assign a port to a secondary VLAN. 5. Use the switchport private-vlan mapping command to assign a port to a primary VLAN. 6. Use the show vlan private-vlan command to verify your configuration settings. To configure isolated VLANs, follow these steps: 1.
4 Command Line Interface an associated “primary” VLAN that contains promiscuous ports. When using an isolated VLAN, it must be configured to contain a single promiscuous port. • Port membership for private VLANs is static. Once a port has been assigned to a private VLAN, it cannot be dynamically moved to another VLAN via GVRP. • Private VLAN ports cannot be set to trunked mode. (See “switchport mode” on page 4-168.
4 VLAN Commands switchport mode private-vlan Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting. Syntax switchport mode private-vlan {host | promiscuous} no switchport mode private-vlan • host – This port type can subsequently be assigned to a community or isolated VLAN. • promiscuous – This port type can communicate with all other promiscuous ports in the same primary VLAN, as well as with all the ports in the associated secondary VLANs.
4 Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN.
4 VLAN Commands switchport private-vlan mapping Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. Syntax switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4094, no leading zeroes).
4 Command Line Interface Example Console#show vlan private-vlan Primary Secondary Type -------- ----------- ---------5 primary 5 6 community 0 8 isolated Console# Interfaces -----------------------------Eth1/ 3 Eth1/ 4 Eth1/ 5 Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
4 VLAN Commands no protocol-vlan protocol-group group-id • group-id - Group identifier of this protocol group. (Range: 1-2147483647) • frame1 - Frame type used by this protocol. (Options: ethernet, rfc_1042, llc_other) • protocol - Protocol type. The only option for the llc_other frame type is ipx_raw. The options for all other frames types include: ip, ipv6, arp, rarp, and user-defined (0801-FFFF hexadecimal). Default Setting No protocol groups are configured.
4 Command Line Interface • When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: - If the frame is tagged, it will be processed according to the standard rules applied to tagged frames. - If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
4 Priority Commands - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Default Setting The mapping for all interfaces is displayed.
4 Command Line Interface Table 4-61 Priority Commands (Layer 2) Command Function show queue cos-map Shows the class-of-service map show interfaces switchport Displays the administrative and operational status of an interface Mode Page PE 4-188 PE 4-123 queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value.
4 Priority Commands Syntax switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority. Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero.
4 Command Line Interface Syntax queue bandwidth weight1...weight4 no queue bandwidth weight1...weight4 - The ratio of weights for queues 0-3 determines the weights used by the WRR scheduler. (Range: 1-31) Default Setting Weights 1, 2, 4, 8 are assigned to queues 0-3 respectively. Command Mode Global Configuration Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights.
4 Priority Commands Default Setting This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
4 Command Line Interface show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting None Command Mode Privileged Exec Example Console#show queue bandwidth Queue ID Weight -------- -----0 1 1 2 2 4 3 8 Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number.
Priority Commands 4 Priority Commands (Layer 3 and 4) Table 4-63 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip dscp Enables IP DSCP class of service mapping GC 4-189 map ip dscp Maps IP DSCP value to a class of service IC 4-189 show map ip dscp Shows the IP DSCP map PE 4-190 map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping.
4 Command Line Interface Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 4-64 IP DSCP to CoS Vales IP DSCP Value CoS Value 0 0 8 1 10, 12, 14, 16 2 18, 20, 22, 24 3 26, 28, 30, 32, 34, 36 4 38, 40, 42 5 48 6 46, 56 7 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority.
Quality of Service Commands 4 Default Setting None Command Mode Privileged Exec Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --Eth 1/ 1 0 0 Eth 1/ 1 1 0 Eth 1/ 1 2 0 Eth 1/ 1 3 0 . . .
4 Command Line Interface Table 4-65 Quality of Service Commands Command Function Mode Page show policy-map Displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations PE 4-199 show policy-map interface Displays the configuration of all classes configured for all service policies on the specified interface PE 4-199 To create a service policy for a specific category of ingress traffic, follow these steps: 1. 2. 3. 4.
Quality of Service Commands 4 Command Usage • First enter this command to designate a class map and enter the Class Map configuration mode. Then use the match command (page 4-193) to specify the criteria for ingress traffic that will be classified under this class map. • Up to 16 match commands are permitted per class map.
4 Command Line Interface This example creates a class map called “rd_class#1,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd_class#1_ match-any Console(config-cmap)#match ip dscp 3 Console(config-cmap)# This example creates a class map call “rd_class#2,” and sets it to match packets marked for IP Precedence service value 5: Console(config)#class-map rd_class#2 match-any Console(config-cmap)#match ip precedence 5 Console(config-cmap)# This example creates a cl
Quality of Service Commands 4 Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
4 Command Line Interface Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
Quality of Service Commands 4 police This command defines an policer for classified traffic. Use the no form to remove a policer. Syntax [no] police rate-kbps burst-byte [exceed-action {drop | set}] • rate-kbps - Rate in kilobits per second. (Range: 1-100000 kbps or maximum port speed, whichever is lower) • burst-byte - Burst in bytes. (Range: 64-1522 bytes) • drop - Drop packet when specified rate or burst are exceeded. • set - Set DSCP service to the specified value.
4 Command Line Interface service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name • input - Apply to the input traffic. • policy-map-name - Name of the policy map for this interface. (Range: 1-16 characters) Default Setting No policy map is attached to an interface.
Quality of Service Commands 4 Example Console#show class-map Class Map match-any rd_class#1 Match ip dscp 3 Class Map match-any rd_class#2 Match ip precedence 5 Class Map match-any rd_class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] • policy-map-name - Name of the policy map.
4 Command Line Interface Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
4 Multicast Filtering Commands ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port.
4 Command Line Interface ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2} no ip igmp snooping version • 1 - IGMP Version 1 • 2 - IGMP Version 2 Default Setting IGMP Version 2 Command Mode Global Configuration Command Usage • All systems on the subnet must support the same version.
Multicast Filtering Commands 4 • The leave-proxy feature does not function when a switch is set as the querier. Example Console(config)#ip igmp snooping leave-proxy Console(config)# ip igmp snooping immediate-leave This command enables IGMP immediate leave for specific VLAN. Use the no form to disable the feature for a VLAN.
4 Command Line Interface Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping Service status: Enabled Querier status: Enabled Leave proxy status: Disabled Query count: 10 Query interval: 100 sec Query max response time: 20 sec Router port expire time: 300 sec Immediate Leave Processing: Disabled on all VLAN IGMP snooping version: Version 2 Console# show mac-address-table multicast This command shows known multicast addresses.
Multicast Filtering Commands 4 IGMP Query Commands (Layer 2) Table 4-68 IGMP Query Commands (Layer 2) Command Function ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC Mode 4-205 Page ip igmp snooping query-count Configures the query count GC 4-205 ip igmp snooping query-interval Configures the query interval GC 4-206 ip igmp snooping query-max-response-time Configures the report delay GC 4-207 ip igmp snooping router-port-expire-time Configures
4 Command Line Interface Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-maxresponse-time.
4 Multicast Filtering Commands ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default. Syntax ip igmp snooping query-max-response-time seconds no ip igmp snooping query-max-response-time seconds - The report delay advertised in IGMP queries. (Range: 5-25) Default Setting 10 seconds Command Mode Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect.
4 Command Line Interface Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect.
Multicast Filtering Commands 4 Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
4 Command Line Interface Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers. This can significantly reduce to processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN.
Multicast Filtering Commands 4 Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group. • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
4 Command Line Interface Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering. • MVR receiver ports cannot be members of a trunk. Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN. IGMP snooping can be used to allow a receiver port to dynamically join or leave multicast groups within the MVR VLAN.
4 Multicast Filtering Commands show mvr This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword. Syntax show mvr [interface [interface] | members [ip-address]] • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
4 Command Line Interface The following displays information about the interfaces attached to the MVR VLAN: Console#show mvr interface Port Type Status ------- -------------------eth1/1 SOURCE ACTIVE/UP eth1/2 RECEIVER ACTIVE/UP eth1/5 RECEIVER INACTIVE/DOWN eth1/6 RECEIVER INACTIVE/DOWN eth1/7 RECEIVER INACTIVE/DOWN Console# Table 4-72 Immediate Leave --------------Disable Disable Disable Disable Disable show mvr interface - display description Field Description Port Shows interfaces attached to th
IP Interface Commands 4 IP Interface Commands An IP addresses may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to a establish a default gateway between this device and management stations or other devices that exist on another network segment.
4 Command Line Interface • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask). • You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch.
IP Interface Commands 4 ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. • DHCP requires the server to reassign the client’s last address if available.
4 Command Line Interface show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-216) ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [size size] [count count] • host - IP address or IP alias of the host. • size - Number of bytes in a packet.
IP Source Guard Commands 4 Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms Ping statistics for 10.1.0.
4 Command Line Interface • sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table. Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
4 IP Source Guard Commands yet configured, the switch will drop all IP traffic on that port, except for DHCP packets. Example This example enables IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)# Related Commands ip source-guard binding (4-221) ip dhcp snooping (4-223) ip dhcp snooping vlan (4-225) ip source-guard binding This command adds a static address to the source-guard binding table.
4 Command Line Interface - If there is no entry with same VLAN ID and MAC address, a new entry is added to binding table using the type of static IP source guard binding. - If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
4 DHCP Snooping Commands Example Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- --------11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console# DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
4 Command Line Interface Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
DHCP Snooping Commands 4 • Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (ip dhcp snooping trust, page 4-226). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place.
4 Command Line Interface Example This example enables DHCP snooping for VLAN 1. Console(config)#ip dhcp snooping vlan 1 Console(config)# Related Commands ip dhcp snooping (4-223) ip dhcp snooping trust (4-226) ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting.
DHCP Snooping Commands 4 ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
4 Command Line Interface • When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN. • DHCP snooping must be enabled on the switch for the DHCP Option 82 information to be inserted into packets. Example This example enables the DHCP Snooping Information Option.
4 DHCP Snooping Commands ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mode Global Configuration Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
4 Command Line Interface show ip dhcp snooping binding This command shows the DHCP snooping binding table entries. Command Mode Privileged Exec Example Console#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- --------11-22-33-44-55-66 192.168.0.
4 Switch Cluster Commands cluster This command enables clustering on the switch. Use the no form to disable clustering. Syntax [no] cluster Default Setting Enabled Command Mode Global Configuration Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.
4 Command Line Interface to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch. Example Console(config)#cluster commander Console(config)# cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start 10.x.x.x. Default Setting 10.254.254.
Switch Cluster Commands 4 member-id - The ID number to assign to the Member switch. (Range: 1-36) Default Setting No Members Command Mode Global Configuration Command Usage • The maximum number of cluster Members is 36. • The maximum number of switch Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration.
4 Command Line Interface show cluster This command shows the switch clustering configuration. Command Mode Privileged Exec Example Console#show cluster Role: Interval heartbeat: Heartbeat loss count: Number of Members: Number of Candidates: Console# commander 30 3 1 2 show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example Console#show cluster members Cluster Members: ID: 1 Role: Active member IP Address: 10.254.254.
Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security Access Control Lists IP, MAC; 100 rules per system DHCP Client Port Configuration 100BASE-TX: 10/100 Mbps, half/full duplex 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/LH - 1000 Mbps at full duplex (SFP) Flow Control Full Duplex: IEEE 802.
A Software Specifications Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts DHCP Snooping IP Source Guard Switch Clustering Management Features In-Band Management Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 DB-9 console port Software Loading TFTP in-band or
Management Information Bases A RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 2571) SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415) SNTP (RFC 2030) SSH (Version 2.
A A-4 Software Specifications
Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, • Be sure the switch is powered up. web browser, or SNMP • Check network cabling between the management station and the switch. software • Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
B Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Designate the SNMP host that is to receive the error messages. 4. Repeat the sequence of commands or other actions that lead up to the error. 5.
Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.
Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
Glossary Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
Glossary Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN. XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
Index Numerics 802.
Index H hardware version, displaying 3-11, 4-62 HTTPS 3-49, 4-31 HTTPS, secure server 3-49, 4-31 logon authentication 3-44, 4-70 RADIUS client 4-72 RADIUS server 4-72 TACACS+ client 3-46, 4-76 TACACS+ server 3-46, 4-76 logon authentication, sequence 3-47, 4-70, 4-71 I IEEE 802.1D 3-101, 4-143 IEEE 802.1s 4-143 IEEE 802.1w 3-101, 4-143 IEEE 802.
Index port, statistics 3-94, 4-122 ports autonegotiation 3-77, 4-116 broadcast storm threshold 3-90, 4-120 capabilities 3-77, 4-117 duplex mode 3-77, 4-115 flow control 3-77, 4-118 speed 3-77, 4-115 ports, configuring 3-74, 4-114 ports, mirroring 3-92, 4-125 primary VLAN 3-132 priority, default port ingress 3-139, 4-184 private VLANs, configuring 3-132, 4-174 problems, troubleshooting B-1 promiscuous ports 3-131, 4-174 protocol migration 3-112, 4-158 PVLAN association 3-134 community ports 3-131, 4-174 inte
Index 3-129, 4-171 creating 3-125, 4-166 description 3-119, 3-139 displaying basic information 3-123, 4-162 displaying port members 3-123, 4-173 egress mode 3-130, 4-168 interface configuration 3-130, 4-169–4-172 private 3-131, 3-137, 4-174 protocol 4-180 time, setting 3-31, 4-53 traffic class weights 3-143, 4-185 trap manager 2-7, 3-34, 4-102 troubleshooting B-1 trunk configuration 3-79, 4-128 LACP 3-81, 4-130 static 3-80, 4-129 U upgrading software 3-18 user password 3-44, 4-26, 4-27 V VLANs 3-119–3-13
ES3528M ES3552M E092006-MT-R02 149100010700H
