Powered by Accton ES3528M-PoE Fast Ethernet Switch Management Guide www.edge-core.
Management Guide Fast Ethernet Switch Layer 2 Workgroup Switch with Power over Ethernet, 26 10/100BASE-T (RJ-45) Ports, and 2 Combination Gigabit (RJ-45/SFP) Ports
ES3528M-PoE E112008/ST-R01 F1.1.0.
About This Guide

Purpose
This guide gives specific information on how to operate and use the management functions of the switch.

Audience
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment. The Fast Ethernet ports on this switch also support the IEEE 802.
Table 1-1 Key Features (Continued)
Feature | Description
Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs | Up to 255 using IEEE 802.
Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.

Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, or TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type).
Store-and-Forward Switching – This switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, this switch provides 1 Mbits for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
Note: This switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093) is reserved for switch clustering.

Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict priority or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application.
Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings. Media Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches. The LLDP-MED TLVs advertise information such as network policy, power, inventory, and device location details.
Table 1-2 System Defaults (Continued)
Function | Parameter | Default
Web Management | HTTP Server | Enabled
Web Management | HTTP Port Number | 80
Web Management | HTTP Secure Server | Enabled
Web Management | HTTP Secure Port Number | 443
SNMP | SNMP Agent | Enabled
SNMP | Community Strings | “public” (read only), “private” (read/write)
SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled
SNMP | SNMP V3 | View: defaultview; Group: public (read only), private (read/write)
Port Configuration | Admin Status | Enabled
Port Configuration | Auto-negotiation | Enabled
F
Table 1-2 System Defaults (Continued)
Function | Parameter | Default
Traffic Prioritization | Ingress Port Priority | 0
Traffic Prioritization | Weighted Round Robin | Queue: 0 1 2 3; Weight: 1 2 4 8
Traffic Prioritization | IP DSCP Priority | Disabled
 | IP Address | DHCP assigned
 | Subnet Mask | 255.255.255.0
 | Default Gateway | 0.0.0.
Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options
This switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
• Configure up to 8 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics

Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.

Note: This switch supports four concurrent Telnet/SSH sessions.
Setting Passwords
Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them, and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.

To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network

To assign an IP address to the switch, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.
3. Type “end” to return to the Privileged Exec mode. Press Enter.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
IP Address and Netmask: 192.168.1.
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps:
1.
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
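As an added example (not from this guide and not Edge-core's code), the following Python script audits a saved `show running-config` dump for the management defaults that Table 1-2 and the community-string section above tell you to change: the “public”/“private” SNMP community strings, the plaintext HTTP and Telnet management servers, and the absence of a remote syslog host. Both sample configurations are constructed here; the argument syntax of their lines (`ro`/`rw`, `access-level`, the `logging trap` level) is assumed rather than taken from the page, and 192.0.2.10 is a documentation-range placeholder address.

```python
import re

# Constructed sample of a trimmed `show running-config` dump with the
# Table 1-2 management defaults still in place. Line syntax such as
# "ro"/"rw" and "access-level" is assumed, not taken from the guide.
WEAK_RUNNING_CONFIG = """\
!
hostname Console
snmp-server community public ro
snmp-server community private rw
snmp-server enable traps authentication link-up-down
ip http server
ip http secure-server
ip telnet server
ip ssh server
username admin access-level 15 password 7 1234567890abcdef
!
"""

# The same switch after the community strings were replaced, the plaintext
# management services disabled, and a remote syslog host configured.
# (192.0.2.10 is a documentation-range address used as a placeholder.)
HARDENED_RUNNING_CONFIG = """\
!
hostname Console
snmp-server community Rd0nlyX9q2 ro
snmp-server community Rw7kLm3pZa rw
no ip http server
ip http secure-server
no ip telnet server
ip ssh server
logging host 192.0.2.10
logging trap 6
!
"""

# Community strings this guide lists as factory defaults (Table 1-2).
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_running_config(text):
    """Return the non-empty, non-comment lines of a running-config dump."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def audit_running_config(text):
    """Return sorted finding codes for management settings left at weak defaults."""
    lines = parse_running_config(text)
    findings = set()

    # Any community string still equal to a factory default is a finding.
    for line in lines:
        m = re.match(r"^snmp-server community (\S+)", line)
        if m and m.group(1) in DEFAULT_COMMUNITIES:
            findings.add(f"SNMP_DEFAULT_COMMUNITY:{m.group(1)}")

    # Exact matches on purpose: a disabled service shows as "no ip telnet server".
    if "ip telnet server" in lines:
        findings.add("TELNET_ENABLED")
    if "ip http server" in lines:
        findings.add("HTTP_PLAINTEXT_ENABLED")

    # Without a logging host, events survive only in the switch's own RAM/flash log.
    if not any(ln.startswith("logging host ") for ln in lines):
        findings.add("NO_REMOTE_SYSLOG")

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_RUNNING_CONFIG),
                      ("hardened", HARDENED_RUNNING_CONFIG)):
        print(name, audit_running_config(cfg) or ["no findings"])
```

Run it against a dump captured over the console port or SSH; the weak sample reports all five findings and the hardened sample none. The checks are string matches on the CLI syntax assumed above, so adjust the patterns if your firmware prints these lines differently.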
Due to the size limit of the flash memory, the switch supports only one operation code file. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. Transferring a new operation code file to the switch will overwrite the existing file. In the system flash memory, one file of each type must be set as the start-up file.
Configuring Power over Ethernet
This switch supports the IEEE 802.3af Power-over-Ethernet (PoE) standard that enables DC power to be supplied to attached devices over the wire pairs in the connecting Ethernet cable. Any 802.3af compliant device attached to a port can directly draw power from the switch over the Ethernet cable without requiring its own separate power source.
Chapter 3: Configuring the Switch

Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3-1 Configuration Options
Button | Action
Revert | Cancels specified values and restores current values prior to pressing Apply.
Apply | Sets specified values to the system.
Help | Links directly to webhelp.

Notes: 1.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Main Menu (Continued)
Menu | Description | Page
SNMPv3 | | 3-46
Engine ID | Sets the SNMP v3 engine ID on this switch | 3-46
Remote Engine ID | Sets the SNMP v3 engine ID for a remote device | 3-47
Users | Configures SNMP v3 users on this switch | 3-48
Remote Users | Configures SNMP v3 users from a remote device | 3-50
Groups | Configures SNMP v3 groups | 3-52
Views | Configures SNMP v3 views | 3-55
Security | | 3-57
User Accounts | Assigns a new password for the current user |
Authentication Setti
Port Security | Configures per port security, including status, response for security breach, and maximum allowed MAC addresses | 3-89
802.1X | | 3-98
Information | Displays global configuration settings for 802.
Port Neighbors Information | Displays settings and operational state for the remote side | 3-144
Port Broadcast Control | Sets the broadcast storm threshold for each port | 3-146
Trunk Broadcast Control | Sets the broadcast storm threshold for each trunk | 3-146
Mirror Port Configuration | Sets the source and target ports for mirroring | 3-148
Input Port Configuration | Sets the input rate limit for each port | 3-149
Input Trunk Configuration
MSTP | | 3-178
VLAN Configuration | Configures priority and VLANs for a spanning tree instance | 3-178
Port Information | Displays port settings for a specified MST instance | 3-181
Trunk Information | Displays trunk settings for a specified MST instance | 3-181
Port Configuration | Configures port settings for a specified MST instance | 3-183
Trunk Configuration | Configures trunk settings for a specified MST instance | 3-183
VLAN | | 3-184
Port Configuration | Sets the private VLAN interface type, and associates the interfaces with a private VLAN | 3-210
Trunk Information | Shows VLAN port type, and associated primary or secondary VLANs | 3-209
Trunk Configuration | Sets the private VLAN interface type, and associates the interfaces with a private VLAN | 3-210
Protocol VLAN | | 3-211
Configuration | Configures protocol VLANs | 3-212
System Configuration | Configures protocol VLAN
QoS | | 3-237
DiffServ | | 3-237
Class Map | Sets Class Maps | 3-238
Policy Map | Sets Policy Maps | 3-240
Service Policy | Defines service policy settings for ports | 3-243
VoIP Traffic Setting | | 3-244
Configuration | VoIP Traffic Setting Configuration | 3-244
Port Configuration | Configures VoIP Traffic Settings for ports | 3-245
OUI Configuration | Defines OUI settings | 3-247
IGMP Snooping | |
IGMP Configuration | Enables multicas | 3-250
Trunk Configuration | Configures MVR interface type and immediate leave status | 3-268
Group Member Configuration | Statically assigns MVR multicast streams to an interface | 3-270
DHCP Snooping | | 3-115
Configuration | Enables DHCP Snooping and DHCP Snooping MAC-Address Verification |
VLAN Configuration | Enables DHCP Snooping for a VLAN | 3-117
Information Option Configuration | Enables DHCP Snooping Information Option | 3-118
Port Configuration | Se
Basic Configuration
This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system.

Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.

Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.
Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3 System Information

CLI – Specify the hostname, location and contact information.
Displaying Switch Hardware/Software Versions
Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Field Attributes
Main Board
• Serial Number – The serial number of the switch.
• Number of Ports – Number of built-in RJ-45 ports.
• Hardware Version – Hardware version of the main board.
• Internal Power Status – Displays the status of the internal power supply.
CLI – Use the following command to display version information (show version, page 4-32).

Console#show version
Unit 1
 Serial Number:          A622016012
 Hardware Version:       R01
 EPLD Version:           0.02
 Number of Ports:        28
 Main Power Status:      Up
 Redundant Power Status: Not present
Agent (Master)
 Unit ID:                1
 Loader Version:         1.0.0.1
 Boot ROM Version:       1.0.0.9
 Operation Code Version: 1.1.0.
Displaying Bridge Extension Capabilities
The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.

Field Attributes
• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
CLI – Enter the following command (show bridge-ext, page 4-242).

Console#show bridge-ext
 Max support VLAN numbers:              256
 Max support VLAN ID:                   4094
 Extended multicast filtering services: No
 Static entry individual port:          Yes
 VLAN learning:                         IVL
 Configurable PVID tagging:             Yes
 Local VLAN capable:                    No
 Traffic classes:                       Enabled
 Global GVRP status:                    Disabled
 GMRP:                                  Disabled
Console#

Setting the Switch’s IP Address
This section describes how to configure an IP interface for management access over the network.
Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.

Figure 3-6 Manual IP Configuration

CLI – Specify the management interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.54 255.255.255.
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.

CLI – Enter the following command to restart DHCP service.
Managing Firmware
You can upload/download firmware to or from a TFTP server. Just specify the method of file transfer, along with the file type and file names as required. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. Only one copy of the system software (i.e., the runtime firmware) can be stored in the file directory.
Downloading System Software from a Server
When downloading runtime code, the new operation code file will overwrite the existing file. Versions of the code prior to 1.1.0.10 require the operation code file being transferred to have the same destination file name as the existing code file for the transfer to succeed.

Web – Click System, File Management, Copy Operation.
CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has finished downloading, restart the switch for the new code to take effect. To start the new firmware, enter the “reload” command or reboot the system.

Console#copy tftp file
TFTP server ip address: 192.168.1.23
Choose file type: 1. config: 2. opcode: 4. diag: 5.
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File Management, Copy Operation.
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 baud)
• Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
• Password1 – Specifies a password for the line connection.
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
• Password2 – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
• Login2 – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts.
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displaying a list of recent event messages.
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.
Figure 3-15 System Logs
CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Figure 3-16 Remote Logs
CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.
Console(config)#logging host 192.168.1.
Displaying Log Messages
The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Web – Click System, Log, Logs.
Figure 3-17 Displaying Logs
CLI – This example shows the event messages stored in RAM.
Console#show log ram
[1] 00:00:27 2001-01-01 "VLAN 1 link-up notification.
configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7)
• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
• SMTP Server – Specifies a new SMTP server address to add to the SMTP Server List.
CLI – Enter the host IP address, followed by the mail severity level and the source and destination email addresses, then enter the sendmail command to complete the action. Use the show logging command to display SMTP information.
Console(config)#logging sendmail host 192.168.1.4
Console(config)#logging sendmail level 3
Console(config)#logging sendmail source-email big-wheels@matel.com
Console(config)#logging sendmail destination-email chris@matel.
Web – Click System, Reset. Enter the amount of time the switch should wait before rebooting. Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset. If prompted, confirm that you want to reset the switch or cancel a configured reset.
Figure 3-19 Resetting the System
CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch.
Setting the Time Manually
You can set the system time on the switch manually without using SNTP.
CLI – This example sets the system clock time and then displays the current time and date.
Console#calendar set 17 46 00 october 18 2008
Console#show calendar
17:46:11 October 18 2008
Console#
Configuring SNTP
You can configure the switch to send time synchronization requests to time servers.
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.
Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and click Apply.
Figure 3-21 NTP Client Configuration
CLI – This example configures the switch to operate as an NTP client and then displays the current settings.
Console(config)#ntp authentication-key 19 md5 thisiskey19
Console(config)#ntp authentication-key 30 md5 ntpkey30
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.4.
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Simple Network Management Protocol
SNMP is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Simple Network Management Protocol 3
Table 3-4 SNMPv3 Security Models and Levels
Model | Level | Group | Read View | Write View | Notify View | Security
v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v1 | noAuthNoPriv | private (read/write) | defaultview | defaultview | none | Community string only
v1 | noAuthNoPriv | user defined | user defined | user defined | user defined | Community string only
v2c | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v2c | noAu
Setting Community Access Strings
You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Command Attributes
• SNMP Community Capability – The switch supports up to five community strings.
Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
top of the SNMP Configuration page (for Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive)
• Trap UDP Port – Specifies the UDP port number used by the trap manager. (Default: 162)
• Trap Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed first before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
4.
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent.
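The localization step mentioned above (and again under "Configuring Remote SNMPv3 Users" below) is the USM password-to-key algorithm of RFC 3414: the password is stretched and hashed into Ku, then Ku is hashed together with the engine ID to produce the localized key Kul. This is why the remote engine ID must be known before a remote user can be configured, and why a password shared across agents still yields a different key on each. The following Python script is an added worked example, not code from the guide or from the switch firmware; it uses the RFC 3414 Appendix A test vector (password "maplesyrup", engine ID 00…02) as constructed input and relies only on the standard library.

```python
import hashlib

# Test vector from RFC 3414 Appendix A (constructed input for this example,
# not a value taken from the switch manual).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_PASSWORD = "maplesyrup"

# Hash functions defined for USM password-to-key in RFC 3414.
USM_HASHES = ("md5", "sha1")


def password_to_key(password: str, algorithm: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes).

    The stretching step makes each offline guess cost a 1 MiB hash instead of
    a single block; it does not depend on the engine ID.
    """
    if algorithm not in USM_HASHES:
        raise ValueError(f"unsupported USM hash: {algorithm}")
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("USM password must not be empty")
    stretched = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(algorithm, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).

    Mixing in the engine ID ties the key to one authoritative agent, so a key
    recovered from one device cannot be replayed against another.
    """
    if algorithm not in USM_HASHES:
        raise ValueError(f"unsupported USM hash: {algorithm}")
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets (RFC 3411)")
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id: bytes, algorithm: str = "md5") -> str:
    """Password -> Ku -> Kul for the given engine, returned as lowercase hex."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm).hex()


def keys_differ_per_engine(password: str, engine_a: bytes, engine_b: bytes) -> bool:
    """True when the same password localizes to different keys on two engines."""
    return localized_key_hex(password, engine_a) != localized_key_hex(password, engine_b)


if __name__ == "__main__":
    print("MD5  Kul:", localized_key_hex(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "md5"))
    print("SHA1 Kul:", localized_key_hex(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "sha1"))
```

Running the script reproduces the RFC's published localized keys for MD5 and SHA-1. The same functions apply to the privacy key, which USM derives from the same password-to-key output.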
Configuring SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Command Attributes
• User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
• Group Name – The name of the SNMP group to which the user is assigned.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Figure 3-29 Configuring Remote SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Command Attributes
• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
• Model – The user security model; SNMP v1, v2c or v3.
Table 3-5 Supported Notification Messages (Continued)
Object Label | Object ID | Description
linkDown* | 1.3.6.1.6.3.1.1.5.3 | A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus.
linkUp* | 1.3.6.1.6.3.1.1.5.
Table 3-5 Supported Notification Messages (Continued)
Object Label | Object ID | Description
pethMainPowerUsageOnNotification | 1.3.6.1.4.1.259.8.1.8.1.103.173.2.1.0.45 | This notification indicates that the PSE Threshold usage indication is on; the power usage is above the threshold.
pethMainPowerUsageOffNotification | 1.3.6.1.4.1.259.8.1.8.1.103.173.2.1.0.46 | This notification indicates that the PSE Threshold usage indication is off; the power usage is below the threshold.
CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.
Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview
Console(config)#exit
Console#show snmp group
. . .
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings. To delete a view, check the box next to the view name, then click Delete.
User Authentication 3
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active
View Name: readaccess
Subtree OID: 1.3.6.1.
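To make the view semantics concrete, the following Python class is an added example (not code from the guide or the switch) of how an agent decides whether an OID falls inside a view built from included and excluded subtrees with wildcard arcs, in the spirit of the RFC 3415 vacmViewTreeFamilyTable: every configured subtree is matched arc by arc ("*" matches any arc), and the longest matching subtree decides. The view names ifEntry.a and readaccess mirror the CLI output above; the exclusion of the USM and VACM MIB subtrees in the second view is a constructed illustration of a common hardening choice, not a configuration the guide prescribes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[str, ...]   # OID arcs as strings; "*" is a wildcard arc
    included: bool


class SnmpView:
    """Simplified vacmViewTreeFamily: longest matching subtree decides inclusion."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._entries: List[ViewEntry] = []

    def add_subtree(self, subtree: str, included: bool = True) -> None:
        """Register a subtree such as '1.3.6.1.2.1.2.2.1.1.*' as included or excluded."""
        arcs = tuple(subtree.strip(".").split("."))
        for arc in arcs:
            if arc != "*" and not arc.isdigit():
                raise ValueError(f"bad OID arc {arc!r} in {subtree!r}")
        self._entries.append(ViewEntry(arcs, included))

    @staticmethod
    def _matches(entry: ViewEntry, oid: Tuple[str, ...]) -> bool:
        # A subtree only matches OIDs at least as long as itself.
        if len(entry.subtree) > len(oid):
            return False
        return all(s == "*" or s == o for s, o in zip(entry.subtree, oid))

    def best_match(self, oid: str) -> Optional[ViewEntry]:
        """Return the most specific (longest) matching entry, or None."""
        arcs = tuple(oid.strip(".").split("."))
        best: Optional[ViewEntry] = None
        for entry in self._entries:
            if self._matches(entry, arcs) and (best is None or len(entry.subtree) > len(best.subtree)):
                best = entry
        return best

    def is_in_view(self, oid: str) -> bool:
        """True when the OID is covered by an included subtree and no longer excluded one."""
        best = self.best_match(oid)
        return best is not None and best.included


def build_sample_views() -> Tuple[SnmpView, SnmpView]:
    """Constructed views for the example: the ifEntry.a view from the CLI output,
    and a read view that exposes the whole internet subtree except USM/VACM."""
    if_view = SnmpView("ifEntry.a")
    if_view.add_subtree("1.3.6.1.2.1.2.2.1.1.*", included=True)

    read_view = SnmpView("readaccess")
    read_view.add_subtree("1.3.6.1", included=True)
    read_view.add_subtree("1.3.6.1.6.3.15", included=False)   # SNMP-USER-BASED-SM-MIB
    read_view.add_subtree("1.3.6.1.6.3.16", included=False)   # SNMP-VIEW-BASED-ACM-MIB
    return if_view, read_view
```

The wildcard arc is what lets a single entry cover every row of a table (here ifIndex for every interface) without enumerating indices; an OID shorter than the subtree, such as the table entry itself, is not in the view, which matches the "selects all index entries" wording in the guide.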
Configuring User Accounts
The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place. The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.
Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 3-32 Access Levels
CLI – Assign a user name to access-level 15 (i.e.
multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
- Accounting Port Number – UDP port on authentication server used for accounting messages. (Range: 1-65535; Default: 1813)
- Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2)
- Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request.
Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
CLI – Specify all the required parameters to enable logon authentication.
Console(config)#authentication login radius
Console(config)#radius-server auth-port 181
Console(config)#radius-server acct-port 183
Console(config)#radius-server retransmit 5
Console(config)#radius-server timeout 10
Console(config)#radius-server 1 host 192.168.1.
Console#configure
Console(config)#authentication login tacacs
Console(config)#tacacs-server 1 host 10.20.30.
- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters)
- Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
- Change – Clicking this button adds or modifies the selected encryption key.
Web – Click Security, Encryption Key.
AAA Authorization and Accounting
Authentication, authorization, and accounting (AAA) provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows:
• Authentication — Identifies users that request access to the network.
• Authorization — Determines if users can access specific services.
• Accounting — Provides reports, auditing, and billing for services that users have accessed on the network.
Configuring AAA RADIUS Group Settings
The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization.
Command Attributes
• Group Name - Defines a name for the RADIUS server group. (1-255 characters)
• Server Index - Specifies the RADIUS server and sequence to use for the group.
Configuring AAA TACACS+ Group Settings
The AAA TACACS+ Group Settings screen defines the configured TACACS+ servers to use for accounting and authorization.
Command Attributes
• Group Name - Defines a name for the TACACS+ server group. (1-255 characters)
• Server - Specifies the TACACS+ server to use for the group. (Range: 1)
When specifying the index for a TACACS+ server, the server index must already be defined (see “Configuring Local/Remote Logon Authentication” on page 3-59).
3-59). Any other group name refers to a server group configured on the RADIUS or TACACS+ Group Settings pages.
Web – Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add.
Figure 3-37 AAA Accounting Settings
CLI – Specify the accounting method required, followed by the chosen parameters.
AAA Accounting Update
This feature sets the interval at which accounting updates are sent to accounting servers.
Command Attributes
Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled)
Web – Click Security, AAA, Accounting, Periodic Update. Enter the required update interval and click Apply.
AAA Accounting 802.1X Port Settings
This feature applies the specified accounting method to an interface.
Command Attributes
• Port/Trunk - Specifies a port or trunk number.
• Method Name - Specifies a user defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-67). (Range: 1-255 characters)
Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply.
AAA Accounting Exec Command Privileges
This feature specifies a method name to apply to commands entered at specific CLI privilege levels.
Command Attributes
• Commands Privilege Level - The CLI privilege levels (0-15).
• Console/Telnet - Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply.
AAA Accounting Exec Settings
This feature specifies a method name to apply to console and Telnet connections.
Command Attributes
Method Name - Specifies a user defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Figure 3-41 AAA Accounting Exec Settings
CLI – Specify the accounting method to use for Console and Telnet interfaces.
Web – Click Security, AAA, Summary.
Figure 3-42 AAA Accounting Summary
CLI – Use the following command to display the currently applied accounting methods, and registered users.
Console#show accounting statistics
Total entries: 3
Acconting type : dot1x
Username : testpc
Interface : eth 1/1
Time elapsed since connected: 00:24:44
Acconting type : exec
Username : admin
Interface : vty 0
Time elapsed since connected: 00:25:09
Console#
Authorization Settings
AAA authorization is a feature that verifies a user has access to specific services.
Command Attributes
• Method Name – Specifies an authorization method for service requests.
Authorization EXEC Settings
This feature specifies an authorization method name to apply to console and Telnet connections.
Command Attributes
Method Name - Specifies a user-defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Authorization Summary
The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied.
Command Attributes
• Accounting Type - Displays the accounting service.
• Method List - Displays the user-defined or default authorization method.
• Group List - Displays the authorization server group.
• Interface - Displays the console or Telnet interface to which the authorization method applies.
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Command Usage
• Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.
Figure 3-46 HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.
• Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
Web – Click Security, HTTPS Settings. Fill in the TFTP server, certificate and private file name details, then click Copy Certificate.
Figure 3-47 HTTPS Settings
CLI – This example copies the certificate file from the designated TFTP server.
Notes:
1. You need to install an SSH client on the management station to access the switch for management via the SSH protocol.
2. The switch supports both SSH Version 1.5 and 2.0 clients.
Command Usage
The SSH server on this switch supports both password and public key authentication.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.
Generating the Host Key Pair
A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
Field Attributes
• Public-Key of Host-Key – The public key for the host.
- RSA (Version 1): The first field indicates the size of the host key (e.g.
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Figure 3-48 SSH Host-Key Settings
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Importing User Public Keys
A user’s Public Key must be uploaded to the switch in order for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
Field Attributes
• Public-Key of user – The RSA and DSA public keys for the selected user.
- RSA: The first field indicates the size of the host key (e.g.
Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name, and then click Copy Public Key.
CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. Note that public key authentication through SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.254
Choose public key type:
1. RSA: 2. DSA: <1-2>: 2
Source file name: admin-ssh2-dsa-pub.key
Username: admin
TFTP Download Success.
Write to FLASH Programming.
Success.
• SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3)
• SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768)
- The server key is a private key that is never shared outside the switch.
- The host key is shared with the SSH client, and is fixed at 1024 bits.
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
• Each switch port that will be used must be set to dot1X “Auto” mode.
• Each client that needs to be authenticated must have dot1X client software installed and properly configured.
• The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
• The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS.
Configuring 802.1X Global Settings
The 802.1X protocol provides port-based client authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
Command Attributes
802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled)
Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply.
Figure 3-52 802.1X Global Configuration
CLI – This example enables 802.
• Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)
• Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-137.
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-7 802.1X Statistics
Parameter | Description
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff | The number of EAPOL Logoff frames that have been received by this Authenticator.
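The statistics in Table 3-7 are counts of EAPOL frame types seen by the authenticator, which is also what the earlier note about the switch "only supporting EAPOL in order to pass the EAP packets" refers to: the switch inspects the EAPOL header and relays the EAP payload. The following Python script is an added example, not code from the guide or the switch, that decodes the Ethernet and EAPOL (IEEE 802.1X) headers plus the EAP Response/Identity inside an EAP-Packet, and tallies frames the way a per-port statistics table would. The sample frames are constructed in the script (supplicant MAC 00:11:22:33:44:55, identity "alice"), not captured from a real network; the counter names beyond the two in the table are this example's own.

```python
import struct
from collections import Counter
from typing import Dict, Iterable, List

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eapol(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet + EAPOL headers (and EAP Identity); raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than declared length")
    info: Dict[str, object] = {
        "src": ":".join(f"{b:02x}" for b in frame[6:12]),
        "version": version,
        "type": EAPOL_TYPE_NAMES.get(ptype, f"unknown({ptype})"),
    }
    if ptype == 0:                       # EAP-Packet: an EAP header follows
        if length < 4:
            raise ValueError("EAP packet too short")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length:
            raise ValueError("EAP length exceeds EAPOL body")
        info["eap_code"] = EAP_CODE_NAMES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5:   # Request/Response carry a Type byte
            info["eap_type"] = body[4]
            if body[4] == EAP_TYPE_IDENTITY:
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


def eapol_statistics(frames: Iterable[bytes]) -> Counter:
    """Count received frames per category, like an authenticator's Rx statistics."""
    stats: Counter = Counter()
    for frame in frames:
        try:
            info = parse_eapol(frame)
        except ValueError:
            stats["Rx Invalid EAPOL"] += 1      # malformed frames are counted, never trusted
            continue
        kind = info["type"]
        if kind == "EAPOL-Start":
            stats["Rx EAPOL Start"] += 1
        elif kind == "EAPOL-Logoff":
            stats["Rx EAPOL Logoff"] += 1
        elif kind == "EAP-Packet" and info.get("eap_code") == "Response":
            key = "Rx EAP Resp/Id" if info.get("eap_type") == EAP_TYPE_IDENTITY else "Rx EAP Resp/Oth"
            stats[key] += 1
        else:
            stats["Rx Other EAPOL"] += 1
    return stats


def make_eapol_frame(src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build a constructed EAPOL v1 frame addressed to the PAE group MAC (sample data)."""
    header = struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body))
    return PAE_GROUP_ADDRESS + src + header + body


def sample_frames() -> List[bytes]:
    """Constructed supplicant traffic: Start, Response/Identity, Logoff, Start, one truncated frame."""
    supplicant = bytes.fromhex("001122334455")
    identity = b"alice"
    eap_resp_id = struct.pack("!BBHB", 2, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return [
        make_eapol_frame(supplicant, 1),
        make_eapol_frame(supplicant, 0, eap_resp_id),
        make_eapol_frame(supplicant, 2),
        make_eapol_frame(supplicant, 1),
        make_eapol_frame(supplicant, 1)[:16],   # cut short: exercises the length check
    ]


if __name__ == "__main__":
    for name, count in sorted(eapol_statistics(sample_frames()).items()):
        print(f"{name:<18} {count}")
```

A burst of EAPOL Start or Logoff frames in these counters, with no matching authentication successes, is the kind of anomaly the switch's per-port statistics let an operator spot; the parser refuses frames whose declared EAPOL or EAP length does not fit the bytes actually received rather than reading past the buffer.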
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 3-54 Displaying 802.1X Port Statistics
CLI – This example displays the 802.1X statistics for port 4.
• IP addresses can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
• When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
General Security Measures 3
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.3
Console(config)#end
Console#show management all-client
Management IP Filter
HTTP-Client:
Start IP address End IP address
-----------------------------------------------
SNMP-Client:
Start IP address End IP address
-----------------------------------------------
1. 10.1.2.3 10.1.2.
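The two rules above (at most five entries per service group, and no overlapping ranges inside one group while overlap across groups is fine) are easy to get wrong when an allow list is built by hand. The following Python class is an added example, not code from the guide or the switch, that models the management IP filter and enforces exactly those rules on add; the 10.1.2.3 entry matches the CLI example above, the other addresses are constructed. One assumption is labelled in the code: a group with no entries is treated as permitting any client, which the excerpt does not state.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


class ManagementIpFilter:
    """Per-service management allow lists: SNMP, web and Telnet, five entries each."""

    GROUPS = ("snmp", "web", "telnet")
    MAX_ENTRIES = 5

    def __init__(self) -> None:
        self._lists: Dict[str, List[IPRange]] = {g: [] for g in self.GROUPS}
        self.last_error: Optional[str] = None   # reason for the most recent rejection

    def add(self, group: str, start: str, end: Optional[str] = None) -> bool:
        """Add one address (end omitted) or an inclusive range; False if rejected."""
        if group not in self._lists:
            self.last_error = f"unknown group {group!r}"
            return False
        try:
            lo = ipaddress.IPv4Address(start)
            hi = ipaddress.IPv4Address(end) if end else lo
        except ipaddress.AddressValueError as exc:
            self.last_error = f"bad address: {exc}"
            return False
        if hi < lo:
            self.last_error = "range end precedes range start"
            return False
        entries = self._lists[group]
        if len(entries) >= self.MAX_ENTRIES:
            self.last_error = f"{group}: at most {self.MAX_ENTRIES} entries"
            return False
        # Closed intervals [lo, hi] and [cur_lo, cur_hi] intersect when each starts
        # no later than the other ends; that is the overlap the switch rejects.
        for cur_lo, cur_hi in entries:
            if lo <= cur_hi and cur_lo <= hi:
                self.last_error = f"{group}: overlaps existing {cur_lo}-{cur_hi}"
                return False
        entries.append((lo, hi))
        self.last_error = None
        return True

    def is_allowed(self, group: str, client: str) -> bool:
        """Would a client at this address pass the filter for the given service?"""
        entries = self._lists[group]
        if not entries:
            return True   # ASSUMPTION for this example: an empty list permits every client
        ip = ipaddress.IPv4Address(client)
        return any(lo <= ip <= hi for lo, hi in entries)

    def show(self, group: str) -> List[Tuple[str, str]]:
        """Start/End pairs as strings, in the style of 'show management all-client'."""
        return [(str(lo), str(hi)) for lo, hi in self._lists[group]]


if __name__ == "__main__":
    f = ManagementIpFilter()
    print(f.add("snmp", "10.1.2.3"))                       # accepted
    print(f.add("snmp", "10.1.2.0", "10.1.2.255"), f.last_error)   # rejected: same group overlap
    print(f.add("web", "10.1.2.0", "10.1.2.255"))           # accepted: different group
    print(f.show("snmp"), f.is_allowed("snmp", "10.1.2.4"))
```

Because the check runs per group, a web range that wholly contains the SNMP entry is accepted, exactly as the bullet describes; the same range offered to the SNMP group is refused with the overlapping entry named in last_error.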
• IP Source Guard – Filters untrusted DHCP messages on unsecure ports by building and maintaining a DHCP snooping binding table. (See “IP Source Guard” on page 3-122.)
Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
• Security Status – Enables or disables port security on the port. (Default: Disabled)
• Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled)
• Trunk – Trunk number if port is a member (page 3-134 and 3-135).
Web – Click Security, Port Security.
Configuring Web Authentication
Web authentication is configured on a per-port basis; however, four configurable parameters apply globally to all ports on the switch.
Command Attributes
• System Authentication Control – Enables Web Authentication for the switch. (Default: Disabled)
• Session Timeout – Configures how long an authenticated session stays active before it must be re-authenticated.
Configuring Web Authentication for Ports
Web authentication is configured on a per-port basis. The following parameters are associated with each port.
Command Attributes
• Port – Indicates the port being configured.
• Status – Configures the web authentication status for the port.
• Authenticated Host Counts – Indicates how many authenticated hosts are connected to the port.
Web – Click Security, Web Authentication, Port Configuration.
Displaying Web Authentication Port Information
This switch can display web authentication information for all ports and connected hosts.
Command Attributes
• Interface – Indicates the Ethernet port to query.
• IP Address – Indicates the IP address of each connected host.
• Status – Indicates the authorization status of each connected host.
• Remaining Session Time (seconds) – Indicates the remaining time until the current authorization session for the host expires.
Web – Click Security, Web Authentication, Re-authentication.
Figure 3-60 Web Authentication Port Re-authentication
CLI – This example forces the re-authentication of all hosts connected to port 1/5.
Console#web-auth re-authenticate interface ethernet 1/5
Console#
Network Access (MAC Address Authentication)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
• Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
• When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
• The RADIUS server may optionally return a VLAN identifier list to be applied to the switch port.
CLI – This example sets and displays the reauthentication time.
Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk members are indicated on the Network Access Port Configuration page in the “Trunk” column.
Web – Click Security, Network Access, Port Configuration.
Figure 3-62 Network Access Port Configuration
CLI – This example configures MAC authentication for port 1.
Displaying Secure MAC Address Information
Authenticated MAC addresses are stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries removed from the table.
Command Attributes
• Network Access MAC Address Count – The number of MAC addresses currently in the secure MAC address table.
• Query By – Specifies parameters to use in the MAC address query.
- Port – Specifies a port interface.
CLI – This example displays all entries currently in the secure MAC address table.
Console#show network-access mac-address-table
Port  MAC-Address        RADIUS-Server    Attribute
----  -----------------  ---------------  ---------
1/1   00-00-01-02-03-04  172.155.120.17   Static
1/1   00-00-01-02-03-05  172.155.120.17   Dynamic
1/1   00-00-01-02-03-06  172.155.120.17   Static
1/3   00-00-01-02-03-07  172.155.120.
- Extended – IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number. If the “TCP” protocol is specified, then you can also filter packets based on the TCP control code.
- MAC – MAC ACL mode that filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).
Web – Select Security, ACL, Configuration.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.
Figure 3-65 Configuring Standard IP ACLs
CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.
• Source/Destination Port Bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
• Control Code – Decimal number (representing a bit string) that specifies the flag bits in byte 14 of the TCP header: URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1. (Range: 0-63)
• Control Code Bit Mask – Decimal number (for an equivalent binary bit mask) that selects which control code bits are compared; only the flag bits set in the mask are checked against the Control Code, so a code of 2 with a mask of 18 matches a bare SYN but not a SYN-ACK.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
Binding a Port to an Access Control List
After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port.
Command Usage
• Each ACL can have up to 32 rules.
• This switch supports ACLs for ingress filtering only. A rule intended to block traffic from a host must therefore be bound to the port on which that host's traffic enters the switch, not to the port it would leave from.
Command Attributes
• Port – Fixed port or SFP module. (Range: 1-28)
• IP – Specifies the IP ACL to bind to a port.
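The standard IP, extended IP and MAC ACL attributes above describe three kinds of matching: an address compared under a bitmask, a protocol/port match, and a TCP control code compared under a control-code bitmask. The following is an added example, not code from the ES3528M guide, that models those rules so the effect of a mask can be checked before a list is bound to a port. The matching semantics (bitmask comparison, first matching rule wins, a caller-chosen result when no rule matches) are assumptions drawn from the attribute descriptions; the addresses 10.1.1.21, 168.92.16.x and the 00-12-cf OUI are taken from the page, while the Telnet and OUI rules themselves are constructed.

```python
"""ACL rule evaluation modelled on the standard IP, extended IP and MAC ACL
attributes described in this section (added example, not the switch's code).
Matching semantics are assumptions: compare only the bits selected by a mask,
first matching rule wins, and 'default' is returned when nothing matches."""
import ipaddress

# TCP flag bits as carried in byte 14 of the TCP header (Control Code 0-63).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def ip_match(addr, rule_addr, rule_mask):
    """'any' matches everything; otherwise compare only the bits selected by
    the bitmask (255.255.240.0 selects 168.92.16.0 - 168.92.31.255)."""
    if rule_addr == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(rule_mask))
    return (a & m) == (r & m)


def mac_match(mac, rule_mac, rule_mask):
    """Same idea for MAC addresses with a hexadecimal bitmask;
    ff-ff-ff-00-00-00 matches a whole OUI."""
    if rule_mac == "any":
        return True
    to_int = lambda s: int(s.replace("-", "").replace(":", ""), 16)
    return (to_int(mac) & to_int(rule_mask)) == (to_int(rule_mac) & to_int(rule_mask))


def control_code_match(flags, code, code_mask):
    """Only the flag bits set in code_mask are compared (assumed semantics):
    code=SYN with mask=SYN|ACK matches a bare SYN but not a SYN-ACK."""
    return (flags & code_mask) == (code & code_mask)


def evaluate(rules, pkt, default="deny"):
    """Return the action of the first matching rule. The page does not state
    what the switch does when no rule matches; 'default' is a placeholder the
    caller sets after checking the device's own behaviour."""
    for rule in rules:
        if rule["kind"] == "ip":
            if not ip_match(pkt["sip"], rule.get("src", "any"),
                            rule.get("src_mask", "255.255.255.255")):
                continue
            if not ip_match(pkt.get("dip", "0.0.0.0"), rule.get("dst", "any"),
                            rule.get("dst_mask", "255.255.255.255")):
                continue
            if "proto" in rule and rule["proto"] != pkt.get("proto"):
                continue
            if "dport" in rule and rule["dport"] != pkt.get("dport"):
                continue
            if "code" in rule and not control_code_match(
                    pkt.get("flags", 0), rule["code"], rule["code_mask"]):
                continue
        else:  # MAC rule
            if not mac_match(pkt["smac"], rule.get("src", "any"),
                             rule.get("src_mask", "ff-ff-ff-ff-ff-ff")):
                continue
            if "ethertype" in rule and rule["ethertype"] != pkt.get("ethertype"):
                continue
        return rule["action"]
    return default


# Constructed rule sets. The IP addresses and the 00-12-cf OUI appear on the
# page; the Telnet and OUI rules are made up for illustration.
STANDARD_RULES = [
    {"kind": "ip", "action": "permit", "src": "10.1.1.21"},
    {"kind": "ip", "action": "permit", "src": "168.92.16.0", "src_mask": "255.255.240.0"},
]
EXTENDED_RULES = [
    # Drop inbound Telnet connection attempts (SYN set, ACK clear) but let
    # already-established Telnet traffic through; then permit everything else.
    {"kind": "ip", "action": "deny", "proto": "tcp", "dport": 23,
     "code": SYN, "code_mask": SYN | ACK},
    {"kind": "ip", "action": "permit"},
]
MAC_RULES = [
    {"kind": "mac", "action": "permit", "src": "00-12-cf-00-00-00",
     "src_mask": "ff-ff-ff-00-00-00", "ethertype": 0x0800},
]


def demo():
    """Run constructed packets through each rule set and collect the verdicts."""
    tcp = {"sip": "10.0.0.5", "dip": "10.0.0.1", "proto": "tcp", "dport": 23}
    return {
        "std_host": evaluate(STANDARD_RULES, {"sip": "10.1.1.21"}),
        "std_range": evaluate(STANDARD_RULES, {"sip": "168.92.31.7"}),
        "std_outside": evaluate(STANDARD_RULES, {"sip": "168.92.32.1"}),
        "telnet_syn": evaluate(EXTENDED_RULES, {**tcp, "flags": SYN}),
        "telnet_ack": evaluate(EXTENDED_RULES, {**tcp, "flags": SYN | ACK}),
        "mac_oui": evaluate(MAC_RULES, {"smac": "00-12-cf-94-34-de", "ethertype": 0x0800}),
        "mac_other": evaluate(MAC_RULES, {"smac": "00-e0-29-11-22-33", "ethertype": 0x0800}),
    }
```

Because the switch filters on ingress only, the Telnet rule above would have to be bound to the port where the connecting host's traffic enters; the mask 255.255.240.0 is what turns the page's 168.92.16.x – 168.92.31.x range into a single rule.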
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on a non-secure interface from outside the network or firewall. When DHCP snooping is enabled globally and enabled on a VLAN interface, DHCP messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped.
• Binding table entries are learned only from DHCP exchanges in which the server's reply arrives on a trusted interface; server messages arriving on untrusted interfaces are dropped and never create entries.
configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
• When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
Command Attributes
• VLAN ID – ID of a configured VLAN. (Range: 1-4094)
• DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN.
Web – Click DHCP Snooping, VLAN Configuration.
Figure 3-70 DHCP Snooping VLAN Configuration
CLI – This example first enables DHCP Snooping for VLAN 1.
• In some cases, the switch may receive DHCP packets from a client that already include DHCP Option 82 information. The switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Command Attributes
• DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay.
Configuring Ports for DHCP Snooping
Use the DHCP Snooping Port Configuration page to configure switch ports as trusted or untrusted.
Command Usage
• A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.
Web – Click DHCP Snooping, DHCP Snooping Binding Information.
Figure 3-73 DHCP Snooping Binding Information
CLI – This example shows how to display the DHCP Snooping binding table entries.
Console#show ip dhcp snooping binding
MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
00-10-60-db-37-6b  192.168.0.
• If IP source guard is enabled, an inbound packet’s IP address (sip option) or both its IP address and corresponding MAC address (sip-mac option) will be checked against the binding table. If no matching entry is found, the packet will be dropped.
• Filtering rules are implemented as follows:
- If DHCP snooping is disabled (see page 3-117), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
CLI – This example shows how to enable IP source guard on port 5 to check the source IP address for ingress packets against the binding table.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#end
Console#show ip source-guard
Interface  Filter-type
---------  -----------
Eth 1/1    DISABLED
Eth 1/2    DISABLED
Eth 1/3    DISABLED
Eth 1/4    DISABLED
Eth 1/5    SIP
Eth 1/6    DISABLED
.
.
Web – Click IP Source Guard, Static Configuration. Select the VLAN and port to which the entry will be bound, enter the MAC address and associated IP address, then click Add.
Figure 3-75 Static IP Source Guard Binding Configuration
CLI – This example configures a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.
Web – Click IP Source Guard, Dynamic Information.
Figure 3-76 Dynamic IP Source Guard Binding Information
CLI – This example displays the source-guard binding table.
Console#show ip source-guard binding
MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
00-10-60-db-37-6b  192.168.0.
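The DHCP snooping rules (server messages accepted only on trusted ports, bindings learned from the client/server exchange, entries cleared on release) and the IP source guard modes (sip checks the source IP against the binding for that VLAN and port, sip-mac also checks the MAC) fit together as one filter pipeline. The following is an added example, not code from the ES3528M guide, that models that pipeline so the two filters can be exercised against constructed traffic. The message flow (a client REQUEST on an untrusted port, then a server ACK arriving on a trusted port creates the binding for the client's port) and the single VLAN-aware binding table are assumptions drawn from the text; port 1/25 as the server-facing uplink and the client MAC are constructed, the MAC 00-10-60-db-37-6b and 11-22-33-44-55-66 being the ones shown in the page's own output.

```python
"""Model of the DHCP snooping and IP source guard filtering described above
(added example, not the switch's code). Assumptions: a client's REQUEST on an
untrusted port followed by a server ACK via a trusted port creates a binding
for the client's port; sip checks (vlan, port, ip), sip-mac also checks mac."""

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}        # client MAC -> (vlan, port) awaiting an ACK
        self.bindings = []       # dicts: mac, ip, vlan, port, type
        self.source_guard = {}   # port -> "sip" | "sip-mac"

    def add_static_binding(self, mac, ip, vlan, port):
        """Equivalent of 'ip source-guard binding <mac> vlan <v> <ip> interface ...'."""
        self.bindings.append({"mac": mac, "ip": ip, "vlan": vlan, "port": port, "type": "static"})

    def dhcp(self, msg, vlan, port):
        """Filter one DHCP message received on 'port'; return 'forward' or 'drop'."""
        if msg["type"] in SERVER_MESSAGES:
            # Server replies are accepted only from trusted (server-facing) ports,
            # so a rogue server on an access port never reaches the clients.
            if port not in self.trusted:
                return "drop"
            if msg["type"] == "ACK" and msg["chaddr"] in self.pending:
                cvlan, cport = self.pending.pop(msg["chaddr"])
                self.bindings.append({"mac": msg["chaddr"], "ip": msg["yiaddr"],
                                      "vlan": cvlan, "port": cport, "type": "dynamic"})
            return "forward"
        # Client messages: remember where the client sits so the ACK can be
        # bound to the client's port rather than the uplink it arrives on.
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self.pending[msg["chaddr"]] = (vlan, port)
        elif msg["type"] == "RELEASE":
            self.bindings = [b for b in self.bindings
                             if not (b["type"] == "dynamic" and b["mac"] == msg["chaddr"])]
        return "forward"

    def ip_packet(self, sip, smac, vlan, port):
        """IP source guard check for an inbound IP packet on 'port'."""
        mode = self.source_guard.get(port)
        if mode is None:
            return "forward"
        for b in self.bindings:
            if b["vlan"] != vlan or b["port"] != port or b["ip"] != sip:
                continue
            if mode == "sip" or b["mac"] == smac:
                return "forward"
        return "drop"


def demo():
    """Constructed scenario: rogue server, legitimate lease, spoofed sources."""
    sw = SnoopingSwitch(trusted_ports={"1/25"})      # 1/25: uplink to the DHCP server
    sw.source_guard["1/5"] = "sip"
    sw.source_guard["1/6"] = "sip-mac"
    client = "00-10-60-db-37-6b"
    rogue_ack = {"type": "ACK", "chaddr": client, "yiaddr": "192.168.0.99"}
    results = {"rogue_server": sw.dhcp(rogue_ack, 1, "1/7")}   # server reply on an access port
    sw.dhcp({"type": "REQUEST", "chaddr": client}, 1, "1/5")
    sw.dhcp({"type": "ACK", "chaddr": client, "yiaddr": "192.168.0.10"}, 1, "1/25")
    results["bound"] = [b["ip"] for b in sw.bindings]
    results["own_ip"] = sw.ip_packet("192.168.0.10", client, 1, "1/5")
    results["spoofed_ip"] = sw.ip_packet("192.168.0.200", client, 1, "1/5")
    results["sip_ignores_mac"] = sw.ip_packet("192.168.0.10", "aa-bb-cc-dd-ee-ff", 1, "1/5")
    sw.add_static_binding("11-22-33-44-55-66", "192.168.0.20", 1, "1/6")
    results["sipmac_ok"] = sw.ip_packet("192.168.0.20", "11-22-33-44-55-66", 1, "1/6")
    results["sipmac_wrong_mac"] = sw.ip_packet("192.168.0.20", "aa-bb-cc-dd-ee-ff", 1, "1/6")
    return results
```

The "sip_ignores_mac" case is the practical difference between the two modes: with sip alone, a host that forges its MAC but keeps the leased IP still passes, so sip-mac is the setting to use where MAC spoofing is part of the threat model. Static bindings are the way to cover hosts with fixed addresses, which never appear in the DHCP exchange and so would otherwise be dropped by either mode.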
Port Configuration 3
Port Configuration
Displaying Connection Status
You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Field Attributes (Web)
• Name – Interface label.
• Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
• Admin Status – Shows if the interface is enabled or disabled.
• Oper Status – Indicates if the link is Up or Down.
Field Attributes (CLI)
Basic Information:
• Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-17.)
Configuration:
• Name – Interface label.
• Port Admin – Shows if the interface is enabled or disabled (i.e., up or down).
• Speed-duplex – Shows the current speed and duplex mode.
Current Status:
• Link Status – Indicates if the link is up or down.
• Port Operation Status – Provides detailed information on port state. (Displayed only when the link is up.)
• Operation Speed-duplex – Shows the current speed and duplex mode.
• Flow Control Type – Indicates the type of flow control currently in use. (IEEE 802.3x, Back-Pressure or none)
CLI – This example shows the connection status for Port 5.
trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. However, this switch does provide a means of safely forcing a link to operate at 1000 Mbps, full-duplex using the Giga Phy Mode attribute described below.
Command Attributes
• Name – Allows you to label an interface. (Range: 1-64 characters)
• Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g.
back pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation. Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
CLI – Select the interface, and then enter the required settings.
Console(config)#interface ethernet 1/13
Console(config-if)#description RD SW#13
Console(config-if)#shutdown
.
Console(config-if)#no shutdown
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 100half
Console(config-if)#flowcontrol
.
Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to eight trunks at a time. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
Statically Configuring a Trunk
Command Usage
• When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Command Attributes
• Member List (Current) – Shows configured trunks (Port).
• New – Includes entry fields for creating new trunks.
- Port – Port identifier. (Range: 1-28)
Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp
Console(config-if)#exit
.
.
.
Command Attributes
Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch.
• Port – Port number. (Range: 1-28)
• System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535; Default: 32768)
- Ports must be configured with the same system priority to join the same LAG.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
.
.
.
Web – Click Port, LACP, Aggregator. Set the Admin Key for the required LACP group, and click Apply.
Figure 3-82 LACP Aggregation Group Configuration
CLI – The following example sets the LACP admin key for port channel 1.
Console(config)#interface port-channel 1
Console(config-if)#lacp actor admin-key 3
Console(config-if)#
Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information.
Figure 3-83 LACP - Port Counters Information
CLI – The following example displays LACP counters.
Table 3-9 LACP Internal Configuration Information (Continued)
Field – Description
Admin State, Oper State – Administrative or operational values of the actor’s state parameters:
• Expired – The actor’s receive machine is in the expired state;
• Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
• Distributing – If false, distribution of outgoing frames on this link is disabled; i.e.
CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.
Figure 3-85 LACP - Port Neighbors Information
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Setting Broadcast Storm Thresholds
Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt. You can protect your network from broadcast storms by setting a threshold for broadcast traffic for each port.
Web – Click Port, Port/Trunk Broadcast Control. Set the threshold and mark the Enabled field for the required interface, then click Apply.
Figure 3-86 Port Broadcast Control
CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic into or out of the switch. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
Table 3-11 Port Statistics (Continued)
Parameter – Description
Transmit Discarded Packets – The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Transmit Errors – The number of outbound packets that could not be transmitted because of errors.
Table 3-11 Port Statistics (Continued)
Parameter – Description
Received Frames – The total number of frames (bad, broadcast and multicast) received.
Broadcast Frames – The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.
Multicast Frames – The total number of good frames received that were directed to a multicast address.
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
CLI – This example shows statistics for port 13.
Power Over Ethernet Settings 3
Switch Power Status
Use the Main Power Status page to display the Power over Ethernet settings for the switch.
Command Attributes
• Maximum Available Power – The configured power budget for the switch.
• System Operation Status – The PoE power service provided to the switch ports.
• Mainpower Consumption – The amount of power being consumed by PoE devices connected to the switch.
• Thermal Temperature – The internal temperature of the switch.
Setting a Switch Power Budget
A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
Command Attributes
• Power Allocation – The power budget for the switch.
Web – Click PoE, Power Port Status.
Figure 3-92 Displaying Port PoE Status
CLI – This example displays the PoE status and priority of port 1.
Command Attributes
• Port – The port number on the switch. (Range: 1-28)
• Admin Status – Enables PoE power on the port. Power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the switch or port power budget. (Default: Enabled)
• Priority – Sets the power priority for the port. (Options: low, high, or critical; Default: low)
• Power Allocation – Sets the power budget for the port.
Address Table Settings 3
Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
Setting Static Addresses
A static address can be assigned to a specific interface on this switch.
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Console(config)#mac-address-table static 00-12-cf-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
Displaying the Address Table
The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
CLI – This example displays the address table entries for port 1.
Console#show mac-address-table interface ethernet 1/1
Interface  Mac Address        Vlan  Type
---------  -----------------  ----  -----------------
Eth 1/ 1   00-12-CF-48-82-93  1     Delete-on-reset
Eth 1/ 1   00-12-CF-94-34-DE  2     Learned
Console#
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables/disables the function.
Spanning Tree Algorithm Configuration
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Spanning Tree Algorithm Configuration 3 MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing.
Configuring Port and Trunk Loopback Detection
When Port Loopback Detection is enabled and a port receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the port in discarding mode. This loopback state can be released manually or automatically.
CLI – This command enables loopback detection for port 1/5, configures automatic release mode, and enables SNMP trap notification for detected loopback BPDUs.
These additional parameters are only displayed for the CLI:
• Spanning Tree Mode – Specifies the type of spanning tree used on this switch:
- STP: Spanning Tree Protocol (IEEE 802.1D)
- RSTP: Rapid Spanning Tree (IEEE 802.1w)
- MSTP: Multiple Spanning Tree (IEEE 802.1s)
• Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.)
• VLANs Configuration – VLANs assigned to the CIST.
Web – Click Spanning Tree, STA, Information.
Figure 3-98 Displaying Spanning Tree Information
CLI – This command displays global STA settings, followed by settings for each port.
Console#show spanning-tree
Spanning-tree information
---------------------------------------------------------------
Spanning Tree Mode:             RSTP
Spanning Tree Enabled/Disabled: Enabled
Instance:                       0
VLANs Configuration:            1-4094
Priority:                       32768
Bridge Hello Time (sec.):       2
Bridge Max Age (sec.
Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.
Configuration Settings for RSTP
The following attributes apply to both RSTP and MSTP:
• Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
- Long: Specifies 32-bit based values that range from 1-200,000,000. (This is the default.)
- Short: Specifies 16-bit based values that range from 1-65535.
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
• Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree.
• Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-175.
should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)
• Internal Admin Path Cost – The path cost for the MST. See the preceding item.
• Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
--------------------------------------------------------------
Admin Status:              Enabled
Role:                      Designate
State:                     Forwarding
External Admin Path Cost:  0
Internal Admin Path Cost:  0
External Oper Path Cost:   100000
Internal Oper Path Cost:   100000
Priority:                  128
Designated Cost:           5000
Designated Port:           128.1
Designated Root:           32768.0.
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
• BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 3-168) or when spanning tree is disabled on a specific port.
Table 3-13 Recommended STA Path Costs
Port Type         Link Type    IEEE 802.1D-1998  IEEE 802.1w-2001
Ethernet          Half Duplex  100               2,000,000
Ethernet          Full Duplex  95                1,999,999
Ethernet          Trunk        90                1,000,000
Fast Ethernet     Half Duplex  19                200,000
Fast Ethernet     Full Duplex  18                100,000
Fast Ethernet     Trunk        15                50,000
Gigabit Ethernet  Full Duplex  4                 10,000
Gigabit Ethernet  Trunk        3                 5,000
Port Type Link Type IEEE 802.
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply.
Figure 3-101 Configuring Spanning Tree per Port
CLI – This example sets STA attributes for port 7.
To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.
Command Attributes
• MST Instance – Instance identifier of this spanning tree. (Default: 0)
• Priority – The priority of a spanning tree instance.
CLI – This example sets the priority for MSTI 1, and adds VLAN 1 to this MSTI. It then displays the STA settings for instance 1, followed by settings for each port.
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
Command Attributes
• MST Instance ID – Instance identifier to configure. (Default: 0)
Note: The other attributes are described under “Displaying Interface Settings” on page 3-172.
Web – Click Spanning Tree, MSTP, Port or Trunk Information.
CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree.
Configuring Interface Settings for MSTP
You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.
Field Attributes
The following attributes are read-only and cannot be changed:
• STA State – Displays current state of this port within the Spanning Tree. (See “Displaying Interface Settings” on page 3-172 for additional information.
Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply.
Figure 3-104 Displaying MSTP Interface Settings
CLI – This example sets the MSTP attributes for port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#spanning-tree mst port-priority 0
Console(config-if)#spanning-tree mst cost 50
Console(config-if)#
VLAN Configuration
IEEE 802.
VLAN Configuration 3 This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs • End stations can belong to multiple VLANs • Passing traffic between VLAN-aware and VLAN-unaware devices • Priority tagging Note: The switch allows 255 user-manageable VLANs.
Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets. However, you should use IEEE 802.
VLAN Configuration 3 Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports. Ports can be assigned to multiple tagged or untagged VLANs. Each port on the switch is therefore capable of passing tagged or untagged frames.
3 Configuring the Switch Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number16 – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. • Maximum VLAN ID – Maximum VLAN ID recognized by this switch. • Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch. Web – Click VLAN, 802.1Q VLAN, Basic Information.
VLAN Configuration 3 Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging. Command Attributes (Web) • VLAN ID – ID of configured VLAN (1-4094). • Up Time at Creation – Time this VLAN was created (i.e., System Up Time).
3 Configuring the Switch • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members. CLI – Current VLAN information can be displayed with the following command.
VLAN Configuration 3 Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-108 Configuring a VLAN Static List CLI – This example creates a new VLAN.
3 Configuring the Switch Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol. Notes: 1.
3 VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply. Figure 3-109 Configuring a VLAN Static Table CLI – The following example adds tagged and untagged ports to VLAN 2.
3 Configuring the Switch Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. • Non-Member – VLANs for which the selected interface is not a tagged member. Web – Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk).
VLAN Configuration 3 Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
3 Configuring the Switch • GARP Leave Timer17 – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60) • GARP LeaveAll Timer17 – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group.
VLAN Configuration 3 Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply. Figure 3-111 Configuring VLANs per Port CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
process transmits the packet.
Packets entering a QinQ tunnel port are processed in the following manner:
1. New SPVLAN tags are added to all incoming packets, no matter how many tags they already have. The ingress process constructs and inserts the outer tag (SPVLAN) into the packet based on the default VLAN ID and Tag Protocol Identifier (TPID, that is, the ether-type of the tag). This outer tag is used for learning and switching packets.
4. After successful source and destination lookups, the packet is double tagged. The switch uses the TPID of 0x8100 to indicate that an incoming packet is double-tagged. If the outer tag of an incoming double-tagged packet is equal to the port TPID and the inner tag is 0x8100, it is treated as a double-tagged packet. If a single-tagged packet has 0x8100 as its TPID, and the port TPID is not 0x8100, a new VLAN tag is added and it is also treated as a double-tagged packet.
5.
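The tag-handling rules of steps 1 and 4 above, worked through on raw Ethernet frames as an added Python example that is not code from the guide; the frame layout, the 0x9100 port TPID and the sample customer frames are constructed here to illustrate the rules.

```python
import struct

DOT1Q_TPID = 0x8100   # standard IEEE 802.1Q tag protocol identifier
ETH_HDR_LEN = 12      # destination MAC + source MAC, before the first TPID/ethertype


def read_tags(frame: bytes, port_tpid: int) -> list:
    """Return the VLAN tags on a frame as (tpid, vid) pairs, outermost first.

    A 4-byte tag is recognised when its TPID is 0x8100 or the port's configured
    TPID; parsing stops at the first ethertype that is neither.
    """
    tags, off = [], ETH_HDR_LEN
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in (DOT1Q_TPID, port_tpid):
            break
        tags.append((tpid, tci & 0x0FFF))   # low 12 bits of the TCI carry the VID
        off += 4
    return tags


def classify_ingress(frame: bytes, port_tpid: int) -> str:
    """Classify a frame arriving on a QinQ tunnel port using the step-4 rules."""
    tags = read_tags(frame, port_tpid)
    if len(tags) >= 2 and tags[0][0] == port_tpid and tags[1][0] == DOT1Q_TPID:
        return "double-tagged"      # outer tag equals the port TPID, inner tag is 0x8100
    if len(tags) == 1:
        return "single-tagged"      # becomes double-tagged once the SPVLAN tag is pushed
    if not tags:
        return "untagged"
    return "unrecognised"


def push_spvlan(frame: bytes, spvlan_id: int, port_tpid: int, pcp: int = 0) -> bytes:
    """Step 1: insert the outer SPVLAN tag regardless of how many tags are already present."""
    if not 1 <= spvlan_id <= 4094:
        raise ValueError("SPVLAN ID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | (spvlan_id & 0x0FFF)
    outer = struct.pack("!HH", port_tpid, tci)
    return frame[:ETH_HDR_LEN] + outer + frame[ETH_HDR_LEN:]


def build_frame(customer_vid=None) -> bytes:
    """Constructed sample frame: two MACs, an optional customer 802.1Q tag, IPv4 ethertype, padding."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("0a0b0c0d0e0f")
    tag = struct.pack("!HH", DOT1Q_TPID, customer_vid) if customer_vid is not None else b""
    return header + tag + b"\x08\x00" + b"\x00" * 46


if __name__ == "__main__":
    port_tpid = 0x9100   # assumed tunnel-port TPID, as set by "switchport dot1q-tunnel tpid 9100"
    for label, frame in (("untagged", build_frame()), ("customer VLAN 100", build_frame(100))):
        tunneled = push_spvlan(frame, 1000, port_tpid)
        print(f"{label}: {classify_ingress(frame, port_tpid)} -> "
              f"{read_tags(tunneled, port_tpid)} ({classify_ingress(tunneled, port_tpid)})")
```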
5. Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (see “Adding Static Members to VLANs (VLAN Index)” on page 3-192).
6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Configuring VLAN Behavior for Interfaces” on page 3-195).
7. Configure the QinQ tunnel uplink port to 802.1Q Tunnel Uplink mode (see “Adding an Interface to a QinQ Tunnel” on page 3-202).
8.
CLI – This example sets the switch to operate in QinQ mode.
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel tpid 9100
Console(config)#exit
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
. . .
Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply.
Figure 3-113 Tunnel Port Configuration
CLI – This example sets port 2 to tunnel access mode, and sets port 3 to tunnel uplink mode.
Configuring Global Settings for Traffic Segmentation
Use the Traffic Segmentation Status page to enable traffic segmentation, and to block or forward traffic between uplink ports assigned to different client sessions.
Command Attributes
• Traffic Segmentation Status – Enables port-based traffic segmentation. (Default: Disabled)
• Uplink-to-Uplink – Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions.
Web – Click VLAN, Traffic Segmentation, Session Configuration. Set the session number, specify whether an uplink or downlink is to be used, select the interface, and click Apply.
Figure 3-115 Traffic Segmentation Session Configuration
CLI – This example enables traffic segmentation and allows traffic to be forwarded across the uplink ports assigned to different client sessions.
Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports private VLANs with primary/secondary associated groups.
Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu.
Figure 3-116 Private VLAN Information
CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.
Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
Figure 3-117 Private VLAN Configuration
CLI – This example configures VLAN 5 as a primary VLAN, and VLAN 6 as a community VLAN.
CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.
Console(config)#vlan database
Console(config-vlan)#private-vlan 5 association 6
Console(config-vlan)#private-vlan 5 association 7
Console(config)#
Displaying Private VLAN Interface Information
Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.
Command Attributes
• Port/Trunk – The switch interface.
CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.
Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
Figure 3-120 Private VLAN Port Configuration
CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6.
Command Usage
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 3-190). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
2. Create a protocol group for each of the protocols you want to assign to a VLAN using the Protocol VLAN Configuration page.
3.
CLI – This example shows the switch configured with Protocol Group 2, which matches RFC 1042 IP traffic.
Console(config)#protocol-vlan protocol group 2 add frame-type rfc-1042 protocol-type ip
Console(config)#
Configuring the Protocol VLAN System
Use the Protocol VLAN System Configuration menu to map a Protocol VLAN Group to a VLAN.
Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval
• Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. (Range: 1-10 seconds; Default: 2 seconds) When LLDP is re-initialized on a port, all information in the remote system’s LLDP MIB associated with this port is deleted.
CLI – This example sets several attributes which control basic LLDP message timing.
• TLV Type – Configures the information included in the TLV field of advertised messages.
- Port Description – The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
power (the Endpoint Device could use this information to decide to enter power conservation mode). Note that this device does not support PoE capabilities.
- Inventory – This option advertises device details useful for inventory management, such as manufacturer, model, software version and other pertinent information.
• MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Enabled)
• Trunk – The trunk identifier.
CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise.
• Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
• System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 3-12).
• System Description – A textual description of the network entity. This field is also displayed by the show system command.
• System Capabilities Supported – The capabilities that define the primary function(s) of the system.
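An added Python example, not code from the guide, that builds and parses the LLDP TLVs behind the Chassis ID, System Name, System Description and System Capabilities fields listed above; the TLV layout and capability bit positions follow IEEE 802.1AB, the "telephone bit" decoded here is the one the guide's VoIP detection later relies on, and every sample value is constructed.

```python
import struct

# LLDP TLV type codes from IEEE 802.1AB for the fields the guide's LLDP pages display
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_SYSTEM_DESC, TLV_SYSTEM_CAPS = 5, 6, 7
CHASSIS_SUBTYPE_MAC = 4        # chassis identified by its MAC address
PORT_SUBTYPE_IFNAME = 5        # port identified by its interface name

# System Capabilities bitmap (802.1AB); bit 5 (0x20) is the "telephone bit"
CAPABILITY_BITS = {
    0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN Access Point",
    0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS Cable Device", 0x80: "Station Only",
}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: a 7-bit type and 9-bit length packed into 16 bits, then the value."""
    if tlv_type > 0x7F or len(value) > 0x1FF:
        raise ValueError("type or length exceeds the TLV header field width")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_id: str, ttl: int, sys_name: str,
                 sys_desc: str, caps_supported: int, caps_enabled: int) -> bytes:
    """Assemble an LLDPDU with the mandatory TLVs plus the system-information TLVs."""
    return b"".join([
        tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac),
        tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_id.encode()),
        tlv(TLV_TTL, struct.pack("!H", ttl)),
        tlv(TLV_SYSTEM_NAME, sys_name.encode()),
        tlv(TLV_SYSTEM_DESC, sys_desc.encode()),
        tlv(TLV_SYSTEM_CAPS, struct.pack("!HH", caps_supported, caps_enabled)),
        tlv(TLV_END, b""),
    ])


def decode_caps(bitmap: int) -> list:
    """Turn a capability bitmap into the names shown on the switch's LLDP pages."""
    return [name for bit, name in sorted(CAPABILITY_BITS.items()) if bitmap & bit]


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLV list and decode the fields the local/remote information pages show.

    Stops at the End TLV and raises on a truncated TLV so that a malformed
    advertisement is rejected rather than partially accepted.
    """
    info, off = {}, 0
    while off + 2 <= len(data):
        header = struct.unpack_from("!H", data, off)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV type {tlv_type} at offset {off}")
        off += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS_ID:
            subtype, ident = value[0], value[1:]
            if subtype == CHASSIS_SUBTYPE_MAC:
                info["chassis_type"] = "MAC Address"
                info["chassis_id"] = "-".join(f"{b:02X}" for b in ident)
            else:
                info["chassis_type"], info["chassis_id"] = f"subtype {subtype}", ident.hex()
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode(errors="replace")
        elif tlv_type == TLV_SYSTEM_DESC:
            info["system_description"] = value.decode(errors="replace")
        elif tlv_type == TLV_SYSTEM_CAPS:
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities_supported"] = decode_caps(supported)
            info["capabilities_enabled"] = decode_caps(enabled)
            info["telephone_bit"] = bool(enabled & 0x20)   # the bit VoIP 802.1ab detection checks
    return info


if __name__ == "__main__":
    # Constructed sample: a bridge advertising itself on interface "Eth 1/1"
    pdu = build_lldpdu(bytes.fromhex("000102030405"), "Eth 1/1", 120, "sw1",
                       "constructed sample switch", 0x04, 0x04)
    for key, val in parse_lldpdu(pdu).items():
        print(f"{key:24}: {val}")
```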
Web – Click LLDP, Local Information.
Figure 3-125 LLDP Local Device Information
CLI – This example displays LLDP information for the local switch.
Console#show lldp info local-device
LLDP Local System Information
 Chassis Type : MAC Address
 Chassis ID : 00-01-02-03-04-05
 System Name :
 System Description : 24 10/100 ports and 4 gigabit ports with PoE switch
 System Capabilities Support : Bridge
 System Capabilities Enable : Bridge
 Management Address : 192.168.0.
Displaying LLDP Remote Port Information
Use the LLDP Remote Port/Trunk Information screen to display information about devices connected directly to the switch’s ports which are advertising information through LLDP.
Field Attributes
• Local Port – The local port to which a remote LLDP-capable device is attached.
• Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
Displaying LLDP Remote Information Details
Use the LLDP Remote Information Details screen to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
Field Attributes
• Local Port – The local port to which a remote LLDP-capable device is attached.
• Chassis Type – Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent.
Web – Click LLDP, Remote Information Details. Select an interface from the drop-down lists, and click Query.
Figure 3-127 LLDP Remote Information Details
CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
Displaying Device Statistics
Use the LLDP Device Statistics screen to display general statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
Field Attributes
General Statistics on Remote Devices
• Neighbor Entries List Last Updated – The time the LLDP neighbor entry list was last updated.
• New Neighbor Entries Count – The number of LLDP neighbors for which the remote TTL has not yet expired.
CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.
switch#show lldp info statistics
LLDP Device Statistics
 Neighbor Entries List Last Updated
 New Neighbor Entries Count
 Neighbor Entries Deleted Count
 Neighbor Entries Dropped Count
 Neighbor Entries Ageout Count
Interface
---------
Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
. . .
Web – Click LLDP, Device Statistics Details.
Figure 3-129 LLDP Device Statistics Details
CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.
Class of Service Configuration
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 3-130 Port Priority Configuration
CLI – This example assigns a default priority of 5 to port 3.
Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using four egress queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 3-131 Traffic Classes
CLI – The following example shows how to change the CoS assignments.
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight for each queue.
Command Usage
• Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
Setting the Service Weight for Traffic Classes
This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-230, the traffic classes are mapped to one of the four egress queues provided for each port.
Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
This switch supports one method of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (TOS) octet or the number of the TCP port. If the priority bits are used, the TOS octet may contain six bits for Differentiated Services Code Point (DSCP) service.
CLI – The following example globally enables DSCP Priority service on the switch.
Console(config)#map ip dscp
Console(config)#end
Console#show map ip dscp
DSCP Mapping Status: Enabled
 DSCP COS
 ---- ---
    0   1
    1   0
    2   0
    3   0
 . . .
Mapping DSCP Priority
The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors.
Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.
Figure 3-135 Mapping IP DSCP Priority Values
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
Quality of Service
The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
Configuring a Class Map
A class map is used for matching packets to a specified class.
Command Usage
• To configure a Class Map, follow these steps:
- Open the Class Map page, and click Add Class.
- When the Class Configuration page opens, fill in the “Class Name” field, and click Add.
• VLAN – A VLAN. (Range: 1-4094)
• Add – Adds specified criteria to the class. Up to 16 items are permitted per class.
• Remove – Deletes the selected criteria from the class.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
CLI – This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.
Console(config)#class-map rd_class match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.
Command Usage
• To configure a Policy Map, follow these steps:
- Create a Class Map as described on page 3-238.
Policy Configuration
• Policy Name – Name of policy map. (Range: 1-16 characters)
• Description – A brief description of a policy map. (Range: 1-64 characters)
• Add – Adds the specified policy.
• Back – Returns to the previous page without making any changes.
Policy Rule Settings - Class Settings
• Class Name – Name of class map.
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
VoIP Traffic Configuration
When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation can provide higher voice quality by preventing excessive packet delays, packet loss, and jitter. This is best achieved by assigning all VoIP traffic to a single Voice VLAN. The use of a Voice VLAN has several advantages.
Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, and set the Voice VLAN Aging Time. Click Apply.
Figure 3-139 Configuring VoIP Traffic
CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
• 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “Link Layer Discovery Protocol” on page 3-214 for more information on LLDP.
• Priority – Defines a CoS priority for port traffic on the Voice VLAN.
CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status.
Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Layer 2 IGMP (Snooping and Query)
IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-251) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic. When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports.
Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-257).
Configuring IGMP Snooping and Query Parameters
You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
• IGMP Report Delay – Sets the time the switch waits after receiving an IGMP Report for an IP multicast address on a port before it sends an IGMP Query out of that port and removes the entry from its list. (Range: 5-25 seconds; Default: 10)
• IGMP Query Timeout – The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Command Attributes
• VLAN ID – VLAN Identifier. (Range: 1-4094)
• Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled)
Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.
Figure 3-143 IGMP Immediate Leave
CLI – This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status.
Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.
Figure 3-144 Displaying Multicast Router Port Information
CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.
Figure 3-145 Static Multicast Router Port Configuration
CLI – This example configures port 1 as a multicast router port within VLAN 1.
Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.
Figure 3-146 IP Multicast Registration Table
CLI – This example displays all the known multicast services supported on VLAN 1, along with the ports propagating the corresponding services.
• Multicast IP – The IP address for a specific multicast service.
• Port or Trunk – Specifies the interface attached to a multicast router/switch.
Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
Configuring IGMP Filter Profiles
When you have created an IGMP profile number, you can then configure the multicast groups to filter and set the access mode.
Command Usage
• Each profile has only one access mode: either permit or deny.
• When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed.
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#range 239.1.2.3
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.200
Console(config-igmp-profile)#end
Console#show ip igmp profile 19
IGMP Profile 19
 permit
 range 239.1.2.
Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply.
Figure 3-150 IGMP Filter and Throttling Port Configuration
CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed.
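The IGMP filter profile and throttling behaviour described above (permit/deny access mode over a set of group ranges, then a per-port group limit with the deny or replace action), modelled as an added Python example that is not code from the guide; profile 19 and its two ranges follow the CLI example, while the IgmpProfile and IgmpPort names, the treatment of addresses outside a deny profile's range, and the sample join reports are assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IgmpProfile:
    """An IGMP filter profile: one access mode plus the multicast ranges it controls."""
    number: int
    mode: str = "deny"                 # each profile has exactly one access mode
    ranges: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in ("permit", "deny"):
            raise ValueError("access mode must be 'permit' or 'deny'")

    def add_range(self, start: str, end: Optional[str] = None):
        """Add a single group (start only) or an inclusive start-end range, as the CLI does."""
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end) if end else lo
        if not (lo.is_multicast and hi.is_multicast and lo <= hi):
            raise ValueError("range must be an ordered pair of multicast addresses")
        self.ranges.append((lo, hi))

    def covers(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        """permit: only groups inside the controlled range are processed;
        deny: groups inside the range are dropped (assumed: everything else passes)."""
        inside = self.covers(group)
        return inside if self.mode == "permit" else not inside


class IgmpPort:
    """Per-interface filtering and throttling state for incoming IGMP join reports."""

    def __init__(self, profile: Optional[IgmpProfile] = None, max_groups: Optional[int] = None,
                 action: str = "deny", rng: Optional[random.Random] = None):
        if action not in ("deny", "replace"):
            raise ValueError("throttling action must be 'deny' or 'replace'")
        self.profile, self.max_groups, self.action = profile, max_groups, action
        self.groups: list = []
        self.rng = rng or random.Random()

    def join(self, group: str) -> str:
        """Process one join report and report what the switch did with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                       # dropped by the profile before throttling
        if group in self.groups:
            return "already-member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"                  # limit reached: new join dropped
            victim = self.rng.choice(self.groups)   # replace: evict a random existing group
            self.groups.remove(victim)
            self.groups.append(group)
            return f"replaced {victim}"
        self.groups.append(group)
        return "joined"


if __name__ == "__main__":
    profile = IgmpProfile(19, "permit")
    profile.add_range("239.1.2.3")
    profile.add_range("239.2.3.1", "239.2.3.200")
    port = IgmpPort(profile, max_groups=2, action="deny")
    for g in ("239.1.2.3", "239.2.3.10", "239.2.3.11", "239.9.9.9"):   # constructed join reports
        print(f"join {g}: {port.join(g)}")
```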
Multicast VLAN Registration 3 Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
3 Configuring the Switch Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN. Command Usage IGMP snooping and MVR share a maximum number of 255 groups.
Multicast VLAN Registration 3 Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 3-151 MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses. Console(config)#ip igmp snooping Console(config)#mvr Console(config)#mvr group 228.1.23.
3 Configuring the Switch Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN. Field Attributes • Type – Shows the MVR port type. • Oper Status – Shows the link status. • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
Multicast VLAN Registration 3 Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. • Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN. Web – Click MVR, Group IP Information.
3 Configuring the Switch Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
- Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.) • Trunk – Shows whether the port is a trunk member. Web – Click MVR, Port or Trunk Configuration.
Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage • Any multicast groups that use the MVR VLAN must be statically assigned to it under the MVR Configuration menu (see “Configuring Global MVR Settings” on page 3-264). • The IP address range from 224.0.0.0 to 239.255.255.
Switch Clustering 3 Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network. Command Usage • A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster.
3 Configuring the Switch • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36. Note that you cannot change the cluster IP pool when the switch is currently in Commander mode. Commander mode must first be disabled. (Default: 10.254.254.
Switch Clustering 3 Web – Click Cluster, Member Configuration. Figure 3-158 Cluster Member Configuration CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID.
Web – Click Cluster, Member Information. Figure 3-159 Cluster Member Information

CLI – This example shows information about cluster Member switches.

Vty-0#show cluster members
Cluster Members:
ID: 1
Role: Active member
IP Address: 10.254.254.
CLI – This example shows information about cluster Candidate switches.
3 Configuring the Switch Using UPnP under Windows Vista – To access or manage the switch with the aid of UPnP under Windows Vista, open the Network and Sharing Center, and enable Network Discovery. Then click on the node representing your local network under the Network Sharing Center. An entry for the switch will appear in the list of discovered devices as shown below.
CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration. UPnP discovery is unauthenticated: any host on the local network can learn of the switch and its management address from these advertisements, so enable UPnP only where automatic discovery is actually needed.
Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch’s command-line interface (CLI) is very similar to entering commands on a UNIX system.
Telnet Connection Telnet runs over TCP/IP and carries the login name, password and the whole management session in clear text, so use it only where the path between the management station and the switch is trusted; the switch’s SSH server is the secure replacement for Telnet. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask 255.255.255.0, consists of a network portion (10.1.
Entering Commands 4 Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
4 Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  vlan        Virtual LAN settings
  voice       Shows the voice VLAN information
  web-auth    Shows web authentication configuration
Console#show

The command “show interfaces ?” will display the following information:

Console#show interfaces ?
  counters    Interface counters information
  status      Interface status information
  switchport  Interface switchport information
Console#show interfaces

Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial lett
current mode. The command classes and associated modes are displayed in the following table:

Table 4-1 Command Modes
Class          Mode
Exec           Normal
               Privileged
Configuration  Global*
               Access Control List
               Class Map
               Interface
               Line
               Multiple Spanning Tree
               Policy Map
               Server Group
               VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Entering Commands 4 Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
For example, you can use the following commands to enter interface configuration mode, and then return to Global Configuration mode (the end command returns directly to Privileged Exec mode from any configuration mode):

Console(config)#interface ethernet 1/5
. . .
Console(config-if)#exit
Console(config)#

Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
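The abbreviation rule above, together with the partial-keyword lookup described under “Showing Commands”, as an added Python example (not the switch’s own code): the keyword tree is a constructed subset of the keywords shown in this chapter with paraphrased descriptions, and returning None stands in for the error the switch prints for an unknown or ambiguous keyword.

```python
"""Abbreviation and partial-keyword lookup for an IOS-style CLI.

Added example (not the switch's own code). It models the two rules stated
in the text: matching is case-insensitive, and an abbreviation is accepted
whenever it is unique among the keywords available at that point. lookup()
is what terminating a partial keyword with '?' lists.
"""

from typing import Dict, List, Optional, Tuple

# Constructed keyword tree, keyed by the keywords typed so far. Only
# keywords that appear in this chapter are included; the descriptions are
# short paraphrases, not the switch's own help strings.
KEYWORDS: Dict[Tuple[str, ...], Dict[str, str]] = {
    (): {
        "configure": "Enter Global Configuration mode",
        "copy": "Copy a file between flash and a TFTP server",
        "delete": "Delete a file from flash",
        "dir": "List files in flash",
        "disable": "Return to Normal Exec mode",
        "disconnect": "Terminate an SSH, Telnet or console session",
        "exit": "Exit the configuration program",
        "quit": "Exit the configuration program",
        "show": "Show running system information",
    },
    ("show",): {
        "interfaces": "Interface information",
        "vlan": "Virtual LAN settings",
        "voice": "Shows the voice VLAN information",
        "web-auth": "Shows web authentication configuration",
    },
    ("show", "interfaces"): {
        "counters": "Interface counters information",
        "status": "Interface status information",
        "switchport": "Interface switchport information",
    },
}


def lookup(path: Tuple[str, ...], partial: str) -> List[str]:
    """Alternatives at `path` that begin with `partial` (what 'prefix?' lists)."""
    prefix = partial.lower()
    return sorted(k for k in KEYWORDS.get(path, {}) if k.startswith(prefix))


def resolve(path: Tuple[str, ...], partial: str) -> Optional[str]:
    """Expand one abbreviation; None if it is unknown or ambiguous.

    An exact keyword always wins, so a keyword is never blocked by a longer
    keyword that happens to share its spelling as a prefix.
    """
    matches = lookup(path, partial)
    if partial.lower() in matches:
        return partial.lower()
    return matches[0] if len(matches) == 1 else None


def expand_line(line: str) -> Optional[List[str]]:
    """Expand every keyword of an abbreviated command line.

    Words typed after the last keyword level (arguments such as
    'ethernet 1/5') are passed through unchanged. Returns None as soon as a
    keyword is ambiguous or unknown, the point at which the real CLI
    rejects the line.
    """
    path: Tuple[str, ...] = ()
    out: List[str] = []
    for word in line.split():
        if path not in KEYWORDS:
            out.append(word)          # argument, not a keyword
            continue
        keyword = resolve(path, word)
        if keyword is None:
            return None
        out.append(keyword)
        path = path + (keyword,)
    return out


if __name__ == "__main__":
    for cmd in ("sh int st ethernet 1/5", "SHOW V", "disa", "di"):
        print(f"{cmd!r:28} -> {expand_line(cmd)}")
    print("di? ->", lookup((), "di"))
```

Note that "di" is rejected although "dir", "disable" and "disconnect" all match: the switch needs "disa" or "disc" before the word is unique, which is why typing "di?" first is the safe habit on an unfamiliar build.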
Command Groups 4 Command Groups The system commands can be broken down into the functional groups shown below.
Table 4-4 Command Groups (Continued)
Command Group        Description                                                        Page
Multicast Filtering  Configures IGMP multicast filtering, query parameters, specifies   4-315
                     ports attached to a multicast router, and enables multicast VLAN
                     registration
IP Interface         Configures IP address for the switch                               4-338

The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (I
General Commands 4 enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-5. Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode.
Example

Console#disable
Console>

Related Commands enable (4-11)

configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. See “Understanding Command Modes” on page 4-5.
Example In this example, the show history command lists the contents of the command history buffer:

Console#show history
Execution command history:
 2 config
 1 show history

Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration m
4 Command Line Interface Command Usage This command resets the entire system. The switch will wait the designated amount of time before resetting. If a delayed reset has already been scheduled, then the newly configured reset will overwrite the original delay configuration. The configured delay time cannot exceed 24 days (576 hours, or 34560 minutes). If no time is specified, then the switch will reboot immediately.
Command Mode Global Configuration Example

Console(config)#prompt RD2
RD2(config)#

end This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
4 Command Line Interface quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program.
Table 4-6 System Management Commands (Continued)
Command Group   Function                                     Page
Web Server      Enables management access via a web browser  4-118
Telnet Server   Enables management access via Telnet         4-121
Secure Shell    Provides secure replacement for Telnet       4-122

Device Designation Commands

Table 4-7 Device Designation Commands
Command    Function                                      Mode  Page
prompt     Customizes the prompt used in PE and NE mode  GC    4-14
hostname   Specifies the host name for the switch        GC    4-
Banner Information Commands These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as contact information for the network administrator and system manager. This information is only available via the CLI and is automatically displayed before login as soon as a console or Telnet connection has been established. Because the banner is shown before authentication, everything entered here is readable by anyone who can open a console or Telnet session to the switch; limit the circuit, location and contact details to what the people who will see the banner actually need.
System Management Commands 4 Command Usage The administrator can batch-input all details for the switch with one command. When the administrator finishes typing the company name and presses the enter key, the script prompts for the next piece of information, and so on, until all information has been entered. Pressing enter without inputting information at any prompt during the script’s operation will leave the field empty.
4 Command Line Interface Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure company command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
banner configure department This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure department dept-name no banner configure department dept-name - The name of the department. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces.
4 Command Line Interface Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
System Management Commands 4 banner configure ip-lan This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure ip-lan ip-mask no banner configure ip-lan ip-mask - The IP address and subnet mask of the device. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces.
4 Command Line Interface Example Console(config)#banner configure lp-number 12 Console(config)# banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
System Management Commands 4 banner configure mux This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure mux muxinfo no banner configure mux muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces.
4 Command Line Interface Command Usage Input strings cannot contain spaces. The banner configure note command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
System Management Commands 4 System Status Commands This section describes commands used to display system information.
- Spanning tree settings
- Interface settings
- Any configured settings for the console port and Telnet

Example

Console#show startup-config
building startup-config, please wait...
!00
!01_00-16-b6-f0-6f-fd_00
!
phymap 00-16-b6-f0-6f-fd
!
sntp server 0.0.0.0 0.0.0.0 0.0.0.
System Management Commands 4 show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes.
Example

Console#show startup-config
building startup-config, please wait...
!00
!01_00-16-b6-f0-6f-fd_00
!
phymap 00-16-b6-f0-6f-fd
!
sntp server 0.0.0.0 0.0.0.0 0.0.0.
System Management Commands 4 show system This command displays system information. Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12. • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example Console#show system System Description: 24 Fast Ethernet + 2 Giga + 2 ComboG L2/L4 PoE Standalone switch System OID String: 1.3.6.
Example

Console#show users
Username accounts:
  Username Privilege Public-Key
  -------- --------- ----------
  admin    15        None
  guest    0         None
  steve    15        RSA

Online users:
  Line       Username Idle time (h:m:s) Remote IP addr.
  ---------- -------- ----------------- ---------------
  0 console  admin    0:14:14           *
  1 VTY 0    admin    0:00:00           192.168.1.19
  2 SSH 1    steve    0:00:06           192.168.1.19

Web online users:
  Line   Remote IP addr Username Idle time (h:m:s)
  ------ -------------- -------- -----------------
  1 HTTP 192.
show memory This command shows the location and size of free system memory. Command Mode Privileged Exec Example

Console#show memory
FREE LIST:
Num Addr       Size
--- ---------- ----------
1   0x7176640  1024
2   0x7176498  56
. . .
4 Command Line Interface ports. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields. • To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size.
copy This command copies (uploads or downloads) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection. TFTP itself provides no authentication, integrity check or encryption: a saved configuration file (which carries the switch’s password settings) can be read, and a firmware image or configuration file replaced, by anyone who can reach the server, and the switch has no way to tell. Run the TFTP server on an isolated management network and only for the duration of the transfer.
4 Command Line Interface • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. • For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” on page 3-79. For information on configuring the switch to use HTTPS for a secure connection, see “ip http secure-server” on page 4-119.
The following example shows how to download a configuration file:

Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

This example shows how to copy a secure-site certificate from a TFTP server.
4 Command Line Interface Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands dir (4-38) delete public-key (4-126) dir This command displays a list of files in flash memory.
Example The following example shows how to display all file information:

Console#dir
 File name                        File type       Startup Size (byte)
 -------------------------------- --------------- ------- -----------
Unit1:
 ES3528M-PoE_diag_V1.0.0.9.bix    Boot-Rom Image  Y       1384972
 ES3528M-PoE_opcode_1.1.0.11.bix  Operation Code  Y       3907180
 Factory_Default_Config.cfg       Config File     N       455
 startup1.
Command Mode Global Configuration Command Usage • A colon (:) is required after the specified unit number and file type. • If the file contains an error, it cannot be set as the default file. Example

Console(config)#boot system config: startup
Console(config)#

Related Commands dir (4-38) whichboot (4-39)

Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial port.
System Management Commands 4 line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line. Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
4 Command Line Interface Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. - login local selects authentication via the user name and password specified by the username command (i.e., default setting).
System Management Commands 4 number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
4 Command Line Interface Related Commands silent-time (4-45) exec-timeout (4-14) exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds.
System Management Commands 4 Default Setting The default value is three attempts. Command Mode Line Configuration Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down. • This command applies to both the local console and Telnet connections.
4 Command Line Interface databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. • 8 - Eight data bits per character. Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.
System Management Commands 4 Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
4 Command Line Interface Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection.
Command Mode Normal Exec, Privileged Exec Example To show all lines, enter this command:

Console#show line
Console configuration:
 Password threshold: 3 times
 Interactive timeout: Disabled
 Login timeout: Disabled
 Silent time: Disabled
 Baudrate: 9600
 Databits: 8
 Parity: none
 Stopbits: 1
VTY configuration:
 Password threshold: 3 times
 Interactive timeout: 600 sec
 Login timeout: 300 sec
console#

Event Logging Commands This section describes commands used to configure event logging
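A check a practitioner might run over this output, as an added Python example that is not part of the guide: it parses the show line display above and reports the protective settings this section describes (password threshold, silent time, the interactive and login timeouts) whenever they are Disabled. The embedded sample is a copy of the output above; the finding texts are this example’s own wording.

```python
"""Audit of 'show line' output for disabled line protections.

Added example, not part of the guide. SAMPLE_SHOW_LINE is a constructed
copy of the 'show line' output in this section; CHECKS names the settings
the section presents as protections and says why 'Disabled' matters.
"""

from typing import Dict, List, Tuple

# Constructed copy of the 'show line' output shown above.
SAMPLE_SHOW_LINE = """\
Console#show line
Console configuration:
 Password threshold: 3 times
 Interactive timeout: Disabled
 Login timeout: Disabled
 Silent time: Disabled
 Baudrate: 9600
 Databits: 8
 Parity: none
 Stopbits: 1
VTY configuration:
 Password threshold: 3 times
 Interactive timeout: 600 sec
 Login timeout: 300 sec
console#
"""

# Setting name as printed by 'show line' -> why a value of 'Disabled' matters.
CHECKS: Dict[str, str] = {
    "Password threshold": "wrong passwords are accepted without limit on this line",
    "Silent time": "no quiet period follows the password threshold, so guessing resumes at once (set silent-time)",
    "Interactive timeout": "an idle authenticated session is never closed (set exec-timeout)",
    "Login timeout": "a connection may sit at the login prompt indefinitely",
}


def parse_show_line(text: str) -> Dict[str, Dict[str, str]]:
    """Split 'show line' output into {line_type: {setting: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("configuration:"):
            # "Console configuration:" -> "Console", "VTY configuration:" -> "VTY"
            current = line[: -len("configuration:")].strip()
            sections[current] = {}
            continue
        if current is None or ":" not in line:
            continue                  # prompt lines and anything unrelated
        key, _, value = line.partition(":")
        sections[current][key.strip()] = value.strip()
    return sections


def audit(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(line_type, setting, reason) for every protective setting that is Disabled.

    A setting a line type does not print (the VTY block above has no
    'Silent time' row) is skipped rather than reported, because the guide
    does not say what the switch does in that case.
    """
    findings: List[Tuple[str, str, str]] = []
    for line_type, settings in sections.items():
        for setting, reason in CHECKS.items():
            value = settings.get(setting)
            if value is not None and value.lower() == "disabled":
                findings.append((line_type, setting, reason))
    return findings


if __name__ == "__main__":
    for line_type, setting, reason in audit(parse_show_line(SAMPLE_SHOW_LINE)):
        print(f"{line_type}: {setting} is Disabled: {reason}")
```

On the sample above the console line produces three findings and the VTY line none, which matches what the text implies: the console has a password threshold but nothing to back it up, while the VTY line at least times out idle and unfinished logins.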
4 Command Line Interface Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
Default Setting Flash: errors (level 3 - 0) RAM: debugging (level 7 - 0) Command Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. Example

Console(config)#logging history ram 0
Console(config)#

logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
4 Command Line Interface Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
System Management Commands 4 Example Console(config)#logging trap 4 Console(config)# clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Example The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0).
System Management Commands 4 show log This command displays the system and event messages stored in memory. Syntax show log {flash | ram} [login] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). • login - Shows the login record only.
4 Command Line Interface SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
logging sendmail level This command sets the severity threshold used to trigger alert messages. Syntax logging sendmail level level level - One of the system message levels (page 4-50). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7) Default Setting Level 7 Command Mode Global Configuration Command Usage The specified level indicates an event threshold. All events at this level or more severe (that is, with a numerically lower level, down to 0) will be sent to the configured email recipients.
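To make the level arithmetic concrete, an added Python example (not the switch’s code) that computes and decodes the RFC 3164 PRI value from the facility (default 23) and the message severity, and applies the thresholds of logging history, logging trap and logging sendmail level to decide where a message is delivered; the flash/RAM ordering rule from logging history is enforced when the configuration is built. Threshold values come from this section’s defaults and the logging trap 4 example; the syslog lines and their message texts are constructed.

```python
"""Severity thresholds and the RFC 3164 PRI field used by the switch's logging.

Added example, not part of the guide. pri()/split_pri() cover the facility
value set with 'logging facility' (default 23, local7); LoggingConfig
applies the thresholds of 'logging history flash', 'logging history ram',
'logging trap' and 'logging sendmail level'. Defaults follow this section
(flash 3, RAM 7, sendmail 7); trap 4 is the 'logging trap 4' example.
SAMPLE_LINES are constructed, not captured from a switch.
"""

import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# RFC 3164 severity codes; 0 is the most severe.
SEVERITY_NAMES: Dict[int, str] = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}


def pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, as sent in the '<PRI>' header field."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def split_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): (facility, severity)."""
    if not 0 <= value <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(value, 8)


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(line: str) -> Tuple[int, int, str]:
    """(facility, severity, remainder) from a '<PRI>...' syslog line."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field")
    facility, severity = split_pri(int(m.group(1)))
    return facility, severity, m.group(2)


@dataclass(frozen=True)
class LoggingConfig:
    """A message reaches a destination when its severity <= that threshold."""
    flash_level: int = 3      # logging history flash (default: errors)
    ram_level: int = 7        # logging history ram (default: debugging)
    trap_level: int = 4       # logging trap 4, from the example above
    sendmail_level: int = 7   # logging sendmail level (default)

    def __post_init__(self) -> None:
        for level in (self.flash_level, self.ram_level, self.trap_level, self.sendmail_level):
            if not 0 <= level <= 7:
                raise ValueError("levels are 0-7")
        # Rule from 'logging history': flash must be at least as selective as RAM.
        if self.flash_level > self.ram_level:
            raise ValueError("flash level must not be numerically higher than the RAM level")

    def route(self, severity: int) -> Set[str]:
        """Destinations for one message of the given severity."""
        thresholds = {
            "flash": self.flash_level, "ram": self.ram_level,
            "syslog": self.trap_level, "email": self.sendmail_level,
        }
        return {dest for dest, level in thresholds.items() if severity <= level}

    def deliver(self, line: str) -> Tuple[str, Set[str]]:
        """Severity name and destinations for a raw syslog line."""
        _, severity, _ = parse_syslog(line)
        return SEVERITY_NAMES[severity], self.route(severity)


# Constructed lines as a collector would receive them from a switch using
# facility 23: PRI 187 = 23*8+3 (error), 188 = warning, 190 = informational.
SAMPLE_LINES: List[str] = [
    "<187>Jan  1 00:00:01 switch-1 link down on port 1/5",
    "<188>Jan  1 00:00:02 switch-1 login failed for admin from 192.168.1.19",
    "<190>Jan  1 00:00:03 switch-1 user admin logged in from 192.168.1.19",
]


if __name__ == "__main__":
    cfg = LoggingConfig()
    for line in SAMPLE_LINES:
        print(cfg.deliver(line), line)
```

With these thresholds a failed login (warning, PRI 188) reaches RAM, the syslog server and email but not flash, so it is gone after a reboot; an audit that relies on flash history needs logging history flash raised to at least level 4.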
logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax [no] logging sendmail destination-email email-address email-address - The email address of a recipient of alert messages. (Range: 1-41 characters) Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
Example

Console#show logging sendmail
SMTP servers
-----------------------------------------------
1. 192.168.1.200

SMTP minimum severity level: 4

SMTP destination email addresses
-----------------------------------------------
1. geoff@samsung.com

SMTP source email address: john@samsung.com

SMTP status: Enabled
Console#

Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
Table 4-19 Time Commands (Continued)
Command                       Function                                                 Mode    Page
clock summertime (recurring)  Configures summer time (daylight savings time) for the   GC      4-70
                              switch’s internal clock
calendar set                  Sets the system date and time                            PE      4-72
show calendar                 Displays the current date and time setting               NE, PE  4-72

sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command.
sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP). (Range: 1-3 addresses) Default Setting None Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode.
4 Command Line Interface Example Console(config)#sntp poll 60 Console(config)# Related Commands sntp client (4-60) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
System Management Commands 4 • This command enables client time requests to time servers specified via the ntp servers command. It issues time synchronization requests based on the interval set via the ntp poll command. • SNTP and NTP clients cannot both be enabled at the same time. Example Console(config)#ntp client Console(config)# Related Commands sntp client (4-60) ntp poll (4-64) ntp server (4-63) ntp server This command sets the IP addresses of the servers to which NTP time requests are issued.
Example

Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.4.22 version 2
Console(config)#ntp server 192.168.5.23 version 3 key 19
Console(config)#

Related Commands ntp client (4-62) ntp poll (4-64) show ntp (4-66)

ntp poll This command sets the interval between sending time requests when the switch is set to NTP client mode. Use the no form to restore to the default.
System Management Commands 4 Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
Example

Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#

Related Commands ntp authenticate (4-64)

show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e.
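What ntp authentication-key and “ntp server … key” actually put on the wire, as an added Python example that is not part of the guide or of the switch firmware: it builds an NTPv3 client request, appends the symmetric-key MD5 MAC of RFC 5905 (a 4-byte key identifier followed by MD5 over the key prepended to the 48-byte header), and shows the server-side check rejecting a wrong key, an unknown key identifier, a tampered packet and an unauthenticated packet. The key table mirrors the authentication-key 45 example above; the transmit timestamp is constructed.

```python
"""Symmetric-key MD5 authentication of NTP packets (RFC 5905).

Added example, not part of the guide or the switch firmware. The MAC is the
4-byte key identifier followed by MD5(key || 48-byte header); the key bytes
are the ASCII key string, as for an 'ntp authentication-key N md5 <key>'
setting. TRUSTED_KEYS mirrors the authentication-key 45 example above.
"""

import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                 # NTP header without the MAC
MAC_LEN = 4 + 16                # key identifier + MD5 digest

# Key table matching 'ntp authentication-key 45 md5 thisiskey45' above.
TRUSTED_KEYS: Dict[int, bytes] = {45: b"thisiskey45"}


def build_request(version: int = 3, transmit_time: Optional[float] = None) -> bytes:
    """48-byte client (mode 3) request with only the transmit timestamp set."""
    if transmit_time is None:
        transmit_time = time.time()
    pkt = bytearray(HEADER_LEN)
    pkt[0] = (0 << 6) | (version << 3) | 3          # LI=0, VN, mode 3 (client)
    seconds = int(transmit_time) + NTP_EPOCH_OFFSET
    fraction = int((transmit_time - int(transmit_time)) * 2**32)
    struct.pack_into("!II", pkt, 40, seconds, fraction)
    return bytes(pkt)


def md5_mac(key: bytes, packet: bytes) -> bytes:
    """MD5(key || header): the keyed-prefix digest NTP uses, not an HMAC."""
    return hashlib.md5(key + packet[:HEADER_LEN]).digest()


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the 20-byte MAC (key id, MD5 digest) to an unauthenticated header."""
    header = packet[:HEADER_LEN]
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def verify(packet: bytes, keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Receiver-side check: accept only a packet whose MAC matches a trusted key."""
    if len(packet) == HEADER_LEN:
        return False, "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "bad length"
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    expected = md5_mac(key, packet)
    # Constant-time comparison so a wrong digest cannot be probed byte by byte.
    if not hmac.compare_digest(expected, packet[HEADER_LEN + 4:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    request = build_request(transmit_time=1_234_567_890.5)   # constructed time
    print(verify(sign(request, 45, b"thisiskey45"), TRUSTED_KEYS))
    print(verify(sign(request, 45, b"wrong"), TRUSTED_KEYS))
    print(verify(sign(request, 19, b"x"), TRUSTED_KEYS))
    print(verify(request, TRUSTED_KEYS))
```

Two points follow directly from the code. The key never appears in the packet, only its identifier, so both sides must already hold the same key under the same number; that is the manual distribution the text requires. And the MAC only proves that the sender holds the key: it does not hide the packet, and MD5 is what this switch offers, so the key should be treated as a shared secret of the same sensitivity as a password.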
System Management Commands 4 clock timezone-predefined This command uses predefined time zone configurations to set the time zone for the switch’s internal clock. Use the no form to restore the default. Syntax clock timezone-predefined offset-city no clock timezone-predefined • offset - Select the offset from GMT. (Range: GMT-0100 - GMT-1200; GMT-Greenwich-Mean-Time; GMT+0100 - GMT+1400) • city - Select the city associated with the chosen GMT offset.
4 Command Line Interface Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
System Management Commands 4 • e-minute - The minute summer-time will end. (Range: 0-59 minutes) • offset - Summer-time offset from the regular time zone, in minutes. (Range: 0-99 minutes) Default Setting Disabled Command Mode Global Configuration Command Usage • In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
Command Usage
• In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
• This command sets the summer-time time relative to the configured time zone.
• b-hour - The hour when summer-time will begin. (Range: 0-23 hours)
• b-minute - The minute when summer-time will begin. (Range: 0-59 minutes)
• e-week - The week of the month when summer-time will end. (Range: 1-5)
• e-day - The day of the week summer-time will end. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday)
• e-month - The month when summer-time will end.
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.

Syntax
calendar set hour min sec {day month year | month day year}
• hour - Hour in 24-hour format. (Range: 0-23)
• min - Minute. (Range: 0-59)
• sec - Second. (Range: 0-59)
• day - Day of month.
Switch Cluster Commands
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
Command Usage
• To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
• Switch clusters are limited to the same Ethernet broadcast domain.
cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.

Syntax
cluster ip-pool ip-address
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start with 10.x.x.x.

Default Setting
10.254.254.1

Command Mode
Global Configuration

Command Usage
• An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster.
Command Usage
• The maximum number of cluster Members is 36.
• The maximum number of switch Candidates is 100.

Example
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#

rcommand
This command provides access to a cluster Member CLI for configuration.

Syntax
rcommand id member-id
member-id - The ID number of the Member switch.
show cluster members
This command shows the current switch cluster members.

Command Mode
Privileged Exec

Example
Console#show cluster members
Cluster Members:
ID: 1
Role: Active member
IP Address: 10.254.254.2
MAC Address: 00-12-cf-23-49-c0
Description: Ubigate iES4024GP Switch
Console#

show cluster candidates
This command shows the discovered Candidate switches in the network.
upnp device
This command enables UPnP on the device. Use the no form to disable UPnP.

Syntax
[no] upnp device

Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
You must enable UPnP before you can configure timeout settings for the sending of UPnP messages.

Example
In the following example, UPnP is enabled on the device.
Example
In the following example, the TTL is set to 6.
Console(config)#upnp device ttl 6
Console(config)#

upnp device advertise duration
This command sets the duration for which a device will advertise its presence on the local network.

Syntax
upnp device advertise duration value
value - A timeout value expressed in seconds.
Debug Commands

Table 4-22 Debug Commands
Command              Function                                     Mode  Page
debug spanning-tree  Configures debug settings for spanning tree  PE    4-80

debug spanning-tree
This command configures debug settings for spanning tree processes. Use the no form to disable debug mode for spanning tree.

Syntax
[no] debug spanning-tree [all | bpdu | events | root]
• all - Sets debugging for all options (config, bpdu, events, root).
• bpdu - Sets debugging for spanning-tree BPDUs.
SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
Example
Console(config)#snmp-server
Console(config)#

show snmp
This command can be used to check the status of SNMP communications.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
snmp-server community
This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string.

Syntax
snmp-server community string [ro|rw]
no snmp-server community string
• string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5)
• ro - Specifies read-only access.
Related Commands
snmp-server location (4-84)

snmp-server location
This command sets the system location string. Use the no form to remove the location string.

Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location.
snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.

Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv}} [udp-port port]]
no snmp-server host host-addr
• host-addr - Internet address of the host (the targeted recipient).
command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
• Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled.
• Notifications are issued by the switch as trap messages by default.
Related Commands
snmp-server enable traps (4-87)

snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.

Syntax
[no] snmp-server enable traps [authentication | link-up-down]
• authentication - Keyword to issue authentication failure notifications.
• link-up-down - Keyword to issue link-up or link-down notifications.
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.

Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
• local - Specifies the SNMP engine on this switch.
• remote - Specifies an SNMP engine on a remote device.
• ip-address - The Internet address of the remote device.
• engineid-string - String identifying the engine ID.
Related Commands
snmp-server host (4-85)

show snmp engine-id
This command shows the SNMP engine ID.

Command Mode
Privileged Exec

Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1

Remote SNMP engineID            IP address
80000000030004e2b316c54321      192.168.1.19
Console#

Table 4-24 show snmp engine-id - display description
Field                Description
Local SNMP engineID  String identifying the engine ID.
Command Usage
• Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
• The predefined view “defaultview” includes access to the entire MIB tree.

Examples
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#

This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
Console(config)#snmp-server view ifEntry.2 1.
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.

Syntax
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
• groupname - Name of an SNMP group. (Range: 1-32 characters)
• v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
show snmp group
Four default groups are provided: SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Table 4-26 show snmp group - display description
Field           Description
groupname       Name of an SNMP group.
security model  The SNMP version.
readview        The associated read view.
writeview       The associated write view.
notifyview      The associated notify view.
storage-type    The storage type for this entry.
Row Status      The row status of this entry.

snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View.
Command Usage
• The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
• Before you configure a remote user, use the snmp-server engine-id command (page 4-88) to specify the engine ID for the remote device where the user resides.
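The reason the engine ID must be fixed first is the RFC 3414 key derivation: the switch never stores the password, only a key localized to one engine ID, so changing the engine ID afterwards invalidates every SNMPv3 user. The following script is an added illustration, not code from the switch or the manual; it reproduces the RFC 3414 derivation and uses the engine IDs from the show snmp engine-id example above as inputs.

```python
import hashlib

# RFC 3414 A.2: the password is stretched to 1 MiB by repetition and hashed
# once (Ku), then localized to one engine by hashing it again together with
# that engine's ID (Kul). The agent stores only Kul, which is why the engine
# ID must be settled before "snmp-server user" is issued.
ONE_MEBIBYTE = 1_048_576


def password_to_ku(password: str, hash_name: str = "md5") -> bytes:
    """Return Ku, the engine-independent key derived from the password."""
    pw = password.encode("ascii")
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEBIBYTE, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])  # exactly 1,048,576 bytes, password cycled
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Return Kul = H(Ku || engineID || Ku), the key bound to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, hash_name: str = "md5") -> str:
    """Password -> Kul as hex; the engine ID is the hex string the CLI displays."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name).hex()


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector (password "maplesyrup", 12-byte engine ID)
    print(localized_key("maplesyrup", "000000000000000000000002"))
    # Same password localized to the local and remote engine IDs shown in the
    # manual's "show snmp engine-id" example: two engines, two different keys.
    print(localized_key("maplesyrup", "8000002a8000000000e8666672"))
    print(localized_key("maplesyrup", "80000000030004e2b316c54321"))
```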
Authentication Commands

Table 4-27 show snmp user - display description
Field                    Description
EngineId                 String identifying the engine ID.
User Name                Name of user connecting to the SNMP agent.
Authentication Protocol  The authentication protocol used with SNMPv3.
Privacy Protocol         The privacy protocol used with SNMPv3.
Storage Type             The storage type for this entry.
Row Status               The row status of this entry.
SNMP remote user         A user associated with an SNMP engine on a remote device.
username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.

Syntax
username name {access-level level | nopassword | password {0 | 7} password}
no username name
• name - The name of the user. (Maximum length: 8 characters, case sensitive.
Example
This example shows how to set the access level and password for a user.
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#

enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Related Commands
username - for setting the local user names and passwords (4-96)

authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-11). Use the no form to restore the default.

Syntax
authentication enable {[local] [radius] [tacacs]}
no authentication enable
• local - Use local password only.
• radius - Use RADIUS server password only.
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.
Command Mode
Global Configuration

Example
Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green
Console(config)#

radius-server auth-port
This command sets the RADIUS server network port for authentication messages. Use the no form to restore the default.

Syntax
radius-server auth-port port_number
no radius-server auth-port
port_number - RADIUS server UDP port used for authentication messages.
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.

Syntax
radius-server key key_string
no radius-server key
key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
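What the key actually does on the wire is defined by RFC 2865: it is never sent, but it seeds the MD5 stream that hides User-Password in the Access-Request and the Response Authenticator the switch checks on the server's reply, so a mismatched key on either side fails every logon. The script below is an added example, not code from the switch; the secret "green" and password "smith" are taken from the manual's own examples, and the Request Authenticator is a constructed placeholder (a real client draws it randomly).

```python
import hashlib

# RFC 2865 5.2: User-Password is hidden 16 bytes at a time. Block 1 is XORed
# with MD5(secret || Request Authenticator); each later block with
# MD5(secret || previous ciphertext block). The secret is the radius-server key.
BLOCK = 16
MAX_PASSWORD = 128


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: build the User-Password attribute value for an Access-Request."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > MAX_PASSWORD:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    if not padded:          # an empty password still occupies one block
        padded = b"\x00" * BLOCK
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + BLOCK], keystream)
        out += c
        prev = c            # chaining: the next block keys off this ciphertext
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: recover the password (NUL padding stripped)."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("User-Password length must be a non-zero multiple of 16")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret). The switch
    recomputes this over an Access-Accept/Reject; a wrong key fails the check."""
    length = 20 + len(attributes)          # fixed header is 20 octets
    return hashlib.md5(bytes([code, identifier]) + length.to_bytes(2, "big")
                       + request_auth + attributes + secret).digest()


if __name__ == "__main__":
    ra = bytes(range(16))                  # constructed, not random
    hidden = hide_user_password(b"smith", b"green", ra)
    print(hidden.hex())
    print(reveal_user_password(hidden, b"green", ra))   # b'smith'
    print(reveal_user_password(hidden, b"wrong", ra))   # garbage: key mismatch
```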
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.

Syntax
radius-server timeout number_of_seconds
no radius-server timeout
number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
 Communication Key with RADIUS Server:
 Auth-Port: 1812
 Acct-port: 1813
 Retransmit Times: 2
 Request Timeout: 5
Server 1:
 Server IP Address: 10.1.2.
tacacs-server host
This command specifies a TACACS+ server. Use the no form to restore the default.

Syntax
[no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key]
• index - Specifies the index number of the server. (Range: 1)
• host_ip_address - IP address of the server.
• port_number - The TACACS+ server TCP port used for authentication messages.
Example
Console(config)#tacacs-server port 181
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.

Syntax
tacacs-server key key_string
no tacacs-server key
key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
tacacs-server timeout
This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default.

Syntax
tacacs-server timeout number_of_seconds
no tacacs-server timeout
number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
show tacacs-server
This command displays the current settings for the TACACS+ server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show tacacs-server
Remote TACACS+ server configuration:
Global Settings:
 Communication Key with TACACS+ Server:
 Server Port Number: 49
 Retransmit Times : 2
 Request Times : 5
Server 1:
 Server IP address: 192.168.1.
AAA Commands
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#

server
This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group.

Syntax
[no] server {index | ip-address}
• index - Specifies a server index and the sequence to use for the group. (Range: RADIUS 1-5, TACACS+ 1)
• ip-address - Specifies the host IP address of a server.
aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.

Syntax
aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting dot1x {default | method-name}
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.
aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.

Syntax
aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting exec {default | method-name}
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.
aaa accounting commands
This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.

Syntax
aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group}
no aaa accounting commands level {default | method-name}
• level - The privilege level for executing commands. (Range: 0-15)
• default - Specifies the default accounting method for service requests.
aaa accounting update
This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.

Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#

accounting exec
This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line.

Syntax
accounting exec {default | list-name}
no accounting exec
• default - Specifies the default method list created with the aaa accounting exec command (page 4-112).
Command Mode
Line Configuration

Example
Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#

aaa authorization exec
This command enables authorization for Exec access. Use the no form to disable the authorization service.

Syntax
aaa authorization exec {default | method-name} group {tacacs+ | server-group}
no aaa authorization exec {default | method-name}
• default - Specifies the default authorization method for Exec access.
authorization exec
This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line.

Syntax
authorization exec {default | list-name}
no authorization exec
• default - Specifies the default method list created with the aaa authorization exec command (page 4-116).
• list-name - Specifies a method list created with the aaa authorization exec command.
Command Mode
Privileged Exec

Example
Console#show accounting
Accounting type: dot1x
 Method list: default
 Group list: radius
 Interface:

 Method list: tps
 Group list: radius
 Interface: eth 1/2

Accounting type: Exec
 Method list: default
 Group list: radius
 Interface: vty
Console#

Web Server Commands
This section describes commands used to configure web browser management access to the switch.
Example
Console(config)#ip http port 769
Console(config)#

Related Commands
ip http server (4-119)

ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
• When you start HTTPS, the connection is established in this way:
 - The client authenticates the server using the server’s digital certificate.
 - The client and server negotiate a set of security protocols to use for the connection.
 - The client and server generate session keys for encrypting and decrypting data.
• The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.
Command Usage
• You cannot configure the HTTP and HTTPS servers to use the same port.
Secure Shell Commands
This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.

Note: The switch supports both SSH Version 1.5 and 2.0.
Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:
10.1.0.
d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
e. The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.

Authenticating SSH v2 Clients
a.
Related Commands
ip ssh crypto host-key generate (4-127)
show ssh (4-129)

ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.

Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds - The timeout for client response during SSH negotiation.
Command Mode
Global Configuration

Example
Console(config)#ip ssh authentication-retries 2
Console(config)#

Related Commands
show ip ssh (4-128)

ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.

Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size - The size of the server key.
Example
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).

Syntax
ip ssh crypto host-key generate [dsa | rsa]
• dsa - DSA (Version 2) key type.
• rsa - RSA (Version 1) key type.

Default Setting
Generates both the DSA and RSA key pairs.

Command Mode
Privileged Exec

Command Usage
• This command stores the host key pair in memory (i.e., RAM).
Command Mode
Privileged Exec

Command Usage
• This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
• The SSH server must be disabled before you can execute this command.
Example
Console#show ip ssh
SSH Enabled - version 1.99
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#

show ssh
This command displays the current SSH server connections.

Command Mode
Privileged Exec

Example
Console#show ssh
Connection  Version  State
0           2.
show public-key
This command shows the public key for the specified user or for the host.

Syntax
show public-key [user [username] | host]
username - Name of an SSH user. (Range: 1-8 characters)

Default Setting
Shows all public keys.

Command Mode
Privileged Exec

Command Usage
• If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).

Table 4-39 802.1X Port Authentication
Command                    Function                               Mode  Page
dot1x system-auth-control  Enables dot1x globally on the switch.
dot1x default
This command sets all configurable dot1x global and port settings to their default values.

Command Mode
Global Configuration

Example
Console(config)#dot1x default
Console(config)#

dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
Default Setting
force-authorized

Command Mode
Interface Configuration

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#

dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.

Syntax
dot1x re-authenticate [interface]
interface
• ethernet unit/port
 - unit - Stack unit. (Range: 1)
 - port - Port number. (Range: 1-28)

Command Mode
Privileged Exec

Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#

Related Commands
dot1x timeout re-authperiod (4-135)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.

Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#

show dot1x
This command shows general port authentication related settings on the switch or a specific interface.

Syntax
show dot1x [statistics] [interface interface]
• statistics - Displays dot1x status for each port.
• interface
 • ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.
- max-req - Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-132).
- Status - Authorization status (authorized or not).
- Operation Mode - Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port.
- Max Count - The maximum number of hosts allowed to access this port (page 4-133).
- Port-control
- Supplicant
- Current Identifier
- Intrusion action
Example
Console#show dot1x
Global 802.1X Parameters
 system-auth-control: enable

802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        enabled   Single-Host     auto             yes
. . .
1/24       disabled  Single-Host     ForceAuthorized  n/a

802.1X Port Details
802.1X is disabled on port 1/1
802.
Management IP Filter Commands
This section describes commands used to configure IP management access to the switch.
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console(config)#

show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this section.
Port Security Commands
These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port once it has reached the configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Command Usage
• If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
• Use the port security command to enable security on a port.
Table 4-43 Network Access (Continued)
Command                              Function                                                                        Mode  Page
network-access dynamic-vlan          Enables dynamic VLAN assignment from a RADIUS server                            IC    4-147
network-access guest-vlan            Specifies the guest VLAN                                                        IC    4-148
mac-authentication reauth-time       Sets the time period after which a connected MAC address must be re-authenticated  GC    4-149
mac-authentication intrusion-action  Determines the port response when a connected host fails MAC authentication.    IC
network-access mode
Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication.

Syntax
[no] network-access mode mac-authentication

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
• When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server.
network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.

Syntax
network-access max-mac-count count
no network-access max-mac-count
count - The maximum number of authenticated MAC addresses allowed.
have the same VLAN configuration, or they are treated as an authentication failure.
• If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the authentication is still treated as a success, and the host is assigned to the default untagged VLAN.
• When the dynamic VLAN assignment status is changed on a port, all authenticated addresses are cleared from the secure MAC address table.
General Security Measures 4 mac-authentication reauth-time Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value. Syntax mac-authentication reauth-time seconds no mac-authentication reauth-time seconds - The reauthentication time period.
4 Command Line Interface mac-authentication max-mac-count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via 802.1X authentication or MAC authentication. Use the no form of this command to restore the default. Syntax mac-authentication max-mac-count count no mac-authentication max-mac-count count - The maximum number of 802.1X and MAC-authenticated MAC addresses allowed.
General Security Measures 4 show network-access Use this command to display the MAC authentication settings for port interfaces. Syntax show network-access [interface interface] • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28) Default Setting Displays the settings for all interfaces.
4 Command Line Interface Default Setting Displays all filters. Command Mode Privileged Exec Command Usage When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
Table 4-44 Web Authentication (Continued)
Command                          Function                                                                                    Mode  Page
web-auth system-auth-control     Enables web authentication globally for the switch                                          GC    4-154
web-auth                         Enables web authentication for an interface                                                 IC    4-155
web-auth re-authenticate (Port)  Ends all web authentication sessions on the port and forces the users to re-authenticate   PE    4-155
web-auth re-authenticate (IP)    Ends the web authentication session associated with the designated IP and forces the

Default Setting
60 seconds
Command Mode
Global Configuration
Example
Console(config)#web-auth quiet-period 120
Console(config)#

web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session-timeout has been reached, the host is logged off and must re-authenticate itself the next time data is transmitted. Use the no form to restore the default.

Example
Console(config)#web-auth system-auth-control
Console(config)#

web-auth
This command enables web authentication for a port. Use the no form to restore the default.
Syntax
[no] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.

web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
• interface - Specifies a port interface.
• ethernet unit/port
  - unit - This is unit 1.
  - port - Port number.

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
show web-auth interface interface
• interface - Specifies a port interface.
• ethernet unit/port
  - unit - This is unit 1.
  - port - Port number. (Range: 1-28)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The session timeout displayed by this command is expressed in seconds.

show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
Command Mode
Privileged Exec
Example
Console#show web-auth summary
Global Web-Auth Parameters
  System Auth Control
Port   Status
--------
1/ 1   Disabled
1/ 2   Enabled
1/ 3   Disabled
1/ 4   Disabled
1/ 5   Disabled
. . .
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.

MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header.
  * If the DHCP packet is not a recognizable type, it is dropped.
  - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.

packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command (page 4-161).
• When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.

• Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
Example
This example sets port 5 to untrusted.

ip dhcp snooping information option
This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function.
Syntax
[no] ip dhcp snooping information option
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.

ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.
Syntax
ip dhcp snooping information policy {drop | keep | replace}
• drop - Drops the client’s request packet instead of relaying it.
• keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
clear ip dhcp snooping database flash
This command removes all dynamically learned snooping entries from flash memory.
Command Mode
Privileged Exec
Example
Console#clear ip dhcp snooping database flash
Console#

show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
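As an added example (not from the guide), the following Python models the DHCP snooping decisions described above: filtering only on untrusted ports of snooping-enabled VLANs, MAC address verification, dropping unrecognizable types, relaying accepted client packets to the trusted ports of the same VLAN, and the Option 82 policy. The packets and configuration are constructed; dropping server replies on untrusted ports, inserting Option 82 when the information option is enabled, and the meaning of replace are assumptions, since this page does not show them.

```python
# Added example (not from the ES3528M-PoE guide): a model of the per-packet
# decisions described for DHCP snooping: filtering only on untrusted ports of
# snooping-enabled VLANs, MAC address verification (chaddr must equal the
# Ethernet source MAC), dropping unrecognizable types, forwarding accepted
# client packets only to trusted ports of the same VLAN, and the Option 82
# policy {drop | keep | replace}.
from dataclasses import dataclass, field, replace as dc_replace
from typing import Optional

CLIENT_TYPES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_TYPES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpPacket:
    msg_type: str          # DHCP message type, e.g. "DISCOVER"
    vlan: int
    in_port: str           # ingress port, e.g. "Eth 1/5"
    eth_src: str           # source MAC in the Ethernet header
    chaddr: str            # client hardware address inside the DHCP payload
    option82: Optional[dict] = None


@dataclass
class SnoopingConfig:
    enabled: bool = False                             # ip dhcp snooping
    vlans: set = field(default_factory=set)           # ip dhcp snooping vlan
    trusted: set = field(default_factory=set)         # ip dhcp snooping trust
    verify_mac: bool = False                          # MAC address verification
    info_option: bool = False                         # ip dhcp snooping information option
    info_policy: str = "replace"                      # ip dhcp snooping information policy
    switch_id: str = "switch-mac-placeholder"         # identity placed in Option 82 (placeholder)


def snoop(cfg: SnoopingConfig, pkt: DhcpPacket, vlan_ports: dict):
    """Decide what the switch does with one DHCP packet.

    Returns (verdict, egress_ports, packet). verdict is:
      "bypass"  - snooping does not apply (globally off, VLAN not enabled,
                  or trusted ingress port); normal forwarding continues
      "drop"    - packet discarded by snooping
      "forward" - client packet relayed to the trusted ports of its VLAN
    vlan_ports maps VLAN id -> set of member ports.
    """
    # VLAN settings take no effect while snooping is globally disabled, and
    # filtering is only performed on untrusted ports within the VLAN.
    if not cfg.enabled or pkt.vlan not in cfg.vlans or pkt.in_port in cfg.trusted:
        return "bypass", None, pkt

    if pkt.msg_type not in CLIENT_TYPES | SERVER_TYPES:
        return "drop", None, pkt            # not a recognizable type
    if pkt.msg_type in SERVER_TYPES:
        # Assumption (standard DHCP snooping behaviour, not shown on this page):
        # server replies arriving on an untrusted port are discarded.
        return "drop", None, pkt

    if cfg.verify_mac and pkt.chaddr.lower() != pkt.eth_src.lower():
        return "drop", None, pkt            # MAC address verification failed

    out = pkt
    relay_info = {"switch": cfg.switch_id, "port": pkt.in_port}
    if pkt.option82 is not None:
        if cfg.info_policy == "drop":
            return "drop", None, pkt        # client request already carries Option 82
        if cfg.info_policy == "replace":
            # Assumption: "replace" overwrites the client's Option 82 with this
            # switch's own relay information.
            out = dc_replace(pkt, option82=relay_info)
        # "keep": retain the client's Option 82 unchanged
    elif cfg.info_option:
        # Assumption: with the information option enabled, the switch inserts
        # its own Option 82 into client requests that carry none.
        out = dc_replace(pkt, option82=relay_info)

    egress = cfg.trusted & vlan_ports.get(pkt.vlan, set())
    return "forward", egress, out


def demo_config() -> SnoopingConfig:
    """Constructed configuration: snooping on VLAN 1, uplink Eth 1/25 trusted."""
    return SnoopingConfig(enabled=True, vlans={1}, trusted={"Eth 1/25"},
                          verify_mac=True, info_option=True, info_policy="keep")


# Constructed VLAN membership: two access ports and the trusted uplink.
DEMO_VLAN_PORTS = {1: {"Eth 1/5", "Eth 1/6", "Eth 1/25"}}

if __name__ == "__main__":
    cfg = demo_config()
    good = DhcpPacket("DISCOVER", 1, "Eth 1/5", "00-00-01-02-03-04", "00-00-01-02-03-04")
    spoofed = dc_replace(good, chaddr="00-00-01-aa-bb-cc")   # chaddr != Ethernet source
    for p in (good, spoofed, dc_replace(good, msg_type="OFFER")):
        verdict, egress, _ = snoop(cfg, p, DEMO_VLAN_PORTS)
        print(p.msg_type, p.chaddr, "->", verdict, sorted(egress) if egress else "")
```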
IP Source Guard Commands
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping Commands” on page 4-158). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.

• When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
• Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.

ip source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
Syntax
ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port
no ip source-guard binding mac-address vlan vlan-id
• mac-address - A valid unicast MAC address.
• vlan-id - ID of a configured VLAN (Range: 1-4094)
• ip-address - A valid unicast IP address, including classful types A, B or C.
• unit - Stack unit.

Related Commands
ip source-guard (4-166)
ip dhcp snooping (4-159)
ip dhcp snooping vlan (4-160)

show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.
Command Mode
Privileged Exec
Example
Console#show ip source-guard
Interface  Filter-type
------------------
Eth 1/1    DISABLED
Eth 1/2    DISABLED
Eth 1/3    DISABLED
Eth 1/4    DISABLED
Eth 1/5    SIP
Eth 1/6    DISABLED
. . .
Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port. This section describes the Access Control List commands.

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl_name
• standard – Specifies an ACL that filters packets based on the source IP address.
• extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
• acl_name – Name of the ACL.

permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | source bitmask | host source}
• any – Any source IP address.
• source – Source IP address.
• bitmask – Decimal number representing the address bits to match.
• host – Keyword followed by a specific IP address.

permit, deny (Extended ACL)
This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.

Command Usage
• All new rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
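As an added worked example (not from the guide), this Python implements the “care”/“don't care” mask used by show mac-address-table, with the page's 00-00-01-02-03-04 / FF-FF-FF-00-00-00 case, and the standard-ACL address bitmask described above, checking rules in the order they were appended. The address-table entries and ACL rules are constructed, and returning None for a packet that matches no rule is an assumption, since this page does not state the default.

```python
# Added example (not from the ES3528M-PoE guide): the 1 = "care", 0 = "don't care"
# mask used by `show mac-address-table address <mac> <mask>` and by the
# `{permit | deny} <source> <bitmask>` rules of a standard IP ACL.
# Both reduce to the same test:  candidate & mask == reference & mask
import ipaddress


def parse_mac(text: str) -> int:
    """Convert 00-00-01-02-03-04 (or colon-separated form) into an integer."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text}")
    return int(digits, 16)


def mac_matches(candidate: str, reference: str, mask: str) -> bool:
    """True when candidate agrees with reference on every 'care' bit of mask."""
    m = parse_mac(mask)
    return parse_mac(candidate) & m == parse_mac(reference) & m


def filter_mac_table(entries, reference: str, mask: str):
    """Apply the show mac-address-table filter to (mac, vlan, port) tuples."""
    return [e for e in entries if mac_matches(e[0], reference, mask)]


def parse_rule(line: str):
    """Parse one standard-ACL rule as printed by `show ip access-list standard`:
    'permit any', 'permit host A.B.C.D' or 'permit A.B.C.D M.M.M.M' (or deny).
    Returns (action, masked_address, mask) with the two values as integers."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    action, rest = tokens[0], tokens[1:]
    if rest == ["any"]:
        addr, mask = 0, 0                               # every bit is "ignore"
    elif len(rest) == 2 and rest[0] == "host":
        addr, mask = int(ipaddress.IPv4Address(rest[1])), 0xFFFFFFFF
    elif len(rest) == 2:
        addr = int(ipaddress.IPv4Address(rest[0]))
        mask = int(ipaddress.IPv4Address(rest[1]))     # bitmask, not a prefix length
    else:
        raise ValueError(f"cannot parse rule: {line!r}")
    return action, addr & mask, mask


def evaluate_acl(rules, src_ip: str):
    """Return 'permit' or 'deny' from the first rule whose masked address equals
    the masked source IP, or None if no rule matches. Checking in list order
    follows the guide's note that new rules are appended to the end of the
    list; what happens to an unmatched packet is not stated on this page, so
    None is returned and the decision is left to the caller (assumption)."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, mask in rules:
        if src & mask == addr:
            return action
    return None


if __name__ == "__main__":
    # Constructed sample address-table entries (mac, vlan, port).
    table = [("00-00-01-02-03-04", 1, "Eth 1/1"),
             ("00-00-01-FF-FF-FF", 1, "Eth 1/2"),
             ("00-00-02-00-00-00", 1, "Eth 1/3")]
    for mac, vlan, port in filter_mac_table(table, "00-00-01-02-03-04", "FF-FF-FF-00-00-00"):
        print(f"{mac}  {vlan}  {port}")
    # Constructed ACL: a host exception first, then its subnet, then everything else.
    acl = [parse_rule(r) for r in ("deny host 10.1.1.21",
                                   "permit 10.1.1.0 255.255.255.0",
                                   "deny any")]
    for ip in ("10.1.1.21", "10.1.1.22", "192.0.2.9"):
        print(ip, evaluate_acl(acl, ip))
```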
Related Commands
access-list ip (4-171)

show ip access-list
This command displays the rules for configured IP ACLs.
Syntax
show ip access-list {standard | extended} [acl_name]
• standard – Specifies a standard IP ACL.
• extended – Specifies an extended IP ACL.
• acl_name – Name of the ACL. (Maximum length: 16 characters, no spaces)
Command Mode
Privileged Exec
Example
Console#show ip access-list standard
IP standard access-list david:
  permit host 10.1.1.21
  permit 168.92.0.

• If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
Example
Console(config)#int eth 1/25
Console(config-if)#ip access-group david in
Console(config-if)#
Related Commands
show ip access-list (4-175)

show ip access-group
This command shows the ports assigned to IP ACLs.

access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
Syntax
[no] access-list mac acl_name
acl_name – Name of the ACL. (Maximum length: 16 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.

• protocol – A specific Ethernet protocol number. (Range: 600-fff hex.)
• protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.)
Default Setting
None
Command Mode
MAC ACL
Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
• A detailed listing of Ethernet protocol types can be found in RFC 1060.

mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax
mac access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.

ACL Information
Table 4-50 ACL Information
Command            Function                               Mode  Page
show access-list   Show all ACLs and associated rules     PE    4-181
show access-group  Shows the ACLs assigned to each port   PE    4-181

show access-list
This command shows all ACLs and associated rules, as well as all the user-defined masks.
Command Mode
Privileged Exec
Example
Console#show access-list
IP standard access-list david:
  permit host 10.1.1.21
  permit 168.92.16.0 255.255.240.
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.

Default Setting
None
Command Mode
Global Configuration
Example
To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#

description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface.

Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.

Command Usage
• When auto-negotiation is enabled, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
• If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use auto-negotiation.

Command Usage
When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
Example
The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.

• Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
Example
The following example enables flow control on port 5.

giga-phy-mode
This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex. Use the no form to restore the default mode.
Syntax
giga-phy-mode mode
no giga-phy-mode
• master - Sets the selected port as master.
• slave - Sets the selected port as slave.
• auto-prefer-master - Uses master mode as the initial configuration setting regardless of the mode configured at the other end of the link.

shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons.

Command Usage
• When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.

Example
The following example clears statistics on port 5.
Console#clear counters ethernet 1/5
Console#

show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-28)
• port-channel channel-id (Range: 1-8)
• vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.

Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
 Basic information:
  Port type: 100TX
  Mac address: 00-12-CF-12-34-61
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full,
  Broadcast storm: Enabled
  Broadcast storm limit: 64 Kbits/second
  Multicast Storm: Disabled
  Multicast Storm Limit: 64 Kbits/second
  UnknownUnicast Storm: Disabled
  UnknownUnicast Storm Limit: 64 Kbits/second
  Flow control: Disabled
  LACP: Disable

Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 3-150.

Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
This example shows the configuration setting for port 24.

Table 4-52 Interfaces Switchport Statistics (Continued)
Field                          Description
Priority for Untagged Traffic  Indicates the default priority for untagged frames (page 4-277).
GVRP Status                    Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-242).
Allowed VLAN                   Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (page 4-251).
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.

Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP system priority.
• Ports must have the same port admin key (Ethernet Interface).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.

Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
• A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
• If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.

lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.

Default Setting
0
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.

• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group. Note that when the LAG is no longer used, the port channel admin key is reset to 0.
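As an added example (not from the guide), this Python models the membership rules and admin-key behaviour just described: a port joins a channel only if its LACP system priority and port admin key match the existing members and the channel key (when one is set), a null channel key takes the members' port admin key, and it resets to 0 when the LAG empties. Port names and key values are constructed.

```python
# Added example (not from the ES3528M-PoE guide): a model of the LAG membership
# rules and admin-key behaviour described for LACP. Members must share the
# LACP system priority and the port admin key, and must match the port channel
# admin key when one is configured; a channel key left at the null value 0
# takes the joining ports' admin key and returns to 0 when the LAG is empty.
from dataclasses import dataclass, field
from typing import List


@dataclass
class LacpPort:
    name: str                      # e.g. "Eth 1/1" (constructed)
    system_priority: int = 32768   # lacp actor system-priority
    admin_key: int = 0             # lacp admin key (Ethernet Interface)


@dataclass
class PortChannel:
    channel_id: int                # port-channel 1..8
    admin_key: int = 0             # lacp admin key (Port Channel); 0 = not set
    members: List[LacpPort] = field(default_factory=list)


def can_join(channel: PortChannel, port: LacpPort) -> bool:
    """Apply the three conditions: matching system priority, matching port
    admin key, and matching channel key if one is configured."""
    if channel.members:
        first = channel.members[0]
        if port.system_priority != first.system_priority:
            return False
        if port.admin_key != first.admin_key:
            return False
    if channel.admin_key != 0 and port.admin_key != channel.admin_key:
        return False
    return True


def join(channel: PortChannel, port: LacpPort) -> None:
    """Add a port to the channel, inheriting its key into a null channel key."""
    if not can_join(channel, port):
        raise ValueError(f"{port.name} cannot join port-channel {channel.channel_id}")
    channel.members.append(port)
    if channel.admin_key == 0:
        # Channel key was null: it is set to the port admin key of the members.
        channel.admin_key = port.admin_key


def leave(channel: PortChannel, port: LacpPort) -> None:
    """Remove a port; an emptied LAG has its channel admin key reset to 0."""
    channel.members.remove(port)
    if not channel.members:
        channel.admin_key = 0


def build_demo_lag() -> PortChannel:
    """Constructed scenario: two ports with admin key 3 form port-channel 1."""
    ch = PortChannel(channel_id=1)
    join(ch, LacpPort("Eth 1/1", admin_key=3))
    join(ch, LacpPort("Eth 1/2", admin_key=3))
    return ch


if __name__ == "__main__":
    ch = build_demo_lag()
    print("channel admin key after forming:", ch.admin_key)
    print("Eth 1/3 (key 4) can join:", can_join(ch, LacpPort("Eth 1/3", admin_key=4)))
    for p in list(ch.members):
        leave(ch, p)
    print("channel admin key when empty:", ch.admin_key)
```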
show lacp
This command displays LACP information.
Syntax
show lacp [port-channel] {counters | internal | neighbors | sysid}
• port-channel - Local identifier for a link aggregation group. (Range: 1-8)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for local side.
• neighbors - Configuration settings and operational state for remote side.
• sysid - Summary of system priority and MAC address for all channel groups.

Console#show lacp 1 internal
Port Channel : 1
------------------------------------------------------------------------
Oper Key : 4
Admin Key : 0
Eth 1/1
------------------------------------------------------------------------
LACPDUs Internal: 30 sec
LACP System Priority: 32768
LACP Port Priority: 32768
Admin Key: 3
Oper Key: 3
Admin State: defaulted, aggregation, long timeout, active
Oper State: distributing, collecting, synchronization, aggregation, long timeout, active
. . .

Console#show lacp 1 neighbors
Port channel 1 neighbors
------------------------------------------------------------------------
Eth 1/11
------------------------------------------------------------------------
Partner Admin System ID: 32768, 00-00-00-00-00-00
Partner Oper System ID: 32768, 00-16-B6-F0-71-3C
Partner Admin Port Number: 11
Partner Oper Port Number: 11
Port Admin Priority: 32768
Port Oper Priority: 32768
Admin Key: 0
Oper Key: 3
Admin State: defaulted, distributing, col

Console#show lacp sysid
Port Channel  System Priority  System MAC Address
------------------------------------------------------------------------
1             32768            00-13-F7-D3-7E-60
2             32768            00-13-F7-D3-7E-60
3             32768            00-13-F7-D3-7E-60
4             32768            00-13-F7-D3-7E-60
5             32768            00-13-F7-D3-7E-60
6             32768            00-13-F7-D3-7E-60
7             32768            00-13-F7-D3-7E-60
8             32768            00-13-F7-D3-7E-60
Console#

Table 4-57 show lacp sysid - display description
Field          Description
Channel group  A link aggregation group configu
power mainpower maximum allocation
This command defines a power budget for the switch (i.e., the power available to all switch ports). Use the no form to restore the default setting.
Syntax
power mainpower maximum allocation watts
watts - The power budget for the switch.

this switch can detect 802.3af compliant devices and the more recent 802.3af non-compliant devices that also reflect the test voltages back to the switch. It cannot detect other legacy devices that do not reflect back the test voltages.
• For legacy devices to be supported by this switch, they must be able to accept power over the data pairs connected to the 10/100BASE-TX ports.

power inline maximum allocation
This command limits the power allocated to specific ports. Use the no form to restore the default setting.
Syntax
power inline maximum allocation milliwatts
no power inline maximum allocation
milliwatts - The maximum power budget for the port. (Range: 3000 - 15400 milliwatts)

- If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is still turned on if the switch can drop power to one or more lower-priority ports and keep within its budget. Power will be dropped from low-priority ports in sequence starting from port number 1.

Table 4-59 show power inline status parameters
Parameter      Description
Admin          The power mode set on the port (see power inline on page 4-207)
Oper           The current operating power status (displays on or off)
Power (mWatt)  The maximum power allocated to this port (see power inline maximum allocation on page 4-208)
Power (used)   The current power consumption on the port in milliwatts
Priority       The port’s power priority setting (see power inline priority on page 4-208)

show power m
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
Table 4-61 Mirror Port Commands
Command            Function                                   Mode  Page
port monitor       Configures a mirror session                IC    4-211
show port monitor  Shows the configuration for a mirror port  PE    4-212

port monitor
This command configures a mirror session. Use the no form to clear a mirror session.

Example
The following example configures the switch to mirror received packets from port 6 to 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 rx
Console(config-if)#

show port monitor
This command displays mirror information.
Syntax
show port monitor [interface]
interface - ethernet unit/port (source port)
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-28)
Default Setting
Shows all sessions.

Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity.

Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.

Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics:
• Static addresses will not be removed from the address table when a given interface link is down.
• Static addresses are bound to the assigned interface and will not be moved.

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
• mac-address - MAC address.
• mask - Bits to match in the address.
• interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.

mac-address-table aging-time
This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
Syntax
mac-address-table aging-time seconds
no mac-address-table aging-time
seconds - Aging time. (Range: 10-30000 seconds; 0 to disable aging)
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
The aging time is used to age out dynamically learned forwarding information.
4 Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Spanning Tree Commands 4 Table 4-64 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree mst cost Configures the path cost of an instance in the MST IC 4-236 spanning-tree mst port-priority Configures the priority of an instance in the MST IC 4-237 spanning-tree protocol-migration Re-checks the appropriate BPDU format PE 4-237 show spanning-tree PE Shows spanning tree configuration for the common spanning tree (i.e.
4 Command Line Interface spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode • stp - Spanning Tree Protocol (IEEE 802.1D) • rstp - Rapid Spanning Tree Protocol (IEEE 802.1w) • mstp - Multiple Spanning Tree (IEEE 802.
Spanning Tree Commands 4 Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
4 Command Line Interface Command Mode Global Configuration Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (4-221) spanning-tree max-age (4-222) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Spanning Tree Commands 4 Related Commands spanning-tree forward-time (4-221) spanning-tree hello-time (4-221) spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge.
4 Command Line Interface Command Mode Global Configuration Command Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command, page 4-232). Example Console(config)#spanning-tree system-bpdu-flooding Console(config)# spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Spanning Tree Commands 4 Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs. Example Console(config)#spanning-tree transmission-limit 4 Console(config)# spanning-tree mst configuration This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. • The region name is set the switch’s MAC address.
4 Command Line Interface Command Mode MST Configuration Command Usage • Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Spanning Tree Commands 4 • You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384. Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree.
Command Usage
The MST region name (page 4-227) and revision number together designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can belong to only one MST region, and all bridges in the same region must be configured with the same MST instances.
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example disables the spanning tree algorithm for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost "0" is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
Table 4-67 Default STA Path Costs
Port Type | Link Type | IEEE 802.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, the lowest value) will be configured as an active link in the spanning tree.
• Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
Related Commands
spanning-tree portfast (4-232)

spanning-tree portfast
This command sets an interface to fast forwarding. Use the no form to disable fast forwarding.
Syntax
[no] spanning-tree portfast
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• This command is used to enable/disable the fast spanning-tree mode for the selected port.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• When enabled, BPDUs are flooded to all other ports on the switch, or to all other ports within the receiving port's native VLAN, as specified by the spanning-tree system-bpdu-flooding command (page 4-223).
• The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port by the spanning-tree port-bpdu-flooding command.
spanning-tree loopback-detection
This command enables the detection of, and response to, Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
Command Usage
• If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied:
- The port receives any BPDU other than its own, or
- The port's link status changes to link down and then link up again, or
- The port ceases to receive its own BPDUs within a forward delay interval.
spanning-tree mst cost
This command configures the path cost on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance_id cost cost
no spanning-tree mst instance_id cost
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
• cost - Path cost for an interface.
spanning-tree mst port-priority
This command configures the interface priority on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance_id port-priority priority
no spanning-tree mst instance_id port-priority
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
• priority - Priority for an interface.
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
Example
Console#show spanning-tree
Spanning-tree information
---------------------------------------------------------------
 Spanning tree mode:              MSTP
 Spanning tree enable/disable:    enable
 Instance:                        0
 Vlans configuration:             1-4092
 Priority:                        32768
 Bridge Hello Time (sec.):        2
 Bridge Max Age (sec.):           20
 Bridge Forward Delay (sec.):     15
 Root Hello Time (sec.):          2
 Root Max Age (sec.):             20
 Root Forward Delay (sec.):       15
 Max hops:                        20
 Remaining hops:                  20
 Designated Root:                 32768.0.
show spanning-tree mst configuration
This command shows the configuration of the multiple spanning tree.
VLAN Commands

GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
show bridge-ext
This command shows the configuration for bridge extension commands.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
See "Displaying Basic VLAN Information" on page 3-188 and "Displaying Bridge Extension Capabilities" on page 3-16 for a description of the displayed items.
show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
• interface
 • ethernet unit/port
 - unit - Stack unit. (Range: 1)
 - port - Port number. (Range: 1-28)
 • port-channel channel-id (Range: 1-8)
Default Setting
Shows both global and interface-specific configuration.
Command Usage
• Generic Attribute Registration Protocol (GARP) is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration/deregistration.
• Timer values are applied to GVRP for all the ports on all VLANs.
Related Commands
garp timer (4-243)

Editing VLAN Groups
Table 4-70 Editing VLAN Groups
Command        Function                                                    Mode  Page
vlan database  Enters VLAN database mode to add, change, and delete VLANs  GC    4-245
vlan           Configures a VLAN, including VID, name and state            VC    4-246

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}]
no vlan vlan-id [name | state]
• vlan-id - ID of configured VLAN. (Range: 1-4092, no leading zeroes)
• name - Keyword to be followed by the VLAN name.
 - vlan-name - ASCII string from 1 to 32 characters.
• media ethernet - Ethernet media type.
• state - Keyword to be followed by the VLAN state.
Configuring VLAN Interfaces
Table 4-71 Configuring VLAN Interfaces
Command                            Function                                                  Mode  Page
interface vlan                     Enters interface configuration mode for a specified VLAN  GC    4-247
switchport mode                    Configures VLAN membership mode for an interface          IC    4-248
switchport acceptable-frame-types  Configures frame types to be accepted by an interface     IC    4-248
switchport ingress-filtering       Enables ingress filtering on an interface                 IC    4-249
switchport native vlan             Configures the PVID (n
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode {access | hybrid | trunk | private-vlan}
no switchport mode
• access - Specifies an access VLAN interface. The port transmits and receives untagged frames only.
• hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
• trunk - Specifies a port as an end-point for a VLAN trunk.
Default Setting
All frame types
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
Example
The following example shows how to select port 1 and then enable ingress filtering:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#

switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
Syntax
switchport native vlan vlan-id
no switchport native vlan
• vlan-id - Default VLAN ID for a port.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
• add vlan-list - List of VLAN identifiers to add.
• remove vlan-list - List of VLAN identifiers to remove.
• vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
• add vlan-list - List of VLAN identifiers to add.
• remove vlan-list - List of VLAN identifiers to remove.
• vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. Do not enter leading zeros.
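The switchport allowed vlan and switchport forbidden vlan commands share one vlan-list grammar: comma-separated IDs with no spaces, hyphenated ranges, no leading zeros, and IDs inside the range the vlan command accepts (1-4092). The parser and port model below are an added example written for this guide, not Accton/Edge-Core code. The SwitchPort class, its method names, the rule that a forbidden VLAN cannot later be added, and treating the PVID as an untagged member are assumptions made for illustration. It computes a port's effective membership and lists the VLANs that leave the port untagged, which is what an auditor checking trunk ports for native-VLAN exposure wants to see.

```python
"""vlan-list parser and per-port VLAN membership model for the
'switchport allowed vlan' / 'switchport forbidden vlan' commands.
Added example for this guide, not Accton/Edge-Core code."""
import re

VLAN_MIN, VLAN_MAX = 1, 4092   # the range the 'vlan' command accepts on this switch

_VLAN_LIST = re.compile(r"[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*")

def parse_vlan_list(text):
    """Return the set of VLAN IDs named by a vlan-list such as '1,10-12,4092'.
    Commas without spaces separate items, a hyphen marks a range, and leading
    zeros are rejected, as the command reference requires; a typo therefore
    fails loudly instead of silently widening a trunk."""
    if not _VLAN_LIST.fullmatch(text):
        raise ValueError(f"malformed vlan-list: {text!r}")
    vlans = set()
    for item in text.split(","):
        ends = item.split("-")
        for p in ends:
            if len(p) > 1 and p.startswith("0"):
                raise ValueError(f"leading zero in VLAN id {p!r}")
        lo, hi = int(ends[0]), int(ends[-1])
        if lo > hi:
            raise ValueError(f"descending range {item!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"{item!r} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans

class SwitchPort:
    """One interface's VLAN settings (class and method names are assumptions
    made for this example)."""
    def __init__(self, name, mode="hybrid", native_vlan=1):
        self.name, self.mode, self.native_vlan = name, mode, native_vlan
        self.tagged, self.untagged, self.forbidden = set(), set(), set()

    def allow(self, vlan_list, tagging="tagged"):
        """switchport allowed vlan add <vlan-list> [tagged | untagged].
        Assumption: a VLAN on the forbidden list cannot be added."""
        vlans = parse_vlan_list(vlan_list) - self.forbidden
        if tagging == "tagged":
            self.tagged |= vlans; self.untagged -= vlans
        else:
            self.untagged |= vlans; self.tagged -= vlans

    def disallow(self, vlan_list):
        """switchport allowed vlan remove <vlan-list>"""
        vlans = parse_vlan_list(vlan_list)
        self.tagged -= vlans; self.untagged -= vlans

    def forbid(self, vlan_list):
        """switchport forbidden vlan add <vlan-list>: also drops current membership."""
        vlans = parse_vlan_list(vlan_list)
        self.forbidden |= vlans
        self.tagged -= vlans; self.untagged -= vlans

    def member_vlans(self):
        return self.tagged | self.untagged

    def untagged_egress(self):
        """VLANs whose frames leave this port without an 802.1Q tag: the
        untagged members plus the PVID (assumed to be carried untagged). On a
        trunk these are the VLANs exposed to a host that relies on native-VLAN
        behaviour, so an audit lists them per uplink."""
        return self.untagged | {self.native_vlan}
```

The parser rejects "1, 2", "01" and "4093" rather than guessing, so a configuration generator built on it cannot emit a vlan-list the switch would interpret differently from what the operator typed.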
Displaying VLAN Information
Table 4-72 Show VLAN Commands
Command                      Function                                                            Mode    Page
show vlan                    Shows VLAN information                                              NE, PE  4-253
show interfaces status vlan  Displays status for the specified VLAN interface                    NE, PE  4-191
show interfaces switchport   Displays the administrative and operational status of an interface  NE, PE  4-193

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider's network even when they use the same customer-specific VLAN IDs.
reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports.

dot1q-tunnel system-tunnel-control
This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.
Syntax
[no] dot1q-tunnel system-tunnel-control
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
• When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained as the inner tag, and the service provider's tag is added as the outer tag.
• When a tunnel uplink port receives a packet from the service provider, the outer service provider tag is stripped off, and the packet is passed on to the VLAN indicated by the inner tag.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel tpid 9100
Console(config-if)#
Related Commands
show interfaces switchport (4-193)

show dot1q-tunnel
This command displays information about QinQ tunnel ports.
Configuring Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual client sessions. Traffic belonging to each client is isolated to the allocated downlink ports.
Command Usage
• When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
Command Usage
• A port cannot be configured in both an uplink and downlink list.
• A port can only be assigned to one traffic-segmentation session.
• A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
• If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
pvlan up-to-up
This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Use the no form to restore the default.
Syntax
[no] pvlan up-to-up {blocking | forwarding}
• blocking - Blocks traffic between uplink ports assigned to different sessions.
• forwarding - Forwards traffic between uplink ports assigned to different sessions.
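The forwarding rules spelled out in the Command Usage notes above (one role and one session per port, downlinks reach only an uplink of their own session, and pvlan up-to-up deciding uplink-to-uplink traffic across sessions) are easy to misread when planning a multi-tenant access layer. The model below is an added example written for this guide, not the switch firmware. Two behaviours the guide does not state are marked as assumptions in the code: that uplinks of the same session may forward to each other, and that an uplink forwards to ports outside any session (the guide only says such uplinks "operate as normal ports").

```python
"""Forwarding decision for port-based traffic segmentation as described for
the pvlan commands. Added example for this guide, not the switch firmware."""

class TrafficSegmentation:
    def __init__(self, up_to_up="blocking"):
        # pvlan up-to-up {blocking | forwarding}
        if up_to_up not in ("blocking", "forwarding"):
            raise ValueError("pvlan up-to-up takes blocking or forwarding")
        self.up_to_up = up_to_up
        self.role = {}   # port -> (role, session); one role and one session per port

    def assign(self, session, uplinks=(), downlinks=()):
        """Assign uplink and downlink ports to a traffic-segmentation session,
        enforcing the two list rules from the command reference."""
        if set(uplinks) & set(downlinks):
            raise ValueError("a port cannot be in both the uplink and downlink list")
        for role, ports in (("uplink", uplinks), ("downlink", downlinks)):
            for p in ports:
                if p in self.role:
                    raise ValueError(f"{p} is already assigned as {self.role[p]}")
                self.role[p] = (role, session)

    def forwards(self, src, dst):
        """True if a frame entering src may be forwarded out dst."""
        if src == dst:
            return False
        s, d = self.role.get(src), self.role.get(dst)
        if s is None and d is None:
            return True                      # neither port is segmented: normal switching
        if s is None or d is None:
            # A downlink talks only to an uplink of its own session, so it never
            # reaches an unsegmented port. Assumption: an uplink behaves as a
            # normal port toward unsegmented ports.
            return (s or d)[0] == "uplink"
        (s_role, s_sess), (d_role, d_sess) = s, d
        if "downlink" in (s_role, d_role):
            # downlink <-> uplink of the same session only; downlink <-> downlink never
            return {s_role, d_role} == {"uplink", "downlink"} and s_sess == d_sess
        if s_sess == d_sess:
            return True                      # assumption: uplinks of one session are not isolated
        return self.up_to_up == "forwarding"  # uplinks of different sessions: pvlan up-to-up

    def matrix(self, ports):
        """Forwarding table for the given ports, one row per ingress port."""
        return {a: {b: self.forwards(a, b) for b in ports} for a in ports}
```

Running matrix() over all segmented ports before deploying a tenant layout shows at a glance whether any two downlinks can reach each other, which is the isolation property the feature exists to provide.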
Configuring Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/secondary associated groups, and stand-alone isolated VLANs.
4. Use the switchport private-vlan host-association command to assign a port to a secondary VLAN.
5. Use the switchport private-vlan mapping command to assign a port to a primary VLAN.
6. Use the show vlan private-vlan command to verify your configuration settings.

private-vlan
Use this command to create a primary or community private VLAN. Use the no form to remove the specified private VLAN.
private-vlan association
Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.
Syntax
private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id}
no private-vlan primary-vlan-id association
• primary-vlan-id - ID of primary VLAN. (Range: 1-4094, no leading zeroes)
• secondary-vlan-id - ID of secondary (i.e., community) VLAN.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command.
• To assign a promiscuous port or host port to an isolated VLAN, use the switchport private-vlan isolated command.
switchport private-vlan mapping
Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping.
Syntax
switchport private-vlan mapping primary-vlan-id
no switchport private-vlan mapping
• primary-vlan-id - ID of primary VLAN. (Range: 1-4094, no leading zeroes)
Example
Console#show vlan private-vlan
Primary  Secondary  Type       Interfaces
-------  ---------  ---------  ------------------
5                   primary    Eth1/ 3
5        6          community  Eth1/ 4 Eth1/ 5
Console#

Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
protocol-vlan protocol-group (Configuring Groups)
This command creates a protocol group, or adds specific protocols to a group. Only one frame type and protocol type can be added to a protocol group. Use the no form to remove a protocol group.
Syntax
protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
no protocol-vlan protocol-group group-id
• group-id - Group identifier of this protocol group.
Command Usage
• When creating a protocol-based VLAN, do not assign interfaces to the protocol VLAN via any of the standard VLAN commands. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-246), the switch will admit traffic of any protocol type into the associated VLAN.
• A maximum of 20 protocol VLAN groups can be defined on the switch.
show protocol-vlan protocol-group-vid
This command shows the mapping from protocol groups to VLANs.
Syntax
show protocol-vlan protocol-group-vid
Default Setting
The mapping for all protocol groups is displayed.
voice vlan
This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
Syntax
voice vlan voice-vlan-id
no voice vlan
• voice-vlan-id - Specifies the voice VLAN ID. (Range: 1-4094)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic.
Default Setting
1440 minutes
Command Mode
Global Configuration
Command Usage
The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.
Example
The following example configures the Voice VLAN aging time as 3000 minutes.
Console(config)#voice vlan aging 3000
Console(config)#

voice vlan mac-address
This command specifies MAC address ranges to add to the OUI Telephony list.
• Selecting a mask of FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets). Other masks restrict the MAC address range. Selecting FF-FF-FF-FF-FF-FF specifies a single MAC address.
Example
The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone
Console(config)#

switchport voice vlan
This command specifies the Voice VLAN mode for ports.
switchport voice vlan rule
This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port.
Syntax
[no] switchport voice vlan rule {oui | lldp}
• oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address.
• lldp - Uses LLDP to discover VoIP devices attached to the port.
Command Usage
• Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP, which discovers VoIP devices attached to the switch. Packets received from non-VoIP sources are dropped.
• When enabled, be sure the MAC address ranges for VoIP devices are configured in the Telephony OUI list (voice vlan mac-address, page 4-272).
• A source MAC address is set by the attached device and can be forged, so OUI-based identification keeps misconfigured hosts out of the voice VLAN but is not an authentication control. Where the voice VLAN must be protected from hostile hosts, combine it with 802.1X port authentication.
show voice vlan
This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
Syntax
show voice vlan {oui | status}
• oui - Displays the OUI Telephony list.
• status - Displays the global and port Voice VLAN settings.
LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic multicast advertisements to announce information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
Table 4-79 LLDP Commands (Continued)
Command                     Function                                                                     Mode  Page
lldp basic-tlv system-name  Configures an LLDP-enabled port to advertise its system name                 IC    4-287
lldp dot1-tlv proto-ident*  Configures an LLDP-enabled port to advertise the supported protocols         IC    4-287
lldp dot1-tlv proto-vid*    Configures an LLDP-enabled port to advertise port related VLAN information   IC    4-288
lldp dot1-tlv pvid*         Configures an LLDP-enabled port to advertise its default VLAN ID             IC    4-288
ll
lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Syntax
[no] lldp
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting. The TTL placed in each advertisement is the transmit interval (lldp refresh-interval) multiplied by this value, so a neighbor keeps the learned entry for that many seconds after the last advertisement it received.
lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
Syntax
lldp med-fast-start-count packets
• packets - Number of packets. (Range: 1-10 packets; Default: 4 packets)
Default Setting
4 packets
Command Mode
Global Configuration
Command Usage
The med-fast-start-count parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port.
notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Example
Console(config)#lldp notification-interval 30
Console(config)#

lldp refresh-interval
This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
Command Mode
Global Configuration
Command Usage
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Example
Console(config)#lldp reinit-delay 10
Console(config)#

lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
• rx-only - Only receive LLDP PDUs.
• tx-only - Only transmit LLDP PDUs.
• tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp notification
Console(config-if)#

lldp mednotification
This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications.
lldp basic-tlv management-ip-address
This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
Syntax
[no] lldp basic-tlv management-ip-address
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The management address protocol packet includes the IPv4 address of the switch.
• Because this TLV is enabled by default on every port, any host attached to an edge port learns the switch's management address. On ports facing untrusted hosts, consider the no form so the management interface is not advertised to them.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software. Since this string identifies the exact software version running on the switch, disabling it on ports facing untrusted hosts limits what an attacker on that port can learn.
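The TLV layout introduced at the start of this section, the TTL computed from lldp refresh-interval and lldp holdtime-multiplier, and the management-address and system-description TLVs that the lldp basic-tlv commands switch on and off, can all be seen on the wire with a small encoder and decoder. The code below is an added example written for this guide, not Accton/Edge-Core code. The chassis and port ID subtypes (4 for a MAC address, 5 for an interface name), the IPv4 address family code 1 and ifIndex numbering subtype 2 are the standard IEEE 802.1AB values; the sample chassis MAC, port name, system name and management IP are constructed for the example.

```python
"""Minimal LLDPDU encoder/decoder in the Type-Length-Value layout of IEEE 802.1AB,
showing what the lldp basic-tlv commands put on the wire.
Added example for this guide, not Accton/Edge-Core code."""
import struct
from ipaddress import IPv4Address

END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)

def tlv(tlv_type, value):
    """TLV header: 7-bit type and 9-bit length packed into two bytes, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def ttl_seconds(refresh_interval, holdtime_multiplier):
    """TTL carried in the TTL TLV: transmit interval times hold multiplier, 16-bit capped."""
    return min(65535, refresh_interval * holdtime_multiplier)

def management_address_tlv(ipv4, if_index):
    addr = IPv4Address(ipv4).packed
    value = (bytes([len(addr) + 1, 1]) + addr            # address string length, family IPv4, address
             + bytes([2]) + struct.pack("!I", if_index)   # ifIndex numbering, interface number
             + bytes([0]))                                # OID string length: none
    return tlv(MGMT_ADDR, value)

def build_lldpdu(chassis_mac, port_name, refresh_interval=30, holdtime_multiplier=4,
                 port_desc=None, sys_name=None, sys_desc=None, mgmt_ip=None, if_index=1):
    """Mandatory TLVs first; each optional argument models one 'lldp basic-tlv ...'
    setting, with None standing for the no form."""
    mac = bytes.fromhex(chassis_mac.replace("-", "").replace(":", ""))
    pdu = tlv(CHASSIS_ID, bytes([4]) + mac)
    pdu += tlv(PORT_ID, bytes([5]) + port_name.encode())
    pdu += tlv(TTL, struct.pack("!H", ttl_seconds(refresh_interval, holdtime_multiplier)))
    if port_desc is not None:
        pdu += tlv(PORT_DESC, port_desc.encode())
    if sys_name is not None:
        pdu += tlv(SYS_NAME, sys_name.encode())
    if sys_desc is not None:
        pdu += tlv(SYS_DESC, sys_desc.encode())
    if mgmt_ip is not None:
        pdu += management_address_tlv(mgmt_ip, if_index)
    return pdu + tlv(END, b"")

def parse_lldpdu(data):
    """Return [(type, value)] up to and including the End TLV; reject truncated frames."""
    tlvs, off = [], 0
    while off + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, off)
        t, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("truncated TLV")
        tlvs.append((t, data[off:off + length]))
        off += length
        if t == END:
            return tlvs
    raise ValueError("missing End of LLDPDU TLV")

def disclosed(data):
    """What a neighbour, or anyone on the port, learns from one advertisement."""
    out = {}
    for t, v in parse_lldpdu(data):
        if t == TTL:
            out["ttl"] = struct.unpack("!H", v)[0]
        elif t == SYS_NAME:
            out["system-name"] = v.decode()
        elif t == SYS_DESC:
            out["system-description"] = v.decode()
        elif t == MGMT_ADDR and v[1] == 1:
            out["management-ip"] = str(IPv4Address(v[2:2 + v[0] - 1]))
    return out
```

With the defaults shown later by show lldp config (transmit interval 30, hold time multiplier 4) the TTL is 120 seconds; building the same PDU with sys_desc and mgmt_ip set to None is what the no forms of the two commands achieve for an edge port.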
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the protocols that are accessible through this interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-ident
Console(config-if)#

lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port related VLAN information. Use the no form to disable this feature.
Command Usage
The port's default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "switchport native vlan" on page 4-250).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv pvid
Console(config-if)#

lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
Command Usage
This option advertises link aggregation capabilities, the aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv link-agg
Console(config-if)#

lldp dot3-tlv mac-phy
This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature.
Command Usage
Refer to "Frame Size Commands" on page 4-33 for information on configuring the maximum frame size for this switch.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot3-tlv max-frame
Console(config-if)#

lldp dot3-tlv poe
This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities. Use the no form to disable this feature.
Command Usage
This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch and the power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp medtlv location
Console(config-if)#

lldp medtlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp medtlv network-policy
Console(config-if)#

show lldp config
This command shows LLDP configuration settings for all ports.
Example
Console#show lldp config
LLDP Global Configuration
 LLDP Enable                 : Yes
 LLDP Transmit interval      : 30
 LLDP Hold Time Multiplier   : 4
 LLDP Delay Interval         : 2
 LLDP Reinit Delay           : 2
 LLDP Notification Interval  : 5
 LLDP MED fast start counts  : 4

LLDP Port Configuration
 Interface |AdminStatus  NotificationEnabled
 --------- + ----------- -------------------
 Eth 1/1   | Tx-Rx       True
 Eth 1/2   | Tx-Rx       True
 Eth 1/3   | Tx-Rx       True
 Eth 1/4   | Tx-Rx       True
 Eth 1/5   | Tx-Rx       True
 . . .
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.
Syntax
show lldp info local-device [detail interface]
• detail - Shows detailed information.
• interface
 • ethernet unit/port
 - unit - Stack unit. (Range: 1)
 - port - Port number.
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
Syntax
show lldp info remote-device [detail interface]
• detail - Shows detailed information.
• interface
 • ethernet unit/port
 - unit - Stack unit. (Range: 1)
 - port - Port number.
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax
show lldp info statistics [detail interface]
• detail - Shows detailed information.
• interface
 • ethernet unit/port
 - unit - Stack unit. (Range: 1)
 - port - Port number.
Class of Service Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues.
Command Mode
Global Configuration
Command Usage
• Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
• WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue.
• This switch provides four priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port's default ingress user priority, and then placed in the appropriate priority queue at the output port. The default priority for all ingress ports is zero.
Command Usage
• CoS values assigned at the ingress port are also used at the egress port.
• This command sets the CoS priority for all interfaces.
Example
Console#show queue bandwidth
 Queue ID  Weight
 --------  ------
    0         1
    1         2
    2         4
    3         8
Console#

show queue cos-map
This command shows the class of service priority map.
Syntax
show queue cos-map [interface]
• interface
 • ethernet unit/port
 - unit - Stack unit. (Range: 1)
 - port - Port number.
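The difference between the two queue service modes described under queue mode is easiest to see by draining a full backlog with each. The simulation below is an added example written for this guide, not the switch's scheduler; it uses the four queues and the default weights 1, 2, 4, 8 shown by show queue bandwidth, and the packet labels are constructed. In one WRR round every queue is served in proportion to its weight, whereas strict priority sends nothing from a lower queue while a higher one still holds traffic, which is why a flood of high-CoS frames can starve management or data traffic under strict mode.

```python
"""Strict-priority versus Weighted Round Robin egress scheduling over the four
CoS queues of this switch. Added example for this guide, not switch firmware."""
from collections import deque

DEFAULT_WRR_WEIGHTS = {0: 1, 1: 2, 2: 4, 3: 8}   # queue id -> weight, as shown by show queue bandwidth

def make_queues(depth):
    """Constructed backlog: every queue holds `depth` packets labelled by queue id."""
    return {q: deque(f"q{q}" for _ in range(depth)) for q in range(4)}

def wrr_schedule(queues, weights, packets_to_send):
    """Visit queues 0..3 in turn, sending up to weights[q] packets per visit.
    Returns the transmit order."""
    sent = []
    while len(sent) < packets_to_send and any(queues.values()):
        for q in sorted(queues):
            for _ in range(weights[q]):
                if queues[q] and len(sent) < packets_to_send:
                    sent.append(queues[q].popleft())
    return sent

def strict_schedule(queues, packets_to_send):
    """Always take from the highest-numbered non-empty queue."""
    sent = []
    while len(sent) < packets_to_send and any(queues.values()):
        q = max(i for i, d in queues.items() if d)
        sent.append(queues[q].popleft())
    return sent

def per_queue_counts(sent):
    """How many packets each queue got onto the wire."""
    counts = {f"q{q}": 0 for q in range(4)}
    for label in sent:
        counts[label] += 1
    return counts
```

The assertions in the test below send 15 packets, which is exactly one WRR round (1 + 2 + 4 + 8), so the per-queue counts equal the weights; under strict priority all 15 come from queue 3 while it has packets.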
Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch.
Table 4-83 Priority Commands (Layer 3 and 4)
Command           Function                                   Mode  Page
map ip dscp       Enables IP DSCP class of service mapping   GC    4-304
map ip dscp       Maps IP DSCP value to a class of service   IC    4-304
show map ip dscp  Shows the IP DSCP map                      PE    4-305

map ip dscp (Global Configuration)
This command enables IP DSCP mapping (i.e.
Default Setting
The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
 Port       DSCP  COS
 ---------  ----  ---
 Eth 1/ 1      0    0
 Eth 1/ 1      1    0
 Eth 1/ 1      2    0
 Eth 1/ 1      3    0
 . . .
Quality of Service Commands

Table 4-85 Quality of Service Commands (Continued)
Command                    Function                                                                                                                   Mode  Page
show policy-map            Displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations  PE  4-314
show policy-map interface  Displays the configuration of all classes configured for all service policies on the specified interface                   PE    4-314

To create a service policy for a specific category of ingress traffic, follow these step
Command Usage
• First enter this command to designate a class map and enter Class Map configuration mode. Then use the match command (page 4-308) to specify the criteria for ingress traffic that will be classified under this class map.
• Up to 16 match commands are permitted per class map.
Quality of Service Commands 4

Example

This example creates a class map called “rd_class#1,” and sets it to match packets marked for DSCP service value 3:

Console(config)#class-map rd_class#1 match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#

This example creates a class map called “rd_class#2,” and sets it to match packets marked for IP Precedence service value 5:

Console(config)#class-map rd_class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#

This example
Example

This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
police

This command defines a policer for classified traffic. Use the no form to remove a policer.

Syntax

[no] police rate-kbps burst-byte [exceed-action {drop | set}]

• rate-kbps - Rate in kilobits per second. (Range: 1-100000 kbps or maximum port speed, whichever is lower)
• burst-byte - Burst in bytes. (Range: 64-1522 bytes)
• drop - Drop packet when specified rate or burst are exceeded.
• set - Set DSCP service to the specified value.
service-policy

This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface.

Syntax

[no] service-policy input policy-map-name

• input - Apply to the input traffic.
• policy-map-name - Name of the policy map for this interface. (Range: 1-16 characters)

Default Setting

No policy map is attached to an interface.
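The class-map, policy-map, police and service-policy steps above form one pipeline. The following model, added here as an illustration and not part of the guide or the switch firmware, replays the rd_class / rd_policy example on constructed packets; it assumes the policer behaves as a single token bucket (the guide does not state the algorithm) and that the class-level set action rewrites DSCP.

```python
# Added model of the DiffServ pipeline (class-map / policy-map / police /
# service-policy) described in this guide; not switch firmware. The policer is
# modelled as a token bucket (an assumption, the guide does not state the
# algorithm) and every packet below is a constructed sample value.
from dataclasses import dataclass

MAX_MATCHES_PER_CLASS = 16   # "Up to 16 match commands are permitted per class map"
RATE_RANGE = (1, 100000)     # police rate-kbps range
BURST_RANGE = (64, 1522)     # police burst-byte range


@dataclass
class Packet:
    dscp: int
    precedence: int
    vlan: int
    length: int              # bytes on the wire


class ClassMap:              # class-map NAME match-any, plus its match commands
    def __init__(self, name):
        self.name, self.criteria = name, []

    def match(self, field_name, value):
        if len(self.criteria) >= MAX_MATCHES_PER_CLASS:
            raise ValueError(f"{self.name}: at most {MAX_MATCHES_PER_CLASS} match commands")
        self.criteria.append((field_name, value))
        return self

    def classifies(self, pkt):
        # match-any: a single satisfied criterion is enough
        return any(getattr(pkt, f) == v for f, v in self.criteria)


class Policer:               # police RATE-KBPS BURST-BYTE exceed-action {drop | set}
    def __init__(self, rate_kbps, burst_bytes, exceed_action="drop", set_dscp=None):
        if not (RATE_RANGE[0] <= rate_kbps <= RATE_RANGE[1]
                and BURST_RANGE[0] <= burst_bytes <= BURST_RANGE[1]):
            raise ValueError("police rate or burst out of range")
        self.rate_bytes_per_s = rate_kbps * 1000 // 8
        self.burst, self.tokens, self.last = burst_bytes, float(burst_bytes), 0.0
        self.exceed_action, self.set_dscp = exceed_action, set_dscp

    def apply(self, pkt, now):
        # refill for the elapsed time, never beyond the configured burst
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bytes_per_s)
        self.last = now
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            return "forward"
        if self.exceed_action == "drop":
            return "drop"
        pkt.dscp = self.set_dscp     # exceed-action set: remark DSCP instead of dropping
        return "forward"


class PolicyMap:             # policy-map NAME; each class entry may set and/or police
    def __init__(self, name):
        self.name, self.entries = name, []

    def add_class(self, cmap, set_dscp=None, policer=None):
        self.entries.append((cmap, set_dscp, policer))
        return self

    def ingress(self, pkt, now):
        for cmap, set_dscp, policer in self.entries:
            if cmap.classifies(pkt):
                if set_dscp is not None:
                    pkt.dscp = set_dscp
                return policer.apply(pkt, now) if policer else "forward"
        return "forward"             # unclassified traffic is neither marked nor policed


def demo():
    # Replays the guide's rd_class / rd_policy example on constructed packets.
    rd_class = ClassMap("rd_class").match("dscp", 3)
    rd_policy = PolicyMap("rd_policy").add_class(rd_class, policer=Policer(100000, 1522))
    service_policy = {"eth1/5": rd_policy}        # service-policy input rd_policy on 1/5
    pkts = [Packet(3, 0, 1, 1500), Packet(3, 0, 1, 1500),
            Packet(5, 0, 1, 1500), Packet(3, 0, 1, 1500)]
    times = [0.0, 0.0, 0.0, 0.001]                # the last arrives after the bucket refills
    return [service_policy["eth1/5"].ingress(p, t) for p, t in zip(pkts, times)]
```

The second DSCP-3 packet is dropped because 1522 bytes of burst do not cover two back-to-back 1500-byte frames, while the DSCP-5 packet is never policed because no class map matches it.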
Example

Console#show class-map
 Class Map match-any rd_class#1
   Match ip dscp 3

 Class Map match-any rd_class#2
   Match ip precedence 5

 Class Map match-any rd_class#3
   Match vlan 1

Console#

show policy-map

This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.

Syntax

show policy-map [policy-map-name [class class-map-name]]

• policy-map-name - Name of the policy map.
Example

Console#show policy-map interface 1/5
 Service-policy rd_policy input
Console#

Multicast Filtering Commands

This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
ip igmp snooping

This command enables IGMP snooping on this switch. Use the no form to disable it.

Syntax

[no] ip igmp snooping

Default Setting

Enabled

Command Mode

Global Configuration

Example

The following example enables IGMP snooping.

Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping vlan static

This command adds a port to a multicast group. Use the no form to remove the port.
ip igmp snooping version

This command configures the IGMP snooping version. Use the no form to restore the default.

Syntax

ip igmp snooping version {1 | 2 | 3}
no ip igmp snooping version

• 1 - IGMP Version 1
• 2 - IGMP Version 2
• 3 - IGMP Version 3

Default Setting

IGMP Version 2

Command Mode

Global Configuration

Command Usage

• All systems on the subnet must support the same version.
Command Usage

• The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group.
• The leave-proxy feature does not function when a switch is set as the querier.
show ip igmp snooping

This command shows the IGMP snooping configuration.

Default Setting

None

Command Mode

Privileged Exec

Command Usage

See “Configuring IGMP Snooping and Query Parameters” on page 3-251 for a description of the displayed items.
Example

The following shows the multicast entries learned through IGMP snooping for VLAN 1:

Console#show mac-address-table multicast vlan 1 igmp-snooping
 VLAN M'cast IP addr.  Member ports  Type
 ---- ---------------  ------------  -------
    1 224.1.2.3        Eth1/11       IGMP
Console#

IGMP Query Commands (Layer 2)

This section describes commands used to configure Layer 2 IGMP query on the switch.
Example

Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping query-count

This command configures the query count. Use the no form to restore the default.

Syntax

ip igmp snooping query-count count
no ip igmp snooping query-count

count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
Default Setting

125 seconds

Command Mode

Global Configuration

Example

The following shows how to configure the query interval to 100 seconds:

Console(config)#ip igmp snooping query-interval 100
Console(config)#

ip igmp snooping query-max-response-time

This command configures the query report delay. Use the no form to restore the default.
ip igmp snooping router-port-expire-time

This command configures the query timeout. Use the no form to restore the default.

Syntax

ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time

seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
ip igmp snooping vlan mrouter

This command statically configures a multicast router port. Use the no form to remove the configuration.

Syntax

[no] ip igmp snooping vlan vlan-id mrouter interface

• vlan-id - VLAN ID (Range: 1-4094)
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-28)
  • port-channel channel-id (Range: 1-8)

Default Setting

No static multicast router ports are configured.
Command Usage

Multicast router port types displayed include Static.

Example

The following shows that port 11 in VLAN 1 is attached to a multicast router:

Console#show ip igmp snooping mrouter vlan 1
 VLAN M'cast Router Ports  Type
 ---- -------------------  -------
    1 Eth 1/11             Static
    2 Eth 1/12             Static
Console#

IGMP Filtering and Throttling Commands

In certain switch applications, the administrator may want to control the multicast services that are available to end users.
ip igmp filter (Global Configuration)

This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.

Syntax

[no] ip igmp filter

Default Setting

Disabled

Command Mode

Global Configuration

Command Usage

• IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
Command Usage

A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny.

Example

Console(config)#ip igmp profile 19
Console(config-igmp-profile)#

permit, deny

This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
Command Mode

IGMP Profile Configuration

Command Usage

Enter this command multiple times to specify more than one multicast address or address range for a profile.

Example

Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#

ip igmp filter (Interface Configuration)

This command assigns an IGMP filtering profile to an interface on the switch.
ip igmp max-groups

This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting.

Syntax

ip igmp max-groups number
no ip igmp max-groups

number - The maximum number of multicast groups an interface can join at the same time. (Range: 0-64)

Default Setting

64

Command Mode

Interface Configuration

Command Usage

• IGMP throttling sets a maximum number of multicast groups that a port can join at the same time.
Command Usage

When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
show ip igmp profile

This command displays IGMP filtering profiles created on the switch.

Syntax

show ip igmp profile [profile-number]

profile-number - An existing IGMP filter profile number. (Range: 1-4294967295)

Default Setting

None

Command Mode

Privileged Exec

Example

Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
Console#show ip igmp profile 19
IGMP Profile 19
    Deny
    range 239.1.1.1 239.1.1.1
    range 239.2.3.1 239.2.3.
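The profile semantics (one access mode, address ranges, one profile per port) and the max-groups deny/replace behaviour above can be checked with the following model, added here as an illustration and not part of the guide or the switch firmware; profile 19 is reconstructed from the configuration example above, the port names are constructed, and the "replace" victim is chosen with a seeded random generator so the outcome is repeatable.

```python
# Added model of IGMP filtering (ip igmp profile / permit, deny / range /
# ip igmp filter) and throttling (ip igmp max-groups with deny or replace);
# not switch firmware. Port names and the joins replayed below are constructed.
import ipaddress
import random


class IgmpProfile:           # ip igmp profile N, access mode, one or more range lines
    def __init__(self, number, mode):
        if mode not in ("permit", "deny"):
            raise ValueError("profile access mode must be permit or deny")
        self.number, self.mode, self.ranges = number, mode, []

    def range(self, low, high=None):
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo   # single address: low == high
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"invalid multicast range {low} {high}")
        self.ranges.append((lo, hi))
        return self

    def permits(self, group):
        g = ipaddress.IPv4Address(group)
        listed = any(lo <= g <= hi for lo, hi in self.ranges)
        return listed if self.mode == "permit" else not listed


class IgmpPort:              # interface with at most one profile and a max-groups limit
    def __init__(self, name, profile=None, max_groups=64, action="deny", seed=1):
        if not 0 <= max_groups <= 64:
            raise ValueError("max-groups range is 0-64")
        self.name, self.profile = name, profile
        self.max_groups, self.action = max_groups, action
        self.groups = []
        self.rng = random.Random(seed)   # seeded so "replace" is repeatable here

    def join(self, group):
        """Outcome of an IGMP join report for GROUP received on this port."""
        if self.profile and not self.profile.permits(group):
            return "filtered"            # profile denies the group (or does not permit it)
        if group in self.groups:
            return "joined"              # already a member, nothing to do
        if len(self.groups) < self.max_groups:
            self.groups.append(group)
            return "joined"
        if self.action == "deny":
            return "throttled"           # new join report is dropped
        victim = self.rng.choice(self.groups)   # replace: a random existing group goes
        self.groups.remove(victim)
        self.groups.append(group)
        return f"replaced {victim}"


def demo():
    # Profile 19 from the example above (deny mode), with max-groups 2 and action deny.
    profile19 = IgmpProfile(19, "deny").range("239.1.1.1").range("239.2.3.1", "239.2.3.100")
    port = IgmpPort("eth1/1", profile19, max_groups=2, action="deny")
    joins = ("239.1.1.1", "239.2.3.50", "239.2.3.101", "239.5.5.5", "239.6.6.6")
    return [port.join(g) for g in joins]


def demo_replace():
    # No profile, max-groups 1 and action replace: the second join evicts the first.
    port = IgmpPort("eth1/2", max_groups=1, action="replace")
    return [port.join("239.7.7.7"), port.join("239.8.8.8")], port.groups
```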
Example

Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
 Status                    : TRUE
 Action                    : Deny
 Max Multicast Groups      : 32
 Current Multicast Groups  : 0
Console#

Multicast VLAN Registration Commands

This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network.
Default Setting

• MVR is disabled.
• No MVR group address is defined.
• The default number of contiguous addresses is 0.
• MVR VLAN ID is 1.

Command Mode

Global Configuration

Command Usage

• Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
mvr (Interface Configuration)

This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword. Use the no form to restore the default settings.
• Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
Default Setting

Displays global configuration settings for MVR when no keywords are used.

Command Mode

Privileged Exec

Command Usage

Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN.
Table 4-93 show mvr interface - display description (Continued)

Field            Description
Status           Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
Immediate Leave  Shows if immediate leave is enabled or disabled.
IP Interface Commands

An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.
• If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
• You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch.
Related Commands

show ip redirects (4-341)

ip dhcp restart

This command submits a BOOTP or DHCP client request.

Default Setting

None

Command Mode

Privileged Exec

Command Usage

• This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
• DHCP requires the server to reassign the client’s last address if available.
Related Commands

show ip redirects (4-341)

show ip redirects

This command shows the default gateway configured for this device.

Default Setting

None

Command Mode

Privileged Exec

Example

Console#show ip redirects
IP default gateway 10.1.0.254
Console#

Related Commands

ip default-gateway (4-339)

ping

This command sends ICMP echo request packets to another node on the network.

Syntax

ping host [count count] [size size]

• host - IP address or IP alias of the host.
  - Network or host unreachable - The gateway found no corresponding entry in the route table.
• Press <Esc> to stop pinging.

Example

Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
Ping statistics for 10.1.0.
Appendix A: Software Specifications

Software Features

Management Authentication
Local, RADIUS, TACACS, Port Authentication (802.1X), MAC Authentication, Web Authentication, HTTPS, SSH

General Security Measures
Access Control Lists (IP, MAC - 100 rules), Port Authentication (802.
A Software Specifications

CoS configured by port or VLAN tag
Layer 3/4 priority mapping: IP DSCP

Multicast Filtering
IGMP Snooping (Layer 2)
Multicast VLAN Registration

Quality of Service
DiffServ supports class maps, policy maps, and service policies

Additional Features
BOOTP client
Link Layer Discovery Protocol
SNTP (Simple Network Time Protocol)
SNMP (Simple Network Management Protocol)
RMON (Remote Monitoring, groups 1,2,3,9)
SMTP Email Alerts
DHCP Snooping
IP Source Guard
Switch Clustering

Managemen
Management Information Bases

Link Aggregation Control Protocol (LACP)
Full-duplex flow control (ISO/IEC 8802-3)
IEEE 802.3ac VLAN tagging
IEEE 802.3af-2003 Power over Ethernet (PoE)
DHCP Client (RFC 2131)
DHCP Options (RFC 2132)
HTTPS
IGMPv1 (RFC 1112)
IGMPv2 (RFC 2236)
IGMPv3 (RFC 3376) - partial support
RADIUS+ (RFC 2618)
RMON (RFC 1757 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 1901)
SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3413, 3414, 3415)
SNTP (RFC 2030)
SSH (Version 2.
SNMP Framework MIB (RFC 3411)
SNMP-MPD MIB (RFC 3412)
SNMP Target MIB, SNMP Notification MIB (RFC 3413)
SNMP User-Based SM MIB (RFC 3414)
SNMP View Based ACM MIB (RFC 3415)
TACACS+ Authentication Client MIB
TCP MIB (RFC 2012)
Trap (RFC 1215)
UDP MIB (RFC 2013)
Appendix B: Troubleshooting

Problems Accessing the Management Interface

Table B-1 Troubleshooting Chart

Symptom                        Action
Cannot connect using Telnet,   • Be sure the switch is powered up.
web browser, or SNMP software  • Check network cabling between the management station and the switch.
                               • Check that you have a valid network connection to the switch and that the
                                 port you are using has not been disabled.
B Troubleshooting

Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:

1. Enable logging.
2. Set the error messages reported to include all categories.
3. Designate the SNMP host that is to receive the error messages.
4. Repeat the sequence of commands or other actions that lead up to the error.
5.
Glossary

Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
DHCP Snooping
A technique used to enhance network security by snooping on DHCP server messages to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.

DHCP Option 82
A relay option for sending information about the requesting client (or an intermediate relay agent) in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
IEEE 802.1Q VLAN Tagging
Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.

IEEE 802.1p
An IEEE standard for providing quality of service (QoS) in Ethernet networks. The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value.

IEEE 802.
one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.

In-Band Management
Management of the network from a station attached directly to the network.

IP Multicast Filtering
A process whereby this switch can pass multicast traffic along to participating hosts.
Multicast Switching
A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.

Multicast VLAN Registration
A method of using a single network-wide multicast VLAN to transmit common services, such as television channels or video-on-demand, across a service provider’s network.
Power over Ethernet
The IEEE 802.3af standard for providing Power over Ethernet (PoE) capabilities. When Ethernet is passed over copper cable, two twisted pairs are used for data transfer, and two twisted pairs are unused. With PoE, power can either be passed over the two data pairs or over the two spare pairs.

Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN.
Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols which offers network management services.

Simple Network Time Protocol (SNTP)
SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.

Spanning Tree Algorithm (STA)
A technology that checks your network for any loops.
Virtual LAN (VLAN)
A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.

XModem
A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
ES3528M-PoE E112008/ST-R01 149100041600A