ECS3510-26P 26-Port Fast Ethernet Layer 2 Switch Management Guide www.edge-core.
MANAGEMENT GUIDE ECS3510-28P GIGABIT ETHERNET SWITCH Layer 2 Managed Switch with 24 10/100BASE-TX (RJ-45) PoE Ports, and 2 Gigabit SFP Ports ECS3510-26P E022019-CS-R02 149100000220A
ABOUT THIS GUIDE

PURPOSE: This guide gives specific information on how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

AUDIENCE: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment.
DOCUMENTATION NOTICE: This documentation is provided for general information purposes only. If any product feature details in this documentation conflict with the product datasheet, refer to the datasheet for the latest information.

REVISION HISTORY: This section summarizes the changes in each revision of this guide.

FEBRUARY 2019 REVISION: This is the second version of this guide. This guide is valid for software release v1.0.0.0.
CONTENTS SECTION I ABOUT THIS GUIDE 5 CONTENTS 7 FIGURES 33 TABLES 43 GETTING STARTED 49 1 INTRODUCTION 51 Key Features 51 Description of Software Features 52 System Defaults 57 2 INITIAL SWITCH CONFIGURATION Connecting to the Switch 61 Configuration Options 61 Required Connections 62 Remote Connections 63 Basic Configuration 64 Console Connection 64 Setting Passwords 64 Setting an IP Address 65 Downloading a Configuration File Referenced by a DHCP Server 71 Enabling SN
CONTENTS Home Page 82 Configuration Options 83 Panel Display 83 Main Menu 84 4 BASIC MANAGEMENT TASKS 97 Displaying System Information 97 Displaying Hardware/Software Versions 98 Configuring Support for Jumbo Frames 100 Displaying Bridge Extension Capabilities 101 Managing System Files 102 Copying Files via FTP/TFTP or HTTP 102 Saving the Running Configuration to a Local File 104 Setting The Start-Up File 105 Showing System Files 106 Automatic Operation Code Upgrade 107 Settin
CONTENTS Configuring a Static Trunk 145 Configuring a Dynamic Trunk 147 Displaying LACP Port Counters 153 Displaying LACP Settings and Status for the Local Side 154 Displaying LACP Settings and Status for the Remote Side 156 Configuring Trunk Mirroring 158 Saving Power 159 Traffic Segmentation 161 Enabling Traffic Segmentation 161 Configuring Uplink and Downlink Ports 162 VLAN Trunking 163 6 VLAN CONFIGURATION 167 IEEE 802.
CONTENTS Configuring Interface Settings for STA 213 Displaying Interface Settings for STA 217 Configuring Multiple Spanning Trees 220 Configuring Interface Settings for MSTP 223 9 CONGESTION CONTROL 227 Rate Limiting 227 Storm Control 229 Automatic Traffic Control 232 Setting the ATC Timers 233 Configuring ATC Thresholds and Responses 235 10 CLASS OF SERVICE 239 Layer 2 Queue Settings 239 Setting the Default Priority for Interfaces 239 Selecting the Queue Mode 240 Mapping CoS Va
CONTENTS Web Authentication 294 Configuring Global Settings for Web Authentication 294 Configuring Interface Settings for Web Authentication 295 Network Access (MAC Address Authentication) 296 Configuring Global Settings for Network Access 299 Configuring Network Access for Ports 300 Configuring Port Link Detection 302 Configuring a MAC Address Filter 303 Displaying Secure MAC Address Information 305 Configuring HTTPS 306 Configuring Global Settings for HTTPS 306 Replacing the Default
CONTENTS Displaying 802.
CONTENTS Remote Monitoring 420 Configuring RMON Alarms 420 Configuring RMON Events 423 Configuring RMON History Samples 425 Configuring RMON Statistical Samples 428 Switch Clustering 430 Configuring General Settings for Clusters 431 Cluster Member Configuration 432 Managing Cluster Members 434 Setting A Time Range 435 15 IP CONFIGURATION 439 Using the Ping Function 439 Address Resolution Protocol 441 Setting the ARP Timeout 441 Displaying ARP Entries 442 Setting the Switch’s I
CONTENTS Setting IGMP Snooping Status per Interface 482 Displaying Multicast Groups Discovered by IGMP Snooping 487 Filtering and Throttling IGMP Groups Enabling IGMP Filtering and Throttling 488 Configuring IGMP Filter Profiles 489 Configuring IGMP Filtering and Throttling for Interfaces 492 Multicast VLAN Registration SECTION III 488 493 Configuring Global MVR Settings 495 Configuring MVR Interface Status 496 Assigning Static MVR Multicast Groups to Interfaces 498 Displaying MVR Recei
CONTENTS quit 520 show history 520 configure 521 disable 522 reload (Privileged Exec) 522 show reload 523 end 523 exit 523 20 SYSTEM MANAGEMENT COMMANDS Device Designation 525 525 hostname 526 System Status 526 show access-list tcam-utilization 527 show memory 527 show process cpu 528 show running-config 528 show startup-config 529 show system 530 show tech-support 531 show users 531 show version 532 Frame Size 533 jumbo frame 533 File Management 534 General Co
CONTENTS databits 545 exec-timeout 546 login 547 parity 548 password 548 password-thresh 549 silent-time 550 speed 550 stopbits 551 timeout login response 552 disconnect 552 terminal 553 show line 554 Event Logging 555 logging facility 555 logging history 556 logging host 557 logging on 557 logging trap 558 clear log 558 show log 559 show logging 560 SMTP Alerts 561 logging sendmail 561 logging sendmail host 562 logging sendmail level 563 logging sendmail
CONTENTS Manual Configuration Commands 568 clock summer-time 568 clock timezone 569 clock timezone-predefined 570 calendar set 571 show calendar 571 Time Range 572 time-range 572 absolute 573 periodic 574 show time-range 575 Switch Clustering 575 cluster 576 cluster commander 577 cluster ip-pool 578 cluster member 578 rcommand 579 show cluster 579 show cluster members 580 show cluster candidates 580 21 SNMP COMMANDS 581 General SNMP Commands 582 snmp-server 582
CONTENTS show snmp group 594 show snmp user 595 show snmp view 596 Notification Log Commands 596 nlm 596 snmp-server notify-filter 597 show nlm oper-status 598 show snmp notify-filter 599 22 REMOTE MONITORING COMMANDS 601 rmon alarm 602 rmon event 603 rmon collection history 604 rmon collection rmon1 605 show rmon alarms 606 show rmon events 606 show rmon history 606 show rmon statistics 607 23 AUTHENTICATION COMMANDS 609 User Accounts 609 enable password 610 usernam
CONTENTS show tacacs-server AAA 620 621 aaa accounting commands 621 aaa accounting dot1x 622 aaa accounting exec 623 aaa accounting update 624 aaa authorization exec 625 aaa group server 626 server 626 accounting dot1x 627 accounting exec 627 authorization exec 628 show accounting 628 Web Server 629 ip http port 630 ip http server 630 ip http secure-port 631 ip http secure-server 631 Telnet Server 633 ip telnet max-sessions 633 ip telnet port 634 ip telnet server 63
CONTENTS General Commands 646 dot1x default 646 dot1x eapol-pass-through 646 dot1x system-auth-control 647 Authenticator Commands 647 dot1x intrusion-action 647 dot1x max-req 648 dot1x operation-mode 649 dot1x port-control 650 dot1x re-authentication 650 dot1x timeout quiet-period 651 dot1x timeout re-authperiod 651 dot1x timeout supp-timeout 652 dot1x timeout tx-period 652 dot1x re-authenticate 653 Supplicant Commands 654 dot1x identity profile 654 dot1x max-start 654 d
CONTENTS network-access guest-vlan 671 network-access link-detection 671 network-access link-detection link-down 672 network-access link-detection link-up 672 network-access link-detection link-up-down 673 network-access max-mac-count 674 network-access mode mac-authentication 674 network-access port-mac-filter 675 mac-authentication intrusion-action 676 mac-authentication max-mac-count 676 clear network-access 677 show network-access 677 show network-access mac-address-table 678
CONTENTS IP Source Guard 694 ip source-guard binding 694 ip source-guard 696 ip source-guard max-binding 697 show ip source-guard 698 show ip source-guard binding 698 ARP Inspection 699 ip arp inspection 700 ip arp inspection filter 701 ip arp inspection log-buffer logs 702 ip arp inspection validate 703 ip arp inspection vlan 703 ip arp inspection limit 704 ip arp inspection trust 705 show ip arp inspection configuration 706 show ip arp inspection interface 706 show ip arp
CONTENTS access-list arp 723 permit, deny (ARP ACL) 724 show arp access-list 725 ACL Information 726 show access-group 726 show access-list 726 26 INTERFACE COMMANDS 729 Interface Configuration 730 interface 730 alias 731 capabilities 731 description 732 flowcontrol 733 giga-phy-mode 734 negotiation 735 shutdown 736 speed-duplex 736 switchport packet-rate 737 clear counters 739 show interfaces brief 739 show interfaces counters 740 show interfaces status 741 show
CONTENTS lacp port-priority 753 lacp system-priority 754 lacp admin-key (Port Channel) 755 Trunk Status Display Commands 756 show lacp 756 28 PORT MIRRORING COMMANDS 761 Local Port Mirroring Commands 761 port monitor 761 show port monitor 763 RSPAN Mirroring Commands 764 rspan source 765 rspan destination 766 rspan remote vlan 767 no rspan session 768 show rspan 769 29 RATE LIMIT COMMANDS 771 rate-limit 771 30 AUTOMATIC TRAFFIC CONTROL COMMANDS Threshold Commands 773 776
CONTENTS ATC Display Commands 786 show auto-traffic-control 786 show auto-traffic-control interface 786 31 ADDRESS TABLE COMMANDS 789 mac-address-table aging-time 789 mac-address-table static 790 clear mac-address-table dynamic 791 show mac-address-table 791 show mac-address-table aging-time 792 show mac-address-table count 793 32 SPANNING TREE COMMANDS 795 spanning-tree 796 spanning-tree cisco-prestandard 797 spanning-tree forward-time 797 spanning-tree hello-time 798 spannin
CONTENTS spanning-tree mst port-priority 814 spanning-tree port-priority 815 spanning-tree root-guard 815 spanning-tree spanning-disabled 816 spanning-tree loopback-detection release 817 spanning-tree protocol-migration 817 show spanning-tree 818 show spanning-tree mst configuration 820 33 VLAN COMMANDS 821 GVRP and Bridge Extension Commands 822 bridge-ext gvrp 822 garp timer 823 switchport forbidden vlan 824 switchport gvrp 824 show bridge-ext 825 show garp timer 825 show g
CONTENTS traffic-segmentation 840 show traffic-segmentation 841 Configuring Protocol-based VLANs 842 protocol-vlan protocol-group (Configuring Groups) 843 protocol-vlan protocol-group (Configuring Interfaces) 843 show protocol-vlan protocol-group 844 show interfaces protocol-vlan protocol-group 845 Configuring IP Subnet VLANs 846 subnet-vlan 846 show subnet-vlan 847 Configuring MAC Based VLANs 848 mac-vlan 848 show mac-vlan 849 Configuring Voice VLANs 849 voice vlan 850 voice
CONTENTS show qos map phb-queue 868 show qos map trust-mode 868 35 QUALITY OF SERVICE COMMANDS 869 class-map 870 description 871 match 872 rename 873 policy-map 873 class 874 police flow 875 police srtcm-color 877 police trtcm-color 879 set cos 881 set ip dscp 882 set phb 883 service-policy 884 show class-map 885 show policy-map 885 show policy-map interface 886 36 MULTICAST FILTERING COMMANDS IGMP Snooping 887 887 ip igmp snooping 889 ip igmp snooping proxy-report
CONTENTS ip igmp snooping vlan mrd 899 ip igmp snooping vlan proxy-address 900 ip igmp snooping vlan query-interval 901 ip igmp snooping vlan query-resp-intvl 902 ip igmp snooping vlan static 903 show ip igmp snooping 903 show ip igmp snooping mrouter 904 show ip igmp snooping group 905 Static Multicast Routing ip igmp snooping vlan mrouter IGMP Filtering and Throttling 906 906 907 ip igmp filter (Global Configuration) 907 ip igmp profile 908 permit, deny 909 range 909 ip igmp fil
CONTENTS lldp basic-tlv management-ip-address 927 lldp basic-tlv port-description 928 lldp basic-tlv system-capabilities 929 lldp basic-tlv system-description 929 lldp basic-tlv system-name 930 lldp dot1-tlv proto-ident 930 lldp dot1-tlv proto-vid 931 lldp dot1-tlv pvid 931 lldp dot1-tlv vlan-name 932 lldp dot3-tlv link-agg 932 lldp dot3-tlv max-frame 933 lldp med-location civic-addr 933 lldp med-notification 935 lldp med-tlv ext-poe 936 lldp med-tlv inventory 936 lldp med-tlv
CONTENTS DHCP Client 955 DHCP for IPv4 955 ip dhcp client class-id 955 ip dhcp restart client 956 DHCP for IPv6 957 ipv6 dhcp client rapid-commit vlan 957 ipv6 dhcp restart client vlan 958 show ip dhcp client-identifier 959 show ipv6 dhcp duid 959 show ipv6 dhcp vlan 960 40 IP INTERFACE COMMANDS IPv4 Interface 961 961 Basic IPv4 Configuration 962 ip address 962 ip default-gateway 963 show ip default-gateway 964 show ip interface 964 show ip traffic 965 traceroute 966 pin
CONTENTS show ipv6 mtu 982 show ipv6 traffic 983 clear ipv6 traffic 987 ping6 987 Neighbor Discovery SECTION IV 988 clear ipv6 neighbors 988 show ipv6 neighbors 989 APPENDICES 991 A SOFTWARE SPECIFICATIONS 993 Software Features 993 Management Features 994 Standards 995 Management Information Bases 995 B TROUBLESHOOTING 997 Problems Accessing the Management Interface 997 Using System Logs 998 C LICENSE INFORMATION 999 The GNU General Public License 999 GLOSSARY 1003 CO
FIGURES Figure 1: Home Page 82 Figure 2: Front Panel Indicators 83 Figure 3: System Information 98 Figure 4: General Switch Information 99 Figure 5: Configuring Support for Jumbo Frames 100 Figure 6: Displaying Bridge Extension Configuration 102 Figure 7: Copy Firmware 104 Figure 8: Saving the Running Configuration 105 Figure 9: Setting Start-Up Files 106 Figure 10: Displaying System Files 107 Figure 11: Configuring Automatic Code Upgrade 110 Figure 12: Manually Setting the System Clo
FIGURES Figure 32: Configuring Remote Port Mirroring (Source) 137 Figure 33: Configuring Remote Port Mirroring (Intermediate) 138 Figure 34: Configuring Remote Port Mirroring (Destination) 138 Figure 35: Showing Port Statistics (Table) 141 Figure 36: Showing Port Statistics (Chart) 142 Figure 37: Performing Cable Tests 144 Figure 38: Configuring Static Trunks 145 Figure 39: Creating Static Trunks 146 Figure 40: Configuring Connection Parameters for a Static Trunk 147 Figure 41: Showing In
FIGURES Figure 68: Showing Dynamic VLANs Registered on the Switch 178 Figure 69: Showing the Members of a Dynamic VLAN 178 Figure 70: QinQ Operational Concept 180 Figure 71: Enabling QinQ Tunneling 184 Figure 72: Adding an Interface to a QinQ Tunnel 185 Figure 73: Configuring Protocol VLANs 187 Figure 74: Displaying Protocol VLANs 187 Figure 75: Assigning Interfaces to Protocol VLANs 188 Figure 76: Showing the Interface to Protocol Group Mapping 189 Figure 77: Configuring IP Subnet VLANs
FIGURES Figure 104: Displaying Members of an MST Instance 222 Figure 105: Configuring MSTP Interface Settings 224 Figure 106: Displaying MSTP Interface Settings 225 Figure 107: Configuring Rate Limits 229 Figure 108: Configuring Storm Control 231 Figure 109: Storm Control by Limiting the Traffic Rate 232 Figure 110: Storm Control by Shutting Down a Port 233 Figure 111: Configuring ATC Timers 234 Figure 112: Configuring ATC Interface Attributes 237 Figure 113: Setting the Default Port Prio
FIGURES Figure 140: Configuring Remote Authentication Server (TACACS+) 282 Figure 141: Configuring AAA Server Groups 282 Figure 142: Showing AAA Server Groups 283 Figure 143: Configuring Global Settings for AAA Accounting 285 Figure 144: Configuring AAA Accounting Methods 286 Figure 145: Showing AAA Accounting Methods 286 Figure 146: Configuring AAA Accounting Service for 802.
FIGURES Figure 176: Configuring a MAC ACL 326 Figure 177: Configuring a ARP ACL 328 Figure 178: Binding a Port to an ACL 329 Figure 179: Configuring Global Settings for ARP Inspection 333 Figure 180: Configuring VLAN Settings for ARP Inspection 334 Figure 181: Configuring Interface Settings for ARP Inspection 335 Figure 182: Displaying Statistics for ARP Inspection 337 Figure 183: Displaying the ARP Inspection Log 338 Figure 184: Creating an IP Address Filter for Management Access 339 Fig
FIGURES Figure 212: Showing the Civic Address for an LLDP Interface 384 Figure 213: Displaying Local Device Information for LLDP (General) 386 Figure 214: Displaying Local Device Information for LLDP (Port) 386 Figure 215: Displaying Remote Device Information for LLDP (Port) 391 Figure 216: Displaying Remote Device Information for LLDP (Port Details) 391 Figure 217: Displaying LLDP Device Statistics (General) 393 Figure 218: Displaying LLDP Device Statistics (Port) 393 Figure 219: Showing the
FIGURES Figure 248: Configuring an RMON Statistical Sample 429 Figure 249: Showing Configured RMON Statistical Samples 429 Figure 250: Showing Collected RMON Statistical Samples 430 Figure 251: Configuring a Switch Cluster 432 Figure 252: Configuring a Cluster Members 433 Figure 253: Showing Cluster Members 433 Figure 254: Showing Cluster Candidates 434 Figure 255: Managing a Cluster Member 435 Figure 256: Setting the Name of a Time Range 436 Figure 257: Showing a List of Time Ranges 436
FIGURES Figure 284: Configuring a Static Interface for a Multicast Router 479 Figure 285: Showing Static Interfaces Attached a Multicast Router 479 Figure 286: Showing Current Interfaces Attached a Multicast Router 479 Figure 287: Assigning an Interface to a Multicast Service 481 Figure 288: Showing Static Interfaces Assigned to a Multicast Service 481 Figure 289: Showing Current Interfaces Assigned to a Multicast Service 481 Figure 290: Configuring IGMP Snooping on an Interface 486 Figure 29
TABLES Table 1: Key Features 51 Table 2: System Defaults 57 Table 3: Options 60, 66 and 67 Statements 71 Table 4: Options 55 and 124 Statements 72 Table 5: Web Page Configuration Buttons 83 Table 6: Switch Main Menu 84 Table 7: Port Statistics 139 Table 8: LACP Port Counters 153 Table 9: LACP Internal Configuration Information 154 Table 10: LACP Remote Device Configuration Information 156 Table 11: Recommended STA Path Cost Range 215 Table 12: Default STA Path Costs 215 Table 13: Ef
TABLES Table 32: Supported Notification Messages 406 Table 33: Address Resolution Protocol 441 Table 34: Show IPv6 Neighbors - display description 454 Table 35: Show IPv6 Statistics - display description 456 Table 36: Show MTU - display description 461 Table 37: General Command Modes 510 Table 38: Configuration Command Modes 512 Table 39: Keystroke Commands 513 Table 40: Command Group Index 514 Table 41: General Commands 517 Table 42: System Management Commands 525 Table 43: Device De
TABLES Table 68: TACACS+ Client Commands 618 Table 69: AAA Commands 621 Table 70: Web Server Commands 629 Table 71: HTTPS System Support 632 Table 72: Telnet Server Commands 633 Table 73: Secure Shell Commands 635 Table 74: show ssh - display description 644 Table 75: 802.
TABLES Table 104: Address Table Commands 789 Table 105: Spanning Tree Commands 795 Table 106: Recommended STA Path Cost Range 808 Table 107: Default STA Path Costs 808 Table 108: VLAN Commands 821 Table 109: GVRP and Bridge Extension Commands 822 Table 110: Commands for Editing VLAN Groups 827 Table 111: Commands for Configuring VLAN Interfaces 829 Table 112: Commands for Displaying VLAN Information 835 Table 113: 836 802.
TABLES Table 140: DHCP Client Commands 955 Table 141: IP Interface Commands 961 Table 142: IPv4 Interface Commands 961 Table 143: Basic IP Configuration Commands 962 Table 144: Address Resolution Protocol Commands 968 Table 145: IPv6 Configuration Commands 970 Table 146: show ipv6 interface - display description 980 Table 147: show ipv6 mtu - display description 982 Table 148: show ipv6 mtu - display description 982 Table 149: show ipv6 traffic - display description 984 Table 150: show
SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
CHAPTER 1 | Introduction | Description of Software Features

Table 1: Key Features (Continued)
Feature | Description
Store-and-Forward Switching | Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs | Up to 256 using IEEE 802.
Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, and IP address filtering for SNMP/Telnet/web management access. MAC address filtering and IP source guard also provide authentication for port access, while DHCP snooping is provided to prevent malicious attacks from insecure ports.
STATIC MAC ADDRESSES: A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.
even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).

VIRTUAL LANS: The switch supports up to 256 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
to a Class of Service value by the switch, and the traffic is then sent to the corresponding output queue.

QUALITY OF SERVICE: Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists.
CHAPTER 1 | Introduction | System Defaults

SYSTEM DEFAULTS: The switch's system defaults are provided in the configuration file "Factory_Default_Config.cfg". To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults.
Table 2: System Defaults (Continued)
Function | Parameter | Default
SNMP | SNMP Agent | Enabled
SNMP | Community Strings | "public" (read only); "private" (read/write)
SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled
SNMP | SNMP V3 | View: defaultview; Group: public (read only); private (read/write)
| Admin Status | Enabled
| Auto-negotiation | Enabled
| Flow Control | Disabled
| Static Trunks | None
| LACP (all ports) | Disabled
| Rate Limiting | Disabled
| Storm Control | Broadc
IP Settings | Management VLAN | VLAN 1
IP Settings | IP Address | DHCP assigned
IP Settings | Subnet Mask | 255.255.255.0
IP Settings | Default Gateway | 0.0.0.
2 INITIAL SWITCH CONFIGURATION

This chapter includes information on connecting to the switch and basic configuration procedures.

CONNECTING TO THE SWITCH: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

NOTE: An IPv4 address for this switch is obtained via DHCP by default.
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 256 IEEE 802.
■ Set flow control to none.
■ Set the emulation mode to VT100.
■ When using HyperTerminal, select Terminal keys, not Windows keys.

NOTE: Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see "Using the Command Line Interface" on page 505.
CHAPTER 2 | Initial Switch Configuration | Basic Configuration

BASIC CONFIGURATION

CONSOLE CONNECTION: The CLI program provides two different command levels: normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you only to display information and use basic utilities.
Username: admin
Password:

CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

SETTING AN IP ADDRESS: You must establish IP address information for the switch to obtain management access through the network.
To assign an IPv4 address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type "interface vlan 1" to access the interface-configuration mode. Press .
2. Type "ip address ip-address netmask," where "ip-address" is the switch IP address and "netmask" is the network mask for the network. Press .
3. Type "exit" to return to the global configuration mode prompt. Press .
4.
example, followed by the "link-local" command parameter. Then press .
3. Type "exit" to return to the global configuration mode prompt. Press .
4. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type "ipv6 default-gateway gateway," where "gateway" is the IPv6 address of the default gateway. Press .
To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1. From the Global Configuration mode prompt, type "interface vlan 1" to access the interface-configuration mode. Press .
2. At the interface-configuration mode prompt, use one of the following commands:
■ To obtain IP settings via DHCP, type "ip address dhcp" and press .
Console(config)#interface vlan 1
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
  (None)
Joined group address(es):
  FF02::1:FF11:6700
  FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
Console#

DOWNLOADING A CONFIGURATION FILE REFERENCED BY A DHCP SERVER: Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed.
DHCP client request sent by this switch includes a "parameter request list" asking for this information. The client request also includes a "vendor class identifier" that allows the DHCP server to identify the device and select the appropriate configuration file for download. This information is included in Options 55 and 124.
ENABLING SNMP MANAGEMENT ACCESS: The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as EdgeCore ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

NOTE: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
CHAPTER 2 | Initial Switch Configuration | Managing System Files

Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#

For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to "Simple Network Management Protocol" on page 397, or refer to the specific CLI commands for SNMP starting on page 581.
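The community-string note and the SNMPv3 user example above, as an added audit script that is not part of the guide: it scans lines captured from a "show running-config" listing for the factory default community strings from Table 2 and for SNMPv3 users configured without authentication or privacy. The sample listing, hostname, user and group names and keys are constructed for this example, and treating a community string with no access keyword as read-only is an assumption I make from the guide's own "snmp-server community private" example.

```python
"""Audit a switch running-config listing for the SNMP defaults this guide warns about.

Added example (not from the guide): flags the factory default community
strings "public" and "private" (Table 2, System Defaults) and SNMPv3 users
that have no authentication or no privacy configured.
"""
import re

# Factory default community strings listed in Table 2 of the guide.
DEFAULT_COMMUNITIES = {"public", "private"}

# Algorithms used in the guide's CLI example (md5/des56) are reported as
# legacy; sha/aes128 are treated as the preferred choices in this example.
LEGACY_AUTH = {"md5"}
LEGACY_PRIV = {"des56"}

# Constructed sample of the SNMP-related lines from a running-config listing.
# Hostname, user names, group names and keys are invented for this example.
SAMPLE_CONFIG = """\
hostname SWITCH-EXAMPLE
snmp-server community public ro
snmp-server community private rw
snmp-server community admin rw
snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
snmp-server user ops group netops v3 auth sha 0123456789ab priv aes128 fedcba9876543210
snmp-server user guest group r&d v3
"""

# The access keyword is optional; the guide's own example omits it
# ("snmp-server community private"). Treating the omitted keyword as
# read-only is an assumption made for this example.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?$")
USER_RE = re.compile(
    r"^snmp-server user (\S+) group (\S+) v3"
    r"(?: auth (md5|sha) \S+(?: priv (des56|aes128) \S+)?)?$"
)


def parse_config(text):
    """Extract SNMP settings from a running-config listing.

    Returns (communities, users):
      communities: list of (name, access) tuples, access "ro" or "rw"
      users: list of (name, group, auth_alg, priv_alg); algorithm is None if absent
    """
    communities, users = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append((m.group(1), m.group(2) or "ro"))
            continue
        m = USER_RE.match(line)
        if m:
            users.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return communities, users


def v1v2c_access_enabled(text):
    """True when at least one community string exists.

    The guide notes that with no community strings configured, management
    access from SNMP v1 and v2c clients is disabled.
    """
    communities, _ = parse_config(text)
    return bool(communities)


def audit_snmp(text):
    """Return a list of finding strings (empty when nothing is flagged)."""
    findings = []
    communities, users = parse_config(text)
    for name, access in communities:
        if name in DEFAULT_COMMUNITIES:
            findings.append(
                f"default community string '{name}' ({access}) still present; "
                "delete it unless v1/v2c clients are required"
            )
    for name, group, auth, priv in users:
        if auth is None:
            findings.append(
                f"SNMPv3 user '{name}' (group {group}) has neither authentication nor privacy"
            )
        elif priv is None:
            findings.append(
                f"SNMPv3 user '{name}' (group {group}) authenticates but is not encrypted"
            )
        elif auth in LEGACY_AUTH or priv in LEGACY_PRIV:
            findings.append(
                f"SNMPv3 user '{name}' (group {group}) uses legacy algorithms ({auth}/{priv})"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("SNMP v1/v2c access enabled:", v1v2c_access_enabled(SAMPLE_CONFIG))
```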
to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

SAVING OR RESTORING: Configuration commands only modify the running configuration file and are not saved when the switch is rebooted.
Console#copy file startup-config
Console#copy tftp startup-config
TFTP server IP address: 192.168.0.4
Source configuration file name: startup-rd.cfg
Startup configuration file name [startup1.cfg]:
Success.
SECTION II WEB CONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
3 USING THE WEB INTERFACE This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6.x or above, or Mozilla Firefox 4.x or above). NOTE: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
CHAPTER 3 | Using the Web Interface | Navigating the Web Browser Interface

NOTE: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.

NOTE: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.

NAVIGATING THE WEB BROWSER INTERFACE: To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics.
CONFIGURATION OPTIONS: Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 5: Web Page Configuration Buttons
Button | Action
Apply | Sets specified values to the system.
MAIN MENU: Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 6: Switch Main Menu (Continued)
Menu | Description | Page
Statistics | Shows Interface, Etherlike, and RMON port statistics | 138
Chart | Shows Interface, Etherlike, and RMON port statistics | 138
Cable Test | Performs cable diagnostics for selected port to diagnose any cable faults (short, open etc. | 142
Table 6: Switch Main Menu (Continued)
◆ Configure Session (page 162) – Configures the uplink and down-link ports for a segmented group of ports
◆ VLAN Trunking (page 163) – Allows unknown VLAN groups to pass through the specified interface
◆ Virtual LAN (page 167)
◆ Configure VLAN (page 170) – Configures VLAN groups, administrative status, and remote type
◆ Modify VLAN and Member Ports (page 171) – Configures group name, status, and member attributes
Table 6: Switch Main Menu (Continued)
◆ MAC Address (page 195)
◆ Static (page 195)
◆ Add (page 195) – Configures static entries in the address table
◆ Show (page 195) – Displays static entries in the address table
◆ Configure Aging (page 197) – Sets timeout for dynamically learned entries
◆ Show Dynamic MAC (page 198) – Displays dynamic entries in the address table
◆ Clear Dynamic MAC – Removes any learned entries from the forwarding database and clears the
Table 6: Switch Main Menu (Continued)
◆ Auto Traffic Control (page 229) – Sets thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port
◆ Configure Global (page 233) – Sets the time to apply the control response after traffic has exceeded the upper threshold, and the time to release the control response after traffic has fallen beneath the lower threshold
◆ Configure
Table 6: Switch Main Menu (Continued)
◆ VoIP (page 269) – Voice over IP
◆ Configure Global (page 270) – Configures auto-detection of VoIP traffic, sets the Voice VLAN, and VLAN aging time
◆ Configure OUI (page 271)
◆ Add (page 271) – Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer
◆ Show (page 271) – Shows the OUI telephony list
◆ Configures VoIP traffic settings for ports, including the way in which a port is ad
Table 6: Switch Main Menu (Continued)
◆ Show Information (page 289) – Shows the configured authorization methods, and the methods applied to specific interfaces
◆ User Accounts (page 292)
◆ Add (page 292) – Configures user names, passwords, and access levels
◆ Show (page 292) – Shows authorized users
◆ Modify (page 292) – Modifies user attributes
◆ Allows authentication and access to the network when 802.
Table 6: Switch Main Menu (Continued)
◆ Add Rule (page 319) – Configures packet filtering based on IP or MAC addresses and other packet attributes
◆ Show Rule (page 319) – Shows the rules specified for an ACL
◆ Configure Interface (page 328) – Binds a port to the specified ACL and time range
◆ ARP Inspection (page 330)
◆ Configure General – Enables inspection globally, configures validation of additional address components, and sets the log rate
Table 6: Switch Main Menu (Continued)
◆ Remote (page 372) – Configures the logging of messages to a remote logging process
◆ SMTP (page 373) – Sends an SMTP client message to a participating server
◆ Configure Server (page 373) – Configures a list of recipient SMTP servers
◆ Add (page 373) – Adds a recipient SMTP server
◆ Show (page 373) – Shows configured SMTP servers
◆ Configure General (page 373) – Sets SMTP status, e-mail source and destination addresses
Table 6: Switch Main Menu (Continued)
◆ Configure View (page 402)
◆ Add View (page 402) – Adds an SNMP v3 view of the OID MIB
◆ Show View (page 402) – Shows configured SNMP v3 views
◆ Add OID Subtree (page 402) – Specifies a part of the subtree for the selected view
◆ Show OID Subtree (page 402) – Shows the subtrees assigned to each view
◆ Configure Group (page 405)
◆ Add (page 405) – Adds a group with access policies for assigned users
◆ Show – Shows configured gro
CHAPTER 3 | Using the Web Interface Navigating the Web Browser Interface Table 6: Switch Main Menu (Continued) Menu Description Page History Shows sampled data for each entry in the history group 425 Statistics Shows sampled data for each entry in the history group 428 Show Details Cluster Configure Global 430 Globally enables clustering for the switch; sets Commander status 431 Configure Member Add Adds switch Members to the cluster 432 Show Candidate Shows cluster candidates 432 Shows c
Table 6: Switch Main Menu (Continued)
◆ IP Service
◆ DNS (page 463) – Domain Name Service
◆ General (page 463)
◆ Configure Global (page 463) – Enables DNS lookup; defines the default domain name appended to incomplete host names
◆ Add Domain Name (page 464) – Defines a list of domain names that can be appended to incomplete host names
◆ Show Domain Names (page 464) – Shows the configured domain name list
◆ Add Name Server – Specifies IP address of name se
CHAPTER 3 | Using the Web Interface Navigating the Web Browser Interface Table 6: Switch Main Menu (Continued) Menu Show Forwarding Entry Description Page Shows IGMP snooping settings per VLAN interface 482 Displays the current multicast groups learned through IGMP Snooping 487 Filter Configure General 488 Enables IGMP filtering for the switch Configure Profile 488 489 Add Adds IGMP filter profile; and sets access mode 489 Show Shows configured IGMP filter profiles 489 Add Multicast Group
4 BASIC MANAGEMENT TASKS This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions ◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames. ◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
CHAPTER 4 | Basic Management Tasks Displaying Hardware/Software Versions PARAMETERS These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been up. ◆ System Name – Name assigned to the switch system. ◆ System Location – Specifies the system location. ◆ System Contact – Administrator responsible for the system.
CHAPTER 4 | Basic Management Tasks Displaying Hardware/Software Versions PARAMETERS The following parameters are displayed: Main Board Information ◆ Serial Number – The serial number of the switch. ◆ Number of Ports – Number of built-in ports. ◆ Hardware Version – Hardware version of the main board. ◆ Internal Power Status – Displays the status of the internal power supply. Management Software Information ◆ Role – Shows that this switch is operating as Master or Slave.
CHAPTER 4 | Basic Management Tasks Configuring Support for Jumbo Frames CONFIGURING SUPPORT FOR JUMBO FRAMES Use the System > Capability page to configure support for Layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet. Compared to standard Ethernet frames that run only up to 1.
CHAPTER 4 | Basic Management Tasks Displaying Bridge Extension Capabilities DISPLAYING BRIDGE EXTENSION CAPABILITIES Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
WEB INTERFACE To view Bridge Extension information: 1. Click System, then Capability. Figure 6: Displaying Bridge Extension Configuration MANAGING SYSTEM FILES This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. COPYING FILES VIA FTP/TFTP OR HTTP Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP.
CHAPTER 4 | Basic Management Tasks Managing System Files PARAMETERS The following parameters are displayed: ◆ Copy Type – The firmware copy operation includes these options: ■ FTP Upgrade – Copies a file from an FTP server to the switch. ■ FTP Download – Copies a file from the switch to an FTP server. ■ HTTP Upgrade – Copies a file from a management station to the switch.
CHAPTER 4 | Basic Management Tasks Managing System Files 4. If FTP or TFTP Upgrade is used, enter the IP address of the file server. 5. If FTP Upgrade is used, enter the user name and password for your account on the FTP server. 6. Set the file type to Operation Code or Loader. 7. Enter the name of the file to download. 8. Select a file on the switch to overwrite or specify a new file name. 9. Then click Apply.
CHAPTER 4 | Basic Management Tasks Managing System Files the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) NOTE: The maximum number of user-defined configuration files is limited only by available flash memory space. WEB INTERFACE To save the running configuration file: 1. Click System, then File. 2. Select Copy from the Action list. 3.
3. Mark the operation code or configuration file to be used at startup. 4. Then click Apply. Figure 9: Setting Start-Up Files To start using the new firmware or configuration settings, reboot the system via the System > Reload menu (see "Resetting the System"). SHOWING SYSTEM FILES Use the System > File (Show) page to show the files in the system directory, or to delete a file. NOTE: Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
Figure 10: Displaying System Files AUTOMATIC OPERATION CODE UPGRADE Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
◆ The switch-based search function is case-insensitive in that it will accept a file name in upper or lower case (i.e., the switch will accept ECS4110-24T_OP.BIX from the server even though ECS4110-24T_Op.bix was requested). However, keep in mind that the file systems of many operating systems such as Unix and most Unix-like systems (FreeBSD, NetBSD, OpenBSD, and most Linux distributions, etc.
CHAPTER 4 | Basic Management Tasks Managing System Files must not be included since it is automatically appended by the switch. (Options: ftp, tftp) The following syntax must be observed: tftp://host[/filedir]/ ■ tftp:// – Defines TFTP protocol for the server connection. ■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
CHAPTER 4 | Basic Management Tasks Managing System Files The image file is in the “switch-opcode” directory, relative to the TFTP root. ■ tftp://192.168.0.1/switches/opcode/ The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the TFTP root. The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented: ■ ftp://192.168.0.
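The two naming rules above (the file-name constraints for files stored on the switch, and the ftp/tftp URL syntax that the automatic upgrade feature expects) are easy to get wrong when staging images by script. The following validator is an added example written for this guide; it is not Edge-core code. It encodes only what the guide states: the scheme is ftp or tftp, the host must be a dotted-decimal IPv4 address (DNS names are not recognized), the URL ends with the directory slash and carries no file name, and switch file names are at most 32 characters from the set A-Z, a-z, 0-9, ".", "-", "_" and do not start with a period. The `user:password@host` form for FTP is an assumption about how the user name and password options are expressed; the guide's own FTP examples are not reproduced here.

```python
"""Validators for the file-name and file-server URL rules this guide
states for the switch file system and Automatic Operation Code Upgrade.
Added example, not Edge-core code."""
import re
from ipaddress import IPv4Address, AddressValueError

# Rules for files stored on the switch (Managing System Files section).
MAX_SWITCH_FILENAME = 32
SWITCH_FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_switch_filename(name: str) -> str:
    """Return '' if the name is acceptable on the switch, else the violated rule."""
    if not name:
        return "empty file name"
    if name[0] == ".":
        return "file name must not start with a period"
    if len(name) > MAX_SWITCH_FILENAME:
        return f"file name longer than {MAX_SWITCH_FILENAME} characters"
    if not SWITCH_FILENAME_RE.match(name):
        return "file name contains characters outside A-Z, a-z, 0-9, '.', '-', '_'"
    return ""


# Auto-upgrade URL: scheme://[user[:password]@]host[/filedir]/
# The optional userinfo part is an ASSUMPTION about the FTP form; the guide
# only states that user name and password may appear in an FTP URL.
URL_RE = re.compile(
    r"^(?P<scheme>ftp|tftp)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^/@:]+)"
    r"(?P<path>(?:/[^/]+)*/)$"
)


def validate_upgrade_url(url: str) -> str:
    """Return '' if url follows the guide's syntax, else the violated rule."""
    if not url.endswith("/"):
        # The switch appends the file name itself, so the URL is a directory.
        return "URL must end with '/' (the file name is appended by the switch)"
    m = URL_RE.match(url)
    if not m:
        return "URL does not match scheme://host[/filedir]/"
    try:
        IPv4Address(m.group("host"))          # rejects DNS names and bad octets
    except AddressValueError:
        return "host must be a dotted-decimal IPv4 address; DNS names are not recognized"
    if m.group("scheme") == "tftp" and m.group("user") is not None:
        return "tftp URLs carry no user name or password"
    return ""


if __name__ == "__main__":
    for u in ("tftp://192.168.0.1/switches/opcode/", "tftp://fileserver/opcode/",
              "ftp://admin:secret@192.168.0.1/opcode/", "tftp://192.168.0.1/opcode"):
        print(u, "->", validate_upgrade_url(u) or "ok")
    print(validate_switch_filename(".hidden") or "ok")
```

Run the script before publishing an image directory and use the messages to correct the URL rather than discovering the problem at the switch's next boot. A caveat that follows from the feature as described: neither FTP nor TFTP authenticates the file server or protects the image in transit, and the switch installs and reboots into whatever newer file it finds, so the server and the path in the URL should be reachable only from the management network and writable only by the people who stage firmware.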
If a new image is found at the specified location, messages of the following type will be displayed during bootup.
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
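Because the automatic upgrade replaces the startup image and reboots without operator confirmation, console output captured during boot is the only record of what happened. The following parser is an added example, not Edge-core code: it scans captured console output for the "New image detected" message quoted above, records whether flash programming completed, and raises an alert when the new version is not on an approved list or is older than the running version. The sample log is constructed to match the message format shown in this guide; the approved-version list and the alert wording are assumptions of this example.

```python
"""Detect Automatic Operation Code Upgrade events in captured console
output and flag ones that were not approved.  Added example; the message
formats follow the boot output quoted in this guide."""
import re
from typing import List, Set, Tuple

# Constructed sample, matching the boot-time messages shown in the guide.
SAMPLE_BOOT_LOG = """\
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
"""

DETECTED_RE = re.compile(
    r"New image detected: current version (?P<cur>[\d.]+); new version (?P<new>[\d.]+)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.0.1.5' -> (1, 0, 1, 5); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))


def find_upgrades(log: str) -> List[Tuple[str, str, bool]]:
    """Return (current, new, flash_completed) for each upgrade announced in log."""
    events = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = DETECTED_RE.search(line)
        if m:
            # Only a completed flash write means the startup image changed.
            completed = any("Flash programming completed" in later for later in lines[i:])
            events.append((m.group("cur"), m.group("new"), completed))
    return events


def audit_upgrades(log: str, approved: Set[str]) -> List[str]:
    """One alert per upgrade whose target version is unapproved or is a rollback."""
    alerts = []
    for cur, new, completed in find_upgrades(log):
        if parse_version(new) <= parse_version(cur):
            alerts.append(f"rollback: {cur} -> {new}")
        if new not in approved:
            alerts.append(f"unapproved image {new} (was {cur}), flashed={completed}")
    return alerts


if __name__ == "__main__":
    for alert in audit_upgrades(SAMPLE_BOOT_LOG, approved={"1.0.1.5"}):
        print("ALERT:", alert)
```

Feed it the console capture from a terminal server or the syslog messages if the switch is configured to forward them; a version that was never released to the file server by your change process, or a version lower than the one that was running, is the signal that someone other than you controls the upgrade directory.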
CHAPTER 4 | Basic Management Tasks Setting the System Clock ◆ Day – Sets the day of the month. (Range: 1-31) ◆ Year – Sets the year. (Range: 1970-2037) WEB INTERFACE To manually set the system clock: 1. Click System, then Time. 2. Select Configure General from the Step list. 3. Select Manually from the Maintain Type list. 4. Enter the time and date in the appropriate fields. 5.
3. Select SNTP from the Maintain Type list. 4. Modify the polling interval if required. 5. Click Apply. Figure 13: Setting the Polling Interval for SNTP SPECIFYING SNTP TIME SERVERS Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers.
Figure 14: Specifying SNTP Time Servers SETTING THE TIME ZONE Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
CHAPTER 4 | Basic Management Tasks Setting the System Clock WEB INTERFACE To set your local time zone: 1. Click System, then Time. 2. Select Configure Time Zone from the Action list. 3. Set the offset for your time zone relative to the UTC in hours and minutes using either a predefined or custom definition. 4. Click Apply.
PARAMETERS The following parameters are displayed: ◆ Summer Time in Effect – Indicates whether or not Summer Time settings are currently in use. ◆ Status – Enables or disables Summer Time settings. ◆ Name – Name of the time zone while Summer Time is in effect, usually an acronym. (Range: 1-30 characters) ◆ Mode (Date) – Sets the start, end, and offset times of summer time on a one-time basis.
CHAPTER 4 | Basic Management Tasks Configuring the Console Port CONFIGURING THE CONSOLE PORT Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password (only configurable through the CLI), time outs, and basic communication settings.
CHAPTER 4 | Basic Management Tasks Configuring the Console Port NOTE: Due to a hardware limitation, the terminal program connected to the console port must be set to 8 data bits when using Auto baud rate detection. NOTE: The password for the console connection can only be configured through the CLI (see "password" on page 548). NOTE: Password checking can be enabled or disabled for logging in to the console connection (see "login" on page 547).
CHAPTER 4 | Basic Management Tasks Configuring Telnet Settings CONFIGURING TELNET SETTINGS Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. Note that the password is only configurable through the CLI.
WEB INTERFACE To configure Telnet settings: 1. Click System, then Telnet. 2. Specify the connection parameters as required. 3. Click Apply. Figure 18: Telnet Connection Settings DISPLAYING CPU UTILIZATION Use the System > CPU Utilization page to display information on CPU utilization.
CHAPTER 4 | Basic Management Tasks Displaying Memory Utilization Figure 19: Displaying CPU Utilization DISPLAYING MEMORY UTILIZATION Use the System > Memory Status page to display memory utilization parameters. CLI REFERENCES ◆ "show memory" on page 527 PARAMETERS The following parameters are displayed: ◆ Free Size – The amount of memory currently free for use. ◆ Used Size – The amount of memory allocated to active processes. ◆ Total – The total amount of system memory.
CHAPTER 4 | Basic Management Tasks Resetting the System WEB INTERFACE To display memory utilization: 1. Click System, then Memory Status. Figure 20: Displaying Memory Utilization RESETTING THE SYSTEM Use the System > Reload menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
CHAPTER 4 | Basic Management Tasks Resetting the System ◆ Refresh – Refreshes reload information. Changes made through the console or to system time may need to be refreshed to display the current settings. ◆ Cancel – Cancels the current settings shown in this field. System Reload Configuration ◆ Reload Mode – Restarts the switch immediately or at the specified time(s). ■ Immediately – Restarts the system immediately. ■ In – Specifies an interval after which to reload the switch.
CHAPTER 4 | Basic Management Tasks Resetting the System Save Current Settings ◆ Save – Click this button to save the current configuration settings. Use Factory Default Settings and Reboot ◆ Factory Default Settings & Reboot – Click this button to restore the factory default settings and reboot the system. WEB INTERFACE To restart the switch: 1. Click System, then Reload. 2. Select the required reload mode. 3. For any option other than to reset immediately, fill in the required parameters 4.
Figure 22: Restarting the Switch (In) Figure 23: Restarting the Switch (At)
Figure 24: Restarting the Switch (Regularly)
5 INTERFACE CONFIGURATION This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch. ◆ Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
CHAPTER 5 | Interface Configuration Port Configuration COMMAND USAGE ◆ Auto-negotiation must be disabled before you can configure or force an RJ-45 interface to use the Speed/Duplex mode or Flow Control options. ◆ When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities.
■ FC - Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) PAUSE frames for full-duplex operation.
Figure 25: Configuring Connections by Port List CONFIGURING BY PORT RANGE Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control. For more information on command usage and a description of the parameters, refer to "Configuring by Port List" on page 127.
Figure 26: Configuring Connections by Port Range DISPLAYING CONNECTION STATUS Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI REFERENCES ◆ "show interfaces status" on page 741 PARAMETERS These parameters are displayed: ◆ Port – Port identifier. ◆ Type – Indicates the port type.
WEB INTERFACE To display port connection parameters: 1. Click Interface, Port, General. 2. Select Show Information from the Action List. Figure 27: Displaying Port Information CONFIGURING LOCAL PORT MIRRORING Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
MAC Address Mirroring" on page 200), the target port cannot be the same as the target port used for port mirroring by this command. ◆ When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring. ◆ Note that Spanning Tree BPDU packets are not mirrored to the target port.
To display the configured mirror sessions: 1. Click Interface, Port, Mirror. 2. Select Show from the Action List. Figure 30: Displaying Local Port Mirror Sessions CONFIGURING REMOTE PORT MIRRORING Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section). ◆ Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the VLAN Static List (see "Configuring VLAN Groups" on page 170) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN” field on this page). (Default VLAN 1 is prohibited.) 2.
CHAPTER 5 | Interface Configuration Port Configuration still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. ■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. Also note that a destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Figure 33: Configuring Remote Port Mirroring (Intermediate) Figure 34: Configuring Remote Port Mirroring (Destination) SHOWING PORT OR TRUNK STATISTICS Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
CHAPTER 5 | Interface Configuration Port Configuration CLI REFERENCES ◆ "show interfaces counters" on page 740 PARAMETERS These parameters are displayed: Table 7: Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface, including framing characters. Transmitted Octets The total number of octets transmitted out of the interface, including framing characters.
Table 7: Port Statistics (Continued) Parameter Description Deferred Transmissions A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy. Frames Too Long A count of frames received on a particular interface that exceed the maximum permitted frame size. Alignment Errors The number of alignment errors (frames that do not end on an octet boundary).
CHAPTER 5 | Interface Configuration Port Configuration Table 7: Port Statistics (Continued) Parameter Description Utilization Statistics Received Octet Rate Number of octets entering this interface in kbits per second. Received Packet Rate Number of packets entering this interface in packets per second. Received Utilization The input utilization rate for this interface. Transmitted Octet Rate Number of octets leaving this interface in kbits per second.
To show a chart of port statistics: 1. Click Interface, Port, Chart. 2. Select the statistics mode to display (Interface, Etherlike, RMON or All). 3. If Interface, Etherlike, or RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
CHAPTER 5 | Interface Configuration Port Configuration COMMAND USAGE ◆ Cable diagnostics are performed using Time Domain Reflectometry (TDR) test methods. TDR analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse. ◆ This cable test is only accurate for Gigabit Ethernet cables 0 - 250 meters long. ◆ The test takes approximately 5 seconds.
CHAPTER 5 | Interface Configuration Trunk Configuration WEB INTERFACE To test the cable attached to a port: 1. Click Interface, Port, Cable Test. 2. Click Test for any port to start the cable test. Figure 37: Performing Cable Tests TRUNK CONFIGURATION This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
CHAPTER 5 | Interface Configuration Trunk Configuration COMMAND USAGE Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
CHAPTER 5 | Interface Configuration Trunk Configuration note that the static trunks on this switch are Cisco EtherChannel compatible. ◆ To avoid creating a loop in the network, be sure you add a static trunk via the configuration interface before connecting the ports, and also disconnect the ports before removing a static trunk via the configuration interface. PARAMETERS These parameters are displayed: ◆ Trunk ID – Trunk identifier.
CHAPTER 5 | Interface Configuration Trunk Configuration Figure 40: Configuring Connection Parameters for a Static Trunk To show the static trunks configured on the switch: 1. Click Interface, Trunk, Static. 2. Select Configure General from the Step list. 3. Select Show Information from the Action list.
CHAPTER 5 | Interface Configuration Trunk Configuration COMMAND USAGE ◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
By default, the Actor Admin Key is determined by the port's link speed, and copied to the Oper Key. The Partner Admin Key is assigned to zero, and the Oper Key is set based upon LACP PDUs received from the Partner. ◆ System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
CHAPTER 5 | Interface Configuration Trunk Configuration WEB INTERFACE To configure the admin key for a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregator from the Step list. 3. Set the Admin Key for the required LACP group. 4. Click Apply. Figure 43: Configuring the LACP Aggregator Admin Key To enable LACP for a port: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Configure from the Action list. 4. Click General. 5.
CHAPTER 5 | Interface Configuration Trunk Configuration To configure LACP parameters for group members: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Configure from the Action list. 4. Click Actor or Partner. 5. Configure the required settings. 6. Click Apply. Figure 45: Configuring LACP Parameters on a Port To configure the connection parameters for a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Trunk from the Step list.
CHAPTER 5 | Interface Configuration Trunk Configuration Figure 46: Configuring Connection Parameters for a Dynamic Trunk To show the connection parameters for a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Trunk from the Step list. 3. Select Show from the Action list. Figure 47: Showing Connection Parameters for Dynamic Trunks To show the port members of dynamic trunks: 1. Click Interface, Trunk, Dynamic. 2. Select Configure General from the Step list. 3.
DISPLAYING LACP PORT COUNTERS Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI REFERENCES ◆ "show lacp" on page 756 PARAMETERS These parameters are displayed: Table 8: LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group.
CHAPTER 5 | Interface Configuration Trunk Configuration WEB INTERFACE To display LACP port counters: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Show Information from the Action list. 4. Click Counters. 5. Select a group member from the Port list.
CHAPTER 5 | Interface Configuration Trunk Configuration Table 9: LACP Internal Configuration Information (Continued) Parameter Description Admin State, Oper State ◆ Expired – The actor’s receive machine is in the expired state; ◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner. ◆ Distributing – If false, distribution of outgoing frames on this link is disabled; i.e.
CHAPTER 5 | Interface Configuration Trunk Configuration WEB INTERFACE To display LACP settings and status for the local side: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Show Information from the Action list. 4. Click Internal. 5. Select a group member from the Port list.
CHAPTER 5 | Interface Configuration Trunk Configuration Table 10: LACP Remote Device Configuration Information (Continued) Parameter Description Partner Oper Port Number Operational port number assigned to this aggregation port by the port’s protocol partner. Port Admin Priority Current administrative value of the port priority for the protocol partner. Port Oper Priority Priority value assigned to this aggregation port by the partner.
CONFIGURING TRUNK MIRRORING Use the Interface > Trunk > Mirror page to mirror traffic from any source trunk to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source trunk in a completely unobtrusive manner.
CHAPTER 5 | Interface Configuration Saving Power 2. Select Add from the Action List. 3. Specify the source trunk. 4. Specify the monitor port. 5. Specify the traffic type to be mirrored. 6. Click Apply. Figure 53: Configuring Trunk Mirroring To display the configured mirror sessions: 1. Click Interface, Trunk, Mirror. 2. Select Show from the Action List. Figure 54: Displaying Trunk Mirror Sessions SAVING POWER Use the Interface > Green Ethernet page to enable power savings mode on the selected port.
CHAPTER 5 | Interface Configuration Saving Power Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity. ◆ The power-saving methods provided by this switch include: ■ Power saving when there is no link partner: Under normal operation, the switch continuously auto-negotiates to find a link partner, keeping the MAC interface powered up even if no link connection exists.
CHAPTER 5 | Interface Configuration Traffic Segmentation 3. Click Apply. Figure 55: Enabling Power Savings TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic between clients on different downlink ports. Data traffic on downlink ports is only forwarded to, and from, uplink ports.
CHAPTER 5 | Interface Configuration Traffic Segmentation Figure 56: Enabling Traffic Segmentation CONFIGURING UPLINK Use the Interface > Traffic Segmentation (Configure Session) page to AND DOWNLINK PORTS assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
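The uplink/downlink rules above can be checked rather than trusted. The following is an added example, not the switch's own code or anything from this guide: it encodes the segmentation policy as a forwarding decision and audits observed flows (for instance from a mirror-port capture) against it, so a misconfigured session shows up as client-to-client flows that should not exist. The class and function names, the port assignments and the flow records are all constructed for this example.

```python
"""Port-based traffic segmentation, modelled as a forwarding policy.

Added example; not the switch's own code. Rules from the guide: downlink
ports may only exchange traffic with uplink ports, uplink ports may talk
to any port, and ports outside the session are unaffected.
"""
from dataclasses import dataclass, field


@dataclass
class SegmentationSession:
    uplinks: set = field(default_factory=set)
    downlinks: set = field(default_factory=set)

    def add_member(self, port: int, direction: str) -> None:
        """Mirror the page's Direction choice: a port is Uplink or Downlink, never both."""
        if direction == "uplink":
            self.downlinks.discard(port)
            self.uplinks.add(port)
        elif direction == "downlink":
            self.uplinks.discard(port)
            self.downlinks.add(port)
        else:
            raise ValueError(f"direction must be 'uplink' or 'downlink', got {direction!r}")

    def allows(self, ingress: int, egress: int) -> bool:
        """True if a frame received on `ingress` may be forwarded out of `egress`."""
        if ingress == egress:
            return False
        if ingress in self.downlinks:
            return egress in self.uplinks      # downlink -> uplink only
        if egress in self.downlinks:
            return ingress in self.uplinks     # only an uplink may reach a downlink
        return True                            # uplink or unsegmented port: normal forwarding


def audit_flows(session: SegmentationSession, flows):
    """Return the (ingress, egress, src_mac, dst_mac) records the policy should have blocked."""
    return [f for f in flows if not session.allows(f[0], f[1])]


# Constructed sample session: clients on ports 1-8 are downlinks, ports 25-26 are uplinks.
SAMPLE_SESSION = SegmentationSession()
for _p in range(1, 9):
    SAMPLE_SESSION.add_member(_p, "downlink")
for _p in (25, 26):
    SAMPLE_SESSION.add_member(_p, "uplink")

# Constructed flow records: (ingress port, egress port, source MAC, destination MAC).
SAMPLE_FLOWS = [
    (1, 25, "00-10-00-00-00-01", "00-10-00-00-00-99"),   # client -> provider: allowed
    (25, 3, "00-10-00-00-00-99", "00-10-00-00-00-03"),   # provider -> client: allowed
    (1, 2, "00-10-00-00-00-01", "00-10-00-00-00-02"),    # client -> client: must be blocked
    (10, 4, "00-10-00-00-00-10", "00-10-00-00-00-04"),   # unsegmented port -> client: blocked
    (10, 11, "00-10-00-00-00-10", "00-10-00-00-00-11"),  # two unsegmented ports: allowed
]

if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_SESSION, SAMPLE_FLOWS):
        print("segmentation violated:", flow)
```

Any record returned by `audit_flows` is a flow the session should have isolated; seeing one in a capture means either the session members are wrong or traffic is reaching the switch on a port outside the session.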
4. Select Uplink or Downlink in the Direction list to add a group member.
5. Click Apply.
Figure 57: Configuring Members for Traffic Segmentation

VLAN TRUNKING
Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.

in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
◆ VLAN trunking is mutually exclusive with the "access" switchport mode (see "Adding Static Members to VLANs" on page 171). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.

Figure 59: Configuring VLAN Trunking
6 VLAN CONFIGURATION
This chapter includes the following topics:
◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
◆ Protocol VLANs – Configures VLAN groups based on specified protocols.

CHAPTER 6 | VLAN Configuration IEEE 802.1Q VLANs

since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features:
◆ Up to 256 VLANs based on the IEEE 802.

receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.

Figure 61: Using GVRP

Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.

◆ Status – Enables or disables the specified VLAN.
◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 134).
WEB INTERFACE
To create VLAN groups:
1. Click VLAN, Static.
2. Select Configure VLAN from the Action list.
3. Enter a VLAN ID or range of IDs.
4. Mark Enabled to configure the VLAN as operational.
5. Mark Remote VLAN to use it for RSPAN.
6. Click Add.

PARAMETERS
These parameters are displayed:
Modify VLAN and Member Ports
◆ VLAN – ID of configured VLAN (1-4094).
◆ VLAN Name – Name of the VLAN (1 to 32 characters).
◆ Status – Enables or disables the specified VLAN.
◆ Remote VLAN – Shows if RSPAN is enabled on this VLAN (see "Configuring VLAN Groups" on page 170).
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-26)
◆ Trunk – Trunk Identifier.

◆ Ingress Filtering – Determines how to process frames tagged for VLANs for which the ingress port is not a member. (Default: Disabled)
■ Ingress filtering only affects tagged frames.
■ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).

NOTE: The PVID, acceptable frame type, and ingress filtering parameters for each interface within the specified range must be configured on either the Modify VLAN and Member Ports or Edit Member by Interface page.
WEB INTERFACE
To configure static members by the VLAN index:
1. Click VLAN, Static.
2. Select Modify VLAN and Member Ports from the Action list.
3. Set the Interface type to display as Port or Trunk.
4.

Figure 64: Configuring Static VLAN Members by Interface
To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required.

CONFIGURING DYNAMIC VLAN
Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.

Show Dynamic VLAN – Show VLAN
◆ VLAN ID – Identifier of a VLAN this switch has joined through GVRP.
◆ VLAN Name – Name of a VLAN this switch has joined through GVRP.
◆ Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled)
Show Dynamic VLAN – Show VLAN Member
◆ VLAN – Identifier of a VLAN this switch has joined through GVRP.
◆ Interface – Displays a list of ports or trunks which have joined the selected VLAN through GVRP.

Figure 67: Configuring GVRP for an Interface
To show the dynamic VLANs joined by this switch:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN from the Action list.
Figure 68: Showing Dynamic VLANs Registered on the Switch
To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.

IEEE 802.1Q TUNNELING
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.

Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
◆ Untagged
◆ One tag (CVLAN or SPVLAN)
◆ Double tag (CVLAN + SPVLAN)
The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner:
1.

Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN.

ENABLING QINQ TUNNELING ON THE SWITCH
Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider's metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
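The three packet forms listed for a tunnel uplink port (untagged, one tag, double tag) and the TPID setting are easiest to understand by parsing the tag stack yourself. The following added example is not the switch's own code or anything from this guide: it walks the Ethernet header, treats every ethertype in a configurable TPID set as a VLAN tag, and shows why the TPID matters, since a frame whose outer tag uses a TPID the parser does not recognise is classified as untagged. The frame builder, the example TPID value 0x9100 and the sample frames are constructed for this example.

```python
"""Parse the VLAN tag stack of an Ethernet frame (added example, not the switch's code)."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100    # standard 802.1Q TPID
TPID_8021AD = 0x88A8   # 802.1ad service-tag TPID
TPID_LEGACY = 0x9100   # constructed example of a nonstandard provider TPID
DEFAULT_TPIDS = (TPID_8021Q, TPID_8021AD)


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    tags: list        # [(tpid, pcp, dei, vid), ...], outermost first
    ethertype: int    # first ethertype that is not a recognised TPID
    payload: bytes


def parse_tags(frame: bytes, tpids=DEFAULT_TPIDS) -> ParsedFrame:
    """Walk the header, peeling one 4-byte tag for every ethertype found in `tpids`."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in tpids:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return ParsedFrame(dst, src, tags, ethertype, frame[offset + 2:])


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Build a frame with the given tag stack (outermost first); used to construct sample input."""
    out = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def classify(frame: bytes, tpids=DEFAULT_TPIDS) -> str:
    """Map a frame to the cases the guide lists for a tunnel uplink port."""
    n = len(parse_tags(frame, tpids).tags)
    return {0: "untagged", 1: "one tag", 2: "double tag"}.get(n, f"{n} tags")


# Constructed sample frames: broadcast destination, a made-up source, IPv4 ethertype, dummy payload.
_DST, _SRC, _PAYLOAD = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", b"\x00" * 46
UNTAGGED = build_frame(_DST, _SRC, [], 0x0800, _PAYLOAD)
SINGLE_TAGGED = build_frame(_DST, _SRC, [(TPID_8021Q, 5, 0, 10)], 0x0800, _PAYLOAD)
DOUBLE_TAGGED = build_frame(_DST, _SRC, [(TPID_8021AD, 0, 0, 100), (TPID_8021Q, 5, 0, 10)],
                            0x0800, _PAYLOAD)
# Outer SPVLAN tag carried with the nonstandard TPID: looks untagged unless the TPID is configured.
LEGACY_OUTER = build_frame(_DST, _SRC, [(TPID_LEGACY, 0, 0, 100), (TPID_8021Q, 5, 0, 10)],
                           0x0800, _PAYLOAD)
```

`classify(LEGACY_OUTER)` returns "untagged" with the default TPIDs and "double tag" once 0x9100 is added to the set, which is the mismatch the global TPID setting on this page exists to avoid.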
Figure 71: Enabling QinQ Tunneling

ADDING AN INTERFACE TO A QINQ TUNNEL
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
CLI REFERENCES
◆ "Configuring IEEE 802.

WEB INTERFACE
To add an interface to a QinQ tunnel:
1. Click VLAN, Tunnel.
2. Select Configure Interface from the Step list.
3. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink.
4. Click Apply.
Figure 72: Adding an Interface to a QinQ Tunnel

PROTOCOL VLANS
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.

3. Then map the protocol for each interface to the appropriate VLAN using the Configure Interface (Add) page.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.

CONFIGURING PROTOCOL VLAN GROUPS
Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.

7. Click Apply.
Figure 73: Configuring Protocol VLANs
To show the configured protocol groups:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.
Figure 74: Displaying Protocol VLANs

MAPPING PROTOCOL GROUPS TO INTERFACES
Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-26)
◆ Trunk – Trunk Identifier.

To show the protocol groups mapped to a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port or trunk.
Figure 76: Showing the Interface to Protocol Group Mapping

CONFIGURING IP SUBNET VLANS
Use the VLAN > IP Subnet page to configure IP subnet-based VLANs.
◆ The IP subnet cannot be a broadcast or multicast IP address.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
PARAMETERS
These parameters are displayed:
◆ IP Address – The IP address for a subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.

To show the configured IP subnet VLANs:
1. Click VLAN, IP Subnet.
2. Select Show from the Action list.
Figure 78: Showing IP Subnet VLANs

CONFIGURING MAC-BASED VLANS
Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to their source MAC addresses.
◆ Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority; Default: 0)
WEB INTERFACE
To map a MAC address to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Add from the Action list.
3. Enter an address in the MAC Address field.
4. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
5. Enter a value to assign to untagged frames in the Priority field.
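The ingress decisions described across this chapter fit into one model: a tagged frame is accepted, dropped by ingress filtering, or flooded although the port is not a member; an untagged frame is classified by MAC-based, then IP subnet-based, then protocol-based rules, and finally by the port's PVID, in the precedence the guide states. The following is an added example, not the switch's own code or anything from this guide, covering both the Ingress Filtering rules and the MAC/IP subnet/protocol/port precedence. The class names, the sample policy and port configuration are constructed; the acceptable-frame-type values and the first-match handling of overlapping subnets are assumptions of this model.

```python
"""Ingress VLAN assignment model (added example, not the switch's code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PortConfig:
    pvid: int = 1
    members: set = field(default_factory=lambda: {1})
    forbidden: set = field(default_factory=set)      # VLANs explicitly forbidden on this port
    ingress_filtering: bool = False                  # guide default: Disabled
    acceptable_frame_types: str = "all"              # "all" or "tagged" (assumed values)
    protocol_groups: dict = field(default_factory=dict)  # ethertype -> VLAN, per-interface mapping


@dataclass
class VlanPolicy:
    mac_vlans: dict = field(default_factory=dict)     # "xx-xx-xx-xx-xx-xx" -> VLAN
    subnet_vlans: list = field(default_factory=list)  # [(ip_network, VLAN)], first match wins

    def classify(self, port: PortConfig, *, tag_vid=None, src_mac="", src_ip=None, ethertype=0):
        """Return ("accept", vid, rule) or ("drop", None, reason) for one ingress frame."""
        if tag_vid is not None:                       # tagged frame: the tag decides
            if tag_vid in port.forbidden:
                return ("drop", None, "VLAN forbidden on this port")
            if tag_vid not in port.members:
                if port.ingress_filtering:
                    return ("drop", None, "ingress filtering: port is not a member")
                return ("accept", tag_vid, "tag (port not a member: flooded)")
            return ("accept", tag_vid, "tag")
        if port.acceptable_frame_types == "tagged":   # untagged frame on a tagged-only port
            return ("drop", None, "acceptable frame type is tagged only")
        vid = self.mac_vlans.get(src_mac.lower().replace(":", "-"))
        if vid is not None:
            return ("accept", vid, "mac-based")
        if src_ip is not None:
            addr = ipaddress.ip_address(src_ip)
            for net, vid in self.subnet_vlans:
                if addr in net:
                    return ("accept", vid, "ip-subnet-based")
        if ethertype in port.protocol_groups:
            return ("accept", port.protocol_groups[ethertype], "protocol-based")
        return ("accept", port.pvid, "pvid")


# Constructed sample policy and port.
POLICY = VlanPolicy(
    mac_vlans={"00-11-22-33-44-55": 30},
    subnet_vlans=[(ipaddress.ip_network("10.1.0.0/16"), 40)],
)
PORT = PortConfig(pvid=10, members={10, 20}, forbidden={99}, ingress_filtering=True,
                  protocol_groups={0x0806: 50})
```

With `ingress_filtering=False` the same policy accepts a frame tagged for a non-member VLAN and floods it, which is the behaviour the guide warns about and the reason to enable filtering on ports facing untrusted devices.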
CONFIGURING VLAN MIRRORING
Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
WEB INTERFACE
To configure VLAN mirroring:
1. Click VLAN, Mirror.
2. Select Add from the Action list.
3. Select the source VLAN, and select a target port.
4. Click Apply.
Figure 81: Configuring VLAN Mirroring
To show the VLANs to be mirrored:
1. Click VLAN, Mirror.
2. Select Show from the Action list.
7 ADDRESS TABLE SETTINGS
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. This chapter describes the following topics:
◆ Static MAC Addresses – Configures static entries in the address table.

CHAPTER 7 | Address Table Settings Setting Static Addresses

PARAMETERS
These parameters are displayed:
◆ VLAN – ID of configured VLAN. (Range: 1-4093)
◆ Interface – Port or trunk associated with the device assigned a static address.
◆ MAC Address – Physical address of a device mapped to this interface. Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
◆ Static Status – Sets the time to retain the specified address.
■ Delete-on-reset – Assignment lasts until the switch is reset.

Figure 84: Displaying Static MAC Addresses

CHANGING THE AGING TIME
Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
CLI REFERENCES
◆ "mac-address-table aging-time" on page 789
PARAMETERS
These parameters are displayed:
◆ Aging Status – Enables/disables the function.

DISPLAYING THE DYNAMIC ADDRESS TABLE
Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
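The learn/age/forward-or-flood cycle this chapter describes, together with port-bound static entries, can be modelled directly. The following is an added example, not the switch's own code or anything from this guide. The page does not say what happens when a frame arrives from a different port carrying a source address that is statically bound elsewhere; in this model the static binding wins and the conflict is reported, since that is the event an operator would want logged. Class and method names and the sample addresses are constructed.

```python
"""Learning bridge address table with aging and port-bound static entries.

Added example; not the switch's own code.
"""
from dataclasses import dataclass

FLOOD = "flood"   # sentinel for "destination unknown: flood to all ports"


@dataclass
class Entry:
    port: int
    learned_at: float    # seconds; ignored for static entries
    static: bool = False


class AddressTable:
    def __init__(self, aging_time: int = 300, aging_enabled: bool = True):
        self.aging_time = aging_time
        self.aging_enabled = aging_enabled
        self._table = {}  # (vlan, mac) -> Entry

    @staticmethod
    def _key(vlan, mac):
        return (vlan, mac.lower().replace(":", "-"))

    def add_static(self, vlan, mac, port):
        """Bind an address to a port; static entries never age out and are never relearned."""
        self._table[self._key(vlan, mac)] = Entry(port, 0.0, static=True)

    def learn(self, vlan, mac, port, now):
        """Learn a source address. Returns True if it conflicts with a static binding (assumption)."""
        key = self._key(vlan, mac)
        entry = self._table.get(key)
        if entry is not None and entry.static:
            return entry.port != port        # static binding kept; report the move attempt
        self._table[key] = Entry(port, now)  # new or refreshed dynamic entry
        return False

    def age(self, now):
        """Drop dynamic entries older than the aging time. Returns the number removed."""
        if not self.aging_enabled:
            return 0
        expired = [k for k, e in self._table.items()
                   if not e.static and now - e.learned_at > self.aging_time]
        for k in expired:
            del self._table[k]
        return len(expired)

    def clear_dynamic(self):
        """The page's Clear Dynamic MAC action: static entries survive."""
        self._table = {k: e for k, e in self._table.items() if e.static}

    def lookup(self, vlan, mac):
        entry = self._table.get(self._key(vlan, mac))
        return entry.port if entry is not None else FLOOD

    def forward(self, vlan, src, dst, in_port, now):
        """Process one frame: learn, age, then pick the egress. Returns (egress, conflict)."""
        conflict = self.learn(vlan, src, in_port, now)
        self.age(now)
        return self.lookup(vlan, dst), conflict


if __name__ == "__main__":
    # Constructed walk-through: a server pinned to port 1, a client learned on port 3.
    table = AddressTable(aging_time=300)
    table.add_static(1, "00-11-22-33-44-55", 1)
    print(table.forward(1, "aa-bb-cc-dd-ee-01", "00-11-22-33-44-55", 3, 0.0))
    print(table.forward(1, "00-11-22-33-44-55", "aa-bb-cc-dd-ee-02", 7, 2.0))  # conflict reported
```

A static entry is the guide's way of pinning a critical device's address to one port; the `conflict` flag is where detection logic would hook in, because a statically bound address showing up on another port is either a cabling change or a spoofed source.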
Figure 86: Displaying the Dynamic MAC Address Table

CLEARING THE DYNAMIC ADDRESS TABLE
Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database.

Figure 87: Clearing Entries in the Dynamic MAC Address Table

CONFIGURING MAC ADDRESS MIRRORING
Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
WEB INTERFACE
To mirror packets based on a MAC address:
1. Click MAC Address, Mirror.
2. Select Add from the Action list.
3. Specify the source MAC address and destination port.
4. Click Apply.
Figure 88: Mirroring Packets Based on the Source MAC Address
To show the MAC addresses to be mirrored:
1. Click MAC Address, Mirror.
2. Select Show from the Action list.
8 SPANNING TREE ALGORITHM
This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.

CHAPTER 8 | Spanning Tree Algorithm Overview

lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

Figure 91: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree
An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 220). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
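Of the three MST Configuration Identifiers, the Configuration Digest is the one operators cannot type in directly: it is derived from the whole VLAN-to-instance mapping, so two switches whose maps differ in a single VLAN land in different regions. The following added example, not the switch's own code or anything from this guide, computes the digest as IEEE 802.1s defines it (HMAC-MD5 with the standard's fixed signature key over the 4096-entry table of 16-bit MSTI numbers for VID 0 through 4095) and compares two bridges' identifiers. The function names and sample configurations are constructed.

```python
"""MST Configuration Digest (added example, not the switch's code)."""
import hashlib
import hmac
import struct

# Signature key defined by IEEE 802.1s for the configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def build_config_table(vlan_to_msti: dict) -> bytes:
    """Return the 8192-byte MST configuration table; unmapped VIDs belong to the CIST (MSTI 0)."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} out of range")
        if not 0 <= msti <= 0xFFFF:
            raise ValueError(f"MSTI {msti} does not fit in 16 bits")
        struct.pack_into("!H", table, vid * 2, msti)
    return bytes(table)


def configuration_digest(vlan_to_msti: dict) -> str:
    """Upper-case hex digest, the form in which switches usually display it."""
    digest = hmac.new(MST_DIGEST_KEY, build_config_table(vlan_to_msti), hashlib.md5)
    return digest.hexdigest().upper()


def same_region(a: dict, b: dict) -> bool:
    """a, b: {"name": str, "revision": int, "map": {vid: msti}} for two bridges."""
    return (a["name"] == b["name"]
            and a["revision"] == b["revision"]
            and configuration_digest(a["map"]) == configuration_digest(b["map"]))


# Constructed sample configurations for three bridges meant to share one region.
CORE_A = {"name": "campus", "revision": 1, "map": {10: 1, 20: 1, 30: 2, 40: 2}}
CORE_B = {"name": "campus", "revision": 1, "map": {10: 1, 20: 1, 30: 2, 40: 2}}
CORE_C = {"name": "campus", "revision": 1, "map": {10: 1, 20: 1, 30: 2}}  # VLAN 40 left in the CIST

if __name__ == "__main__":
    print("default digest:", configuration_digest({}))
    print("A and B share a region:", same_region(CORE_A, CORE_B))
    print("A and C share a region:", same_region(CORE_A, CORE_C))
```

The empty map reproduces the digest every MSTP switch shows with the factory VLAN-to-instance mapping, so the function can be sanity-checked against a switch's own display before being used to diff two intended configurations.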
CONFIGURING LOOPBACK DETECTION
Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode. This loopback state can be released manually or automatically.

◆ Time Left – Time remaining before the shutdown expires.
◆ Release Mode – Configures the interface for automatic or manual loopback release. (Default: Auto)
◆ Release – Allows an interface to be manually released from discard mode. This is only available if the interface is configured for manual release mode.
WEB INTERFACE
To configure loopback detection:
1. Click Spanning Tree, Loopback Detection.
2.

This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.

■ RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
■ MSTP: Multiple Spanning Tree (IEEE 802.1s)
◆ Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
◆ Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.

4. Modify any of the required attributes. Note that the parameters displayed for the spanning tree types (STP, RSTP, MSTP) vary as described in the preceding section.
5.

Figure 96: Configuring Global Settings for STA (MSTP)

DISPLAYING GLOBAL SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
◆ Root Path Cost – The path cost from the root port on this switch to the root device.
◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured.
◆ Last Topology Change – Time since the Spanning Tree was last reconfigured.
WEB INTERFACE
To display global STA settings:
1.

CLI REFERENCES
◆ "Spanning Tree Commands" on page 795
PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Admin Edge Status for all ports – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
◆ Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
◆ Root Guard – STA allows a bridge with a lower bridge identifier (or same identifier and lower MAC address) to take over as the root bridge at any time. Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location.
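Root election and Root Guard are two sides of the same rule: the bridge with the best identifier wins, and Root Guard decides whether a port is allowed to learn about a better one. The following added example, not the switch's own code or anything from this guide, models the election order given under Priority above (highest priority, i.e. lowest numeric value, then lowest MAC address) and the takeover that Root Guard prevents on a guarded port. Names and the sample bridges are constructed, and the rule at the end that a guarded port recovers once superior BPDUs stop arriving is an assumption of this model.

```python
"""STA root election and the effect of Root Guard (added example, not the switch's code)."""
from dataclasses import dataclass


def bridge_key(priority: int, mac: str):
    """Sort key for bridge identifiers: lower priority value wins, then lower MAC address."""
    return (priority, int(mac.replace("-", "").replace(":", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges: {name: (priority, mac)}. Returns the name of the bridge that becomes root."""
    return min(bridges, key=lambda name: bridge_key(*bridges[name]))


@dataclass
class StaPort:
    name: str
    root_guard: bool = False
    state: str = "forwarding"


def receive_bpdu(port: StaPort, current_root: tuple, advertised_root: tuple) -> tuple:
    """Apply one BPDU's root claim arriving on `port`; returns the root identifier in effect."""
    if bridge_key(*advertised_root) < bridge_key(*current_root):
        if port.root_guard:
            # Superior BPDU on a guarded port: the claim is ignored and the port is blocked.
            port.state = "discarding"
            return current_root
        return advertised_root                 # unguarded port: the takeover succeeds
    if port.root_guard and port.state == "discarding":
        port.state = "forwarding"              # assumption: recover once superior BPDUs stop
    return current_root


# Constructed sample: a core bridge with priority 4096 and two access bridges at the default 32768.
BRIDGES = {
    "core":   (4096, "00-00-5E-00-01-01"),
    "edge-1": (32768, "00-00-5E-00-01-22"),
    "edge-2": (32768, "00-00-5E-00-01-15"),
}

if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    unexpected = (0, "00-00-5E-00-01-99")      # a device advertising priority 0 on an access port
    guarded = StaPort("port 8", root_guard=True)
    print("root after BPDU on guarded port:", receive_bpdu(guarded, BRIDGES["core"], unexpected),
          "port state:", guarded.state)
```

Without Root Guard the last line would report the unexpected device as root, which is the suboptimal (and, on an access port, unplanned) root location the guide describes; with it the intended core stays root and the offending port goes to discarding, an event worth alerting on.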
Figure 98: Configuring Interface Settings for STA

DISPLAYING INTERFACE SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.
CLI REFERENCES
◆ "show spanning-tree" on page 818
PARAMETERS
These parameters are displayed:
◆ Spanning Tree – Shows if STA has been enabled on this interface.
The rules defining port status are:
■ A port on a network segment with no other STA compliant bridging device is always forwarding.
■ If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.

Figure 99: STA Port Roles
R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port
An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. A backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
WEB INTERFACE
To display interface settings for STA:
1.

CONFIGURING MULTIPLE SPANNING TREES
Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 795
COMMAND USAGE
MSTP generates a unique spanning tree for each instance.
WEB INTERFACE
To create instances for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global - Add Member) page. If the priority is not specified, the default value 32768 is used.
5. Click Apply.
To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5. Enter the VLAN group to add to the instance in the VLAN ID field. Note that the specified member does not have to be a configured VLAN.
6.

CONFIGURING INTERFACE SETTINGS FOR MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 795
PARAMETERS
These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Default: 0)
◆ Interface – Displays a list of ports or trunks.
The recommended range is listed in Table 11 on page 215. The default path costs are listed in Table 12 on page 215.
WEB INTERFACE
To configure MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Enter the priority and path cost for an interface.
5. Click Apply.
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
9 CONGESTION CONTROL
The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.

CHAPTER 9 | Congestion Control Rate Limiting

For example, a Gigabit port has a 10 ms window size, so there are 100 scales per second, each scale having a bandwidth of 10 Mbps, and using an inter-packet gap of 20 bytes. Therefore, when the rate limit is set at 64 kbit/s, each scale has a shared bandwidth of 80 bytes. When the packet size = 64 bytes, and the gap = 20 bytes, each packet = 84 bytes > 80 bytes. Only one packet can pass through in each scale.

NOTE: Due to a chip limitation, the switch supports only one limit for both ingress rate limiting and storm control (including broadcast, unknown unicast, and multicast storms).
PARAMETERS
These parameters are displayed:
◆ Port – Displays the port number.
◆ Type – Indicates the port type. (100Base-TX, 1000Base-T, 100Base SFP, or 1000Base SFP)
◆ Status – Enables or disables the rate limit. (Default: Disabled)
◆ Rate – Sets the rate limit level.

You can protect your network from traffic storms by setting a threshold for broadcast, multicast or unknown unicast traffic. Any packets exceeding the specified threshold will then be dropped.
CLI REFERENCES
◆ "switchport packet-rate" on page 737
COMMAND USAGE
◆ Storm Control is disabled by default.
◆ Broadcast control does not affect IP multicast traffic.
◆ Multicast – Specifies storm control for multicast traffic.
◆ Broadcast – Specifies storm control for broadcast traffic.
◆ Status – Enables or disables storm control. (Default: Disabled)
◆ Rate – Threshold level as a rate; i.e., kilobits per second. (Range: 64-100000 Kbps for Fast Ethernet, 64-1000000 Kbps for Gigabit Ethernet)
NOTE: Only one rate is supported for all traffic types on an interface.

AUTOMATIC TRAFFIC CONTROL
Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.
CLI REFERENCES
◆ "Automatic Traffic Control Commands" on page 773
COMMAND USAGE
ATC includes storm control for broadcast or multicast traffic.
◆ The traffic control response of rate limiting can be released automatically or manually. The control response of shutting down a port can only be released manually.
Figure 110: Storm Control by Shutting Down a Port
The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

been shut down by a control response, it must be manually re-enabled using the Manual Control Release (see page 235).
PARAMETERS
These parameters are displayed:
◆ Broadcast Apply Timer – The interval after the upper threshold has been exceeded at which to apply the control response to broadcast storms.

CONFIGURING ATC THRESHOLDS AND RESPONSES
Use the Traffic > Congestion Control > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
◆ Alarm Fire Threshold – The upper threshold for ingress traffic beyond which a storm control response is triggered after the Apply Timer expires. (Range: 1-255 kilo-packets per second; Default: 128 Kpps) Once the traffic rate exceeds the upper threshold and the Apply Timer expires, a trap message will be sent if configured by the Trap Storm Fire attribute.
WEB INTERFACE
To configure the response timers for automatic storm control:
1. Click Traffic, Congestion Control, Automatic Storm Control.
2. Select Configure Interface from the Step field.
3. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
4. Click Apply.
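The interaction between the Alarm Fire Threshold, the Apply Timer, the control response and the release rules described above is easiest to see as a state machine fed with per-second traffic samples. The following is an added example, not the switch's own code or anything from this guide: a storm must stay above the upper threshold for the Apply Timer interval before the response is applied and the "storm fire" trap is raised; a rate-limit response is released automatically once traffic stays below the lower threshold for the release interval, while a shutdown response waits for Manual Control Release. The field names, the lower-threshold and timer defaults, and the event names other than "storm fire" are assumptions of this model; the traffic samples are constructed.

```python
"""Automatic Traffic Control (ATC) response timing, simulated (added example, not the switch's code)."""
from dataclasses import dataclass, field


@dataclass
class AtcConfig:
    fire_threshold_kpps: int = 128    # Alarm Fire Threshold (guide default: 128 Kpps)
    clear_threshold_kpps: int = 64    # lower threshold; assumed default
    apply_timer_s: int = 3            # seconds above the upper threshold before responding; assumed
    release_timer_s: int = 3          # seconds below the lower threshold before auto release; assumed
    response: str = "rate-limit"      # "rate-limit" or "shutdown"
    auto_release: bool = True         # only meaningful for the rate-limit response
    trap_on_fire: bool = True         # the page's Trap Storm Fire attribute


@dataclass
class AtcState:
    applied: bool = False
    port_shut_down: bool = False
    above_for: int = 0
    below_for: int = 0
    events: list = field(default_factory=list)   # (second, description)


def step(cfg: AtcConfig, st: AtcState, t: int, rate_kpps: int) -> None:
    """Advance the state machine by one one-second traffic sample."""
    if not st.applied:
        st.above_for = st.above_for + 1 if rate_kpps > cfg.fire_threshold_kpps else 0
        if st.above_for >= cfg.apply_timer_s:
            st.applied, st.above_for = True, 0
            if cfg.trap_on_fire:
                st.events.append((t, "trap: storm fire"))
            st.events.append((t, f"apply {cfg.response}"))
            if cfg.response == "shutdown":
                st.port_shut_down = True
        return
    if cfg.response == "shutdown" or not cfg.auto_release:
        return                                   # stays applied until manual_release()
    st.below_for = st.below_for + 1 if rate_kpps < cfg.clear_threshold_kpps else 0
    if st.below_for >= cfg.release_timer_s:
        st.applied, st.below_for = False, 0
        st.events.append((t, "auto release rate-limit"))


def manual_release(st: AtcState, t: int) -> None:
    """The page's Manual Control Release: the only way back for a shut-down port."""
    st.applied, st.port_shut_down, st.above_for, st.below_for = False, False, 0, 0
    st.events.append((t, "manual release"))


def run(cfg: AtcConfig, samples) -> AtcState:
    st = AtcState()
    for t, rate in enumerate(samples):
        step(cfg, st, t, rate)
    return st


# Constructed sample: 3 s quiet, a 6 s broadcast storm at 300 Kpps, then quiet again.
STORM = [10] * 3 + [300] * 6 + [10] * 6

if __name__ == "__main__":
    for cfg in (AtcConfig(), AtcConfig(response="shutdown")):
        print(cfg.response, run(cfg, STORM).events)
```

Run against the same sample, the rate-limit configuration applies at second 5 and releases itself at second 11, while the shutdown configuration applies at second 5 and stays applied; the choice between the two is a trade-off between a port that recovers on its own and one that stays down until someone looks at it.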
10 CLASS OF SERVICE
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch's priority queues.

CHAPTER 10 | Class of Service Layer 2 Queue Settings

frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface.

COMMAND USAGE
◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
◆ WRR queuing specifies a relative weight for each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
◆ Weight – Sets a weight for each queue which is used by the WRR scheduler. (Range: 1-255; Default: Weights 1, 2, 4 and 6 are assigned to queues 0 - 3 respectively)
WEB INTERFACE
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4.
CHAPTER 10 | Class of Service Layer 2 Queue Settings Figure 116: Setting the Queue Mode (Strict and WRR) MAPPING COS VALUES Use the Traffic > Priority > PHB to Queue page to specify the hardware TO EGRESS QUEUES output queues to use based on the internal per-hop behavior value. (For more information on exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see "Mapping CoS Priorities to Internal DSCP Values" on page 249).
CHAPTER 10 | Class of Service Layer 2 Queue Settings Table 15: CoS Priority Levels (Continued) Priority Level Traffic Type 6 Voice, less than 10 milliseconds latency and jitter 7 Network Control CLI REFERENCES ◆ "qos map phb-queue" on page 865 COMMAND USAGE ◆ Egress packets are placed into the hardware queues according to the mapping defined by this command. ◆ The default internal PHB to output queue mapping is shown below.
CHAPTER 10 | Class of Service Layer 3/4 Priority Settings Figure 117: Mapping CoS Values to Egress Queues To show the internal PHB to hardware queue map: 1. Click Traffic, Priority, PHB to Queue. 2. Select Show from the Action list. Figure 118: Showing CoS Values to Egress Queue Mapping LAYER 3/4 PRIORITY SETTINGS Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
NOTE: The default settings used for mapping priority values from ingress traffic to internal DSCP values are used to determine the hardware queues used for egress traffic, not to replace the priority values. These defaults are designed to optimize priority services for the majority of network applications. It should not be necessary to modify any of the default settings, unless a queuing problem occurs with a particular application.
3. Set the trust mode. 4. Click Apply. Figure 119: Setting the Trust Mode MAPPING INGRESS DSCP VALUES TO INTERNAL DSCP VALUES Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing. The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors.
PARAMETERS These parameters are displayed: ◆ DSCP – DSCP value in ingress packets. (Range: 0-63) ◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7) ◆ Drop Precedence – Drop precedence used for Random Early Detection in controlling traffic congestion.
To show the DSCP to internal PHB/drop precedence map: 1. Click Traffic, Priority, DSCP to DSCP. 2. Select Show from the Action list. Figure 121: Showing DSCP to DSCP Internal Mapping MAPPING COS PRIORITIES TO INTERNAL DSCP VALUES Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for internal priority processing.
PARAMETERS These parameters are displayed: ◆ CoS – CoS value in ingress packets. (Range: 0-7) ◆ CFI – Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format. (Range: 0-1) ◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7) ◆ Drop Precedence – Drop precedence used for Random Early Detection in controlling traffic congestion.
To show the CoS/CFI to internal PHB/drop precedence map: 1. Click Traffic, Priority, CoS to DSCP. 2. Select Show from the Action list.
11 QUALITY OF SERVICE This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port – Applies a policy map to an ingress port.
CHAPTER 11 | Quality of Service Configuring a Class Map COMMAND USAGE To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic. 2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN. 3.
◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command. ◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. ◆ IP DSCP – A DSCP value.
To show the configured class maps: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show from the Action list. Figure 125: Showing Class Maps To edit the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of a class map. 5.
CHAPTER 11 | Quality of Service Creating QoS Policies To show the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show Rule from the Action list. Figure 127: Showing the Rules for a Class Map CREATING QOS POLICIES Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces.
conforming to the maximum throughput, or exceeding the maximum throughput. srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).
When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode: ■ If the packet has been precolored as green and Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else ■ If the packet has been precolored as yellow or green and if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else ■ the packet is re
count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode: ■ If Tp(t)-B < 0, the packet is red, else ■ if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else ■ the packet is green and both Tp and Tc are decremented by B.
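The srTCM color-aware and trTCM color-blind decision procedures above, as an added Python example that is not part of this guide or the switch firmware. The srTCM replenishment rule (Tc fills first, overflow spills into Te) is taken from RFC 2697, and the color-blind srTCM and color-aware trTCM branches go beyond what the text shows; rates are bytes per second, bursts are bytes, and the packet trace is constructed.

```python
"""srTCM (RFC 2697) and trTCM (RFC 2698) token-bucket meters.
Added illustration, not switch firmware. Rates are bytes per second,
burst sizes are bytes, timestamps are seconds and must not go backwards."""

GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTCM:
    """Single rate three color meter: one rate (CIR) feeding two buckets,
    Tc (capped at BC) and Te (capped at BE)."""

    def __init__(self, cir, bc, be, color_aware=True):
        self.cir, self.bc, self.be = float(cir), float(bc), float(be)
        self.color_aware = color_aware
        self.tc, self.te = self.bc, self.be  # both buckets start full
        self.last = 0.0

    def _replenish(self, t):
        tokens = self.cir * max(0.0, t - self.last)
        self.last = max(self.last, t)
        # Tc is topped up first; only tokens that would overflow BC spill into Te
        room = self.bc - self.tc
        if tokens <= room:
            self.tc += tokens
        else:
            self.tc = self.bc
            self.te = min(self.be, self.te + tokens - room)

    def meter(self, size, t, precolor=GREEN):
        """Color a packet of `size` bytes arriving at time t."""
        self._replenish(t)
        # Color-blind mode ignores the precolor: every packet is treated as green
        pre = precolor if self.color_aware else GREEN
        if pre == GREEN and self.tc - size >= 0:
            self.tc -= size               # Tc(t)-B >= 0: conforming
            return GREEN
        if pre in (GREEN, YELLOW) and self.te - size >= 0:
            self.te -= size               # Te(t)-B >= 0: within excess burst
            return YELLOW
        return RED                        # neither bucket is charged


class TrTCM:
    """Two rate three color meter: Tp fills at PIR (capped at BP), Tc at CIR
    (capped at BC); the two buckets are replenished independently."""

    def __init__(self, pir, bp, cir, bc, color_aware=False):
        self.pir, self.bp = float(pir), float(bp)
        self.cir, self.bc = float(cir), float(bc)
        self.color_aware = color_aware
        self.tp, self.tc = self.bp, self.bc
        self.last = 0.0

    def _replenish(self, t):
        elapsed = max(0.0, t - self.last)
        self.last = max(self.last, t)
        self.tp = min(self.bp, self.tp + self.pir * elapsed)
        self.tc = min(self.bc, self.tc + self.cir * elapsed)

    def meter(self, size, t, precolor=GREEN):
        self._replenish(t)
        pre = precolor if self.color_aware else GREEN
        if pre == RED or self.tp - size < 0:
            return RED                    # Tp(t)-B < 0: above peak rate
        if pre == YELLOW or self.tc - size < 0:
            self.tp -= size               # Tc(t)-B < 0: only Tp is charged
            return YELLOW
        self.tp -= size                   # conforming: both buckets charged
        self.tc -= size
        return GREEN


def srtcm_demo():
    """Run a constructed trace of (bytes, seconds, precolor) through a
    color-aware srTCM with CIR 1000 B/s, BC 1500 B and BE 1000 B.
    The last packet is precolored yellow, so it cannot be promoted to green
    even though Tc has tokens left."""
    meter = SrTCM(cir=1000, bc=1500, be=1000)
    trace = [(1000, 0.0, GREEN), (1000, 0.0, GREEN), (100, 0.0, GREEN),
             (1000, 0.0, GREEN), (1000, 1.0, GREEN), (500, 1.0, YELLOW)]
    return [meter.meter(*pkt) for pkt in trace]


if __name__ == "__main__":
    print(srtcm_demo())  # ['green', 'yellow', 'green', 'red', 'green', 'red']
```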
Add Rule ◆ Policy Name – Name of policy map. ◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. ◆ Action – This attribute is used to set an internal QoS value in hardware for matching packets. The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion with the srTCM and trTCM metering functions.
■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. ■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level. ■ Violate – Specifies whether the traffic that exceeds the maximum rate (CIR) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic.
■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the excess burst size (BE) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63) ■ Drop – Drops out of conformance traffic. ■ Violate – Specifies whether the traffic that exceeds the excess burst size (BE) will be dropped or the DSCP service level will be reduced.
■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. ■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level. ■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the peak information rate (PIR) will be dropped or the DSCP service level will be reduced.
To show the configured policy maps: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Show from the Action list. Figure 129: Showing Policy Maps To edit the rules for a policy map: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of a policy map. 5.
Figure 130: Adding Rules to a Policy Map To show the rules for a policy map: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Show Rule from the Action list.
CHAPTER 11 | Quality of Service Attaching a Policy Map to a Port ATTACHING A POLICY MAP TO A PORT Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port. CLI REFERENCES ◆ "Quality of Service Commands" on page 869 COMMAND USAGE ◆ First define a class map, define a policy map, and then bind the service policy to the required interface. ◆ Only one policy map can be bound to an interface.
12 VOIP TRAFFIC CONFIGURATION This chapter covers the following topics: ◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
CHAPTER 12 | VoIP Traffic Configuration Configuring VoIP Traffic CONFIGURING VOIP TRAFFIC Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
CHAPTER 12 | VoIP Traffic Configuration Configuring Telephony OUI Figure 133: Configuring a Voice VLAN CONFIGURING TELEPHONY OUI VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
CHAPTER 12 | VoIP Traffic Configuration Configuring VoIP Traffic Ports 6. Enter a description for the devices. 7. Click Apply. Figure 134: Configuring an OUI Telephony List To show the MAC OUI numbers used for VoIP equipment: 1. Click Traffic, VoIP. 2. Select Configure OUI from the Step list. 3. Select Show from the Action list.
first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs" on page 171). PARAMETERS These parameters are displayed: ◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None) ■ None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
be removed from voice VLAN when VoIP traffic is no longer received on the port. Alternatively, if you clear the MAC address table manually, then the switch will also start counting down the Remaining Age. WEB INTERFACE To configure VoIP traffic settings for a port: 1. Click Traffic, VoIP. 2. Select Configure Interface from the Step list. 3. Configure any required changes to the VoIP settings for each port. 4. Click Apply.
13 SECURITY MEASURES You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 13 | Security Measures AAA Authorization and Accounting ◆ DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. ◆ DoS Protection – Protects against Denial-of-Service attacks. NOTE: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services. 3. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. 4. Apply the method names to port or line interfaces. NOTE: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
■ TACACS – User authentication is performed using a TACACS+ server only. ■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. WEB INTERFACE To configure the method(s) of controlling management access: 1. Click Security, AAA, System Authentication. 2. Specify the authentication sequence (i.e., one to three methods). 3. Click Apply.
packet from the client to the server, while TACACS+ encrypts the entire body of the packet. CLI REFERENCES ◆ "RADIUS Client" on page 614 ◆ "TACACS+ Client" on page 618 ◆ "AAA" on page 621 COMMAND USAGE ◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol.
■ Authentication Retries – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) ■ Set Key – Mark this box to set or modify the encryption key. ■ Authentication Key – Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
Authentication" on page 277). WEB INTERFACE To configure the parameters for RADIUS or TACACS+ authentication: 1. Click Security, AAA, Server. 2. Select Configure Server from the Step list. 3. Select RADIUS or TACACS+ server type. 4. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server. 5.
Figure 140: Configuring Remote Authentication Server (TACACS+) To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Select RADIUS or TACACS+ server type. 5. Enter the group name, followed by the index of the server to use for each priority level. 6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Show from the Action list.
■ Exec – Administrative accounting for local console, Telnet, or SSH connections. ◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined. (Range: 1-255 characters) Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS+ servers.
Show Information – Statistics ◆ User Name - Displays a registered user name. ◆ Accounting Type - Displays the accounting service. ◆ Interface - Displays the receive port number through which this user accessed the switch. ◆ Time Elapsed - Displays the length of time this entry has been active. WEB INTERFACE To configure global settings for AAA accounting: 1. Click Security, AAA, Accounting. 2.
To configure the accounting method applied to various service types and the assigned server group: 1. Click Security, AAA, Accounting. 2. Select Configure Method from the Step list. 3. Select Add from the Action list. 4. Select the accounting type (802.1X, Exec). 5. Specify the name of the accounting method and server group name. 6. Click Apply.
To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: 1. Click Security, AAA, Accounting. 2. Select Configure Service from the Step list. 3. Select the accounting type (802.1X, Exec). 4. Enter the required accounting method. 5. Click Apply. Figure 146: Configuring AAA Accounting Service for 802.
To display a summary of the configured accounting methods and assigned server groups for specified service types: 1. Click Security, AAA, Accounting. 2. Select Show Information from the Step list. 3. Click Summary. Figure 148: Displaying a Summary of Applied AAA Accounting Methods To display basic accounting information and statistics recorded for user sessions: 1. Click Security, AAA, Accounting. 2.
CONFIGURING AAA AUTHORIZATION Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI REFERENCES ◆ "AAA" on page 621 COMMAND USAGE ◆ This feature performs authorization to determine if a user is allowed to run an Exec shell.
◆ Interface - Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group has not been assigned to an interface.) WEB INTERFACE To configure the authorization method applied to the Exec service type and the assigned server group: 1. Click Security, AAA, Authorization. 2. Select Configure Method from the Step list. 3.
To configure the authorization method applied to local console, Telnet, or SSH connections: 1. Click Security, AAA, Authorization. 2. Select Configure Service from the Step list. 3. Enter the required authorization method. 4. Click Apply. Figure 152: Configuring AAA Authorization Methods for Exec Service To display the configured authorization method and assigned server groups for the Exec service type: 1.
CHAPTER 13 | Security Measures Configuring User Accounts CONFIGURING USER ACCOUNTS Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI REFERENCES ◆ "User Accounts" on page 609 COMMAND USAGE ◆ The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.” ◆ The guest only has read access for most configuration parameters.
WEB INTERFACE To configure user accounts: 1. Click Security, User Accounts. 2. Select Add from the Action list. 3. Specify a user name, select the user's access level, then enter a password if required and confirm it. 4. Click Apply. Figure 154: Configuring User Accounts To show user accounts: 1. Click Security, User Accounts. 2. Select Show from the Action list.
CHAPTER 13 | Security Measures Web Authentication WEB AUTHENTICATION Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
WEB INTERFACE To configure global parameters for web authentication: 1. Click Security, Web Authentication. 2. Select Configure Global from the Step list. 3. Enable web authentication globally on the switch, and adjust any of the protocol parameters as required. 4. Click Apply.
CHAPTER 13 | Security Measures Network Access (MAC Address Authentication) WEB INTERFACE To enable web authentication for a port: 1. Click Security, Web Authentication. 2. Select Configure Interface from the Step list. 3. Set the status box to enabled for any port that requires web authentication, and click Apply. 4. Mark the check box for any host addresses that need to be reauthenticated, and click Re-authenticate.
to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed. On successful authentication, the RADIUS server may optionally assign VLAN and quality of service settings for the switch port.
Table 19: Dynamic QoS Profiles (Continued)
Profile Attribute: IP ACL – Syntax: ip-access-group-in=ip-acl-name – Example: ip-access-group-in=ipv4acl
Profile Attribute: IPv6 ACL – Syntax: ipv6-access-group-in=ipv6-acl-name – Example: ipv6-access-group-in=ipv6acl
Profile Attribute: MAC ACL – Syntax: mac-access-group-in=mac-acl-name – Example: mac-access-group-in=macAcl
◆ Multiple profiles can be specified in the Filter-ID attribute by using a semicolon to separate each profile.
CONFIGURING GLOBAL SETTINGS FOR NETWORK ACCESS MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
WEB INTERFACE To configure aging status and reauthentication time for MAC address authentication: 1. Click Security, Network Access. 2. Select Configure Global from the Step list. 3. Enable or disable aging for secure addresses, and modify the reauthentication time as required. 4. Click Apply.
◆ Network Access Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication (including Network Access and IEEE 802.1X). (Range: 1-1024; Default: 1024) ◆ Guest VLAN – Specifies the VLAN to be assigned to the port when 802.1X Authentication fails.
5. Click Apply. Figure 159: Configuring Interface Settings for Network Access CONFIGURING PORT LINK DETECTION Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
WEB INTERFACE To configure link detection on switch ports: 1. Click Security, Network Access. 2. Select Configure Interface from the Step list. 3. Click the Link Detection button. 4. Modify the link detection status, trigger condition, and the response for any port. 5. Click Apply.
◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF; Default: FFFFFFFFFFFF) WEB INTERFACE To add a MAC address filter for MAC authentication: 1. Click Security, Network Access. 2. Select Configure MAC Filter from the Step list. 3.
DISPLAYING SECURE MAC ADDRESS INFORMATION Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
CHAPTER 13 | Security Measures Configuring HTTPS Figure 163: Showing Addresses Authenticated for Network Access CONFIGURING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. CONFIGURING GLOBAL SETTINGS FOR HTTPS Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the UDP port used for this service.
◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6.x or above, or Mozilla Firefox 4.x or above. ◆ The following web browsers and operating systems currently support HTTPS: Table 20: HTTPS System Support
Web Browser – Operating System
Internet Explorer 6.x or later – Windows 98, Windows NT (with service pack 6a), Windows 2000, XP, Vista, 7, 8
Mozilla Firefox 6.
Figure 164: Configuring HTTPS REPLACING THE DEFAULT SECURE-SITE CERTIFICATE Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site.
CHAPTER 13 | Security Measures Configuring the Secure Shell ◆ Private Key Source File Name – Name of private key file stored on the TFTP server. ◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch. ◆ Confirm Password – Re-type the string entered in the previous field to ensure no errors were made.
station clients, and ensures that data traveling over the network arrives unaltered. NOTE: You need to install an SSH client on the management station to access the switch for management via the SSH protocol. NOTE: The switch supports both SSH Version 1.5 and 2.0 clients. COMMAND USAGE The SSH server on this switch supports both password and public key authentication.
4. Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size. 5.
b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request. c. The client sends a signature generated using the private key to the switch. d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct.
■ The server key is a private key that is never shared outside the switch. ■ The host key is shared with the SSH client, and is fixed at 1024 bits. WEB INTERFACE To configure the SSH server: 1. Click Security, SSH. 2. Select Configure Global from the Step list. 3. Enable the SSH server. 4. Adjust the authentication parameters as required. 5. Click Apply.
PARAMETERS These parameters are displayed: ◆ Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both; Default: Both) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
3. Select Show from the Action list. 4. Select the host-key type to clear. 5. Click Clear. Figure 168: Showing the SSH Host Key Pair IMPORTING USER PUBLIC KEYS Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism.
◆ TFTP Server IP Address – The IP address of the TFTP server that contains the public key file you wish to import. ◆ Source File Name – The public key file to upload. WEB INTERFACE To copy the SSH user’s public key: 1. Click Security, SSH. 2. Select Configure User Key from the Step list. 3. Select Copy from the Action list. 4.
CHAPTER 13 | Security Measures Access Control Lists Figure 170: Showing the SSH User’s Public Key ACCESS CONTROL LISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
Auto ACE Compression is a software feature that compresses all the ACEs of an ACL so that hardware resources are used more efficiently. Without compression, one ACE occupies a fixed number of entries in TCAM. So if one ACL includes 25 ACEs, the ACL would need (25 * n) entries in TCAM, where “n” is the fixed number of TCAM entries needed for one ACE.
WEB INTERFACE
To show information on TCAM utilization:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show TCAM from the Action list.

Figure 171: Showing TCAM Utilization

SETTING THE ACL
Use the Security > ACL (Configure ACL - Add) page to create an ACL.
WEB INTERFACE
To configure the name and type of an ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4. Fill in the ACL Name field, and select the ACL type.
5. Click Apply.

Figure 172: Creating an ACL

To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of rules which permit or deny a packet, or re-direct a packet to another port.
◆ Interface – The unit and port to which a packet is redirected. (This switch does not support stacking, so the unit is fixed at 1.
Figure 174: Configuring a Standard IPv4 ACL

CONFIGURING AN EXTENDED IPV4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.

CLI REFERENCES
◆ "permit, deny, redirect-to (Extended IPv4 ACL)" on page 714
◆ "show ip access-list" on page 718
◆ "Time Range" on page 572

COMMAND USAGE
Due to an ASIC limitation, the switch only checks the leftmost six priority bits.
◆ Interface – The unit and port to which a packet is redirected. (This switch does not support stacking, so the unit is fixed at 1.)
◆ Source/Destination Address Type – Specifies the source or destination IP address type. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and Subnet Mask fields.
  ■ Both SYN and ACK valid, use control-code 18, control bit mask 18
  ■ SYN valid and ACK invalid, use control-code 2, control bit mask 18
◆ Time Range – Name of a time range.

WEB INTERFACE
To add rules to an IPv4 Extended ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Extended from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.
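The Any/Host/IP address types and the TCP control-code with control bit mask described above, evaluated the way an Extended IPv4 ACL would apply them, as an added Python example (not the switch firmware and not code from this guide); the rule and packet structures, the constructed ACL and the action taken when no rule matches are assumptions of the example.

```python
"""Added example, not from the guide: evaluates IPv4 Extended ACL rules
(Any/Host/IP source address types, TCP control-code with control bit mask)
against constructed packets."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# TCP control bits (RFC 793), lowest six bits of the flags field.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
TCP, UDP = 6, 17


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    tcp_flags: int = 0


@dataclass
class Rule:
    action: str                 # "Permit" or "Deny"
    src_type: str = "Any"       # "Any", "Host" or "IP" as on the Add Rule page
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"   # used only for the "IP" type
    protocol: Optional[int] = None
    control_code: Optional[int] = None
    control_mask: int = 0


def addr_matches(addr_type: str, addr: str, mask: str, pkt_addr: str) -> bool:
    """Any: every address. Host: exact address. IP: only the bits set in the mask."""
    if addr_type == "Any":
        return True
    if addr_type == "Host":
        return IPv4Address(pkt_addr) == IPv4Address(addr)
    m = int(IPv4Address(mask))
    return (int(IPv4Address(pkt_addr)) & m) == (int(IPv4Address(addr)) & m)


def control_code_matches(flags: int, code: int, mask: int) -> bool:
    """Only the flag bits set in the mask are compared against the code.
    Code 18 / mask 18: SYN and ACK both set.  Code 2 / mask 18: SYN set, ACK clear."""
    return (flags & mask) == (code & mask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not addr_matches(rule.src_type, rule.src_addr, rule.src_mask, pkt.src):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.control_code is not None:
        if pkt.protocol != TCP:          # control codes only exist in TCP headers
            return False
        return control_code_matches(pkt.tcp_flags, rule.control_code, rule.control_mask)
    return True


def evaluate_acl(rules: List[Rule], pkt: Packet, default: str = "Permit") -> str:
    """First matching rule decides. The guide does not state what happens when no
    rule matches; the default action here is an assumption of this example."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed ACL: drop new TCP connection attempts (SYN without ACK) from
# 10.1.0.0/16, allow replies (SYN+ACK) from it, and exempt one host entirely.
EXAMPLE_ACL = [
    Rule("Permit", "Host", "10.1.2.99"),
    Rule("Deny", "IP", "10.1.0.0", "255.255.0.0", TCP, control_code=2, control_mask=18),
    Rule("Permit", "IP", "10.1.0.0", "255.255.0.0", TCP, control_code=18, control_mask=18),
]


def demo() -> dict:
    """Verdicts for a few constructed packets."""
    return {
        "syn_from_subnet": evaluate_acl(EXAMPLE_ACL, Packet("10.1.5.7", "192.0.2.10", TCP, SYN)),
        "synack_from_subnet": evaluate_acl(EXAMPLE_ACL, Packet("10.1.5.7", "192.0.2.10", TCP, SYN | ACK)),
        "syn_from_exempt_host": evaluate_acl(EXAMPLE_ACL, Packet("10.1.2.99", "192.0.2.10", TCP, SYN)),
        "udp_from_subnet": evaluate_acl(EXAMPLE_ACL, Packet("10.1.5.7", "192.0.2.10", UDP)),
        "syn_from_elsewhere": evaluate_acl(EXAMPLE_ACL, Packet("172.16.0.4", "192.0.2.10", TCP, SYN)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```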
CONFIGURING A MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.

CLI REFERENCES
◆ "permit, deny, redirect-to (MAC ACL)" on page 719
◆ "show ip access-list" on page 718
◆ "Time Range" on page 572

PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Time Range – Name of a time range.

WEB INTERFACE
To add rules to a MAC ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select MAC from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or MAC).
8. If you select “Host,” enter a specific address (e.g., 11-22-33-44-5566).
CONFIGURING AN ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection" on page 331).
3. Select Add Rule from the Action list.
4. Select ARP from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the packet type (Request, Response, All).
8. Select the address type (Any, Host, or IP).
9. If you select “Host,” enter a specific address (e.g., 11-22-33-44-5566). If you select “IP,” enter a base address and a hexadecimal bit mask for an address range.
10.
COMMAND USAGE
◆ This switch supports ACLs for ingress filtering only.
◆ You can bind only one ACL to any port for ingress filtering.

PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to bind to a port.
◆ Port – Fixed port or SFP module. (Range: 1-26)
◆ ACL – ACL used for ingress packets.
◆ Time Range – Name of a time range.

WEB INTERFACE
To bind an ACL to a port:
1. Click Security, ACL.
2.
ARP INSPECTION
ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
CONFIGURING GLOBAL SETTINGS FOR ARP INSPECTION
Use the Security > ARP Inspection (Configure General) page to enable ARP inspection globally for the switch, to validate address information in each packet, and to configure logging.

CLI REFERENCES
◆ "ARP Inspection" on page 699

COMMAND USAGE
ARP Inspection Validation
◆ By default, ARP Inspection Validation is disabled.
◆ If the log buffer is full, the oldest entry will be replaced with the newest entry.

PARAMETERS
These parameters are displayed:
◆ ARP Inspection Status – Enables ARP Inspection globally. (Default: Disabled)
◆ ARP Inspection Validation – Enables extended ARP Inspection Validation if any of the following options are enabled.
Figure 179: Configuring Global Settings for ARP Inspection

CONFIGURING VLAN SETTINGS FOR ARP INSPECTION
Use the Security > ARP Inspection (Configure VLAN) page to enable ARP inspection for any VLAN and to specify the ARP ACL to use.

CLI REFERENCES
◆ "ARP Inspection" on page 699

COMMAND USAGE
ARP Inspection VLAN Filters (ACLs)
◆ By default, no ARP Inspection ACLs are configured and the feature is disabled.
◆ ARP Inspection ACL Name
  ■ ARP ACL – Allows selection of any configured ARP ACLs. (Default: None)
  ■ Static – When an ARP ACL is selected, and static mode is also selected, the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database. When an ARP ACL is selected, but static mode is not selected, the switch first performs ARP Inspection and then validation against the DHCP Snooping Bindings database.
By default, all untrusted ports are subject to ARP packet rate limiting, and all trusted ports are exempt from ARP packet rate limiting. Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded, while those arriving on untrusted interfaces are subject to all configured ARP inspection tests.
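The decision path described above (trusted ports bypass inspection; on untrusted ports the VLAN's ARP ACL is applied first, and unless Static mode is set the sender is then validated against the DHCP snooping bindings), as an added Python example that is not code from the guide or the switch; the ARP ACL rule fields follow the Add Rule - ARP page, while the mask semantics, the configuration and the handling of a packet that matches no ACL rule are assumptions.

```python
"""Added example, not from the guide: models the ARP Inspection decision path
(trusted-port bypass, ARP ACL with/without Static mode, DHCP snooping binding check)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ArpPacket:
    port: int
    vlan: int
    kind: str           # "Request" or "Response"
    sender_ip: str
    sender_mac: str


@dataclass
class ArpRule:
    action: str                   # "Permit" or "Deny"
    packet_type: str = "All"      # "Request", "Response" or "All"
    addr_type: str = "Any"        # "Any", "Host" or "IP"
    sender_ip: str = "0.0.0.0"
    hex_mask: str = "0x00000000"  # "IP" type: bits set to 1 are compared (assumption)


@dataclass
class VlanInspection:
    enabled: bool = False
    acl_name: Optional[str] = None
    static: bool = False          # Static mode: ACL verdict only, bindings not consulted


def norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def rule_matches(rule: ArpRule, pkt: ArpPacket) -> bool:
    if rule.packet_type != "All" and rule.packet_type != pkt.kind:
        return False
    if rule.addr_type == "Any":
        return True
    if rule.addr_type == "Host":
        return IPv4Address(pkt.sender_ip) == IPv4Address(rule.sender_ip)
    mask = int(rule.hex_mask, 16)
    return (int(IPv4Address(pkt.sender_ip)) & mask) == (int(IPv4Address(rule.sender_ip)) & mask)


def acl_verdict(rules: List[ArpRule], pkt: ArpPacket) -> Optional[str]:
    """First matching rule wins; None when no rule matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return None


def inspect(pkt: ArpPacket, trusted_ports: Set[int], vlans: Dict[int, VlanInspection],
            acls: Dict[str, List[ArpRule]], bindings: Set[Tuple[int, str, str]]) -> Tuple[str, str]:
    """Returns (verdict, reason). `bindings` holds (vlan, ip, mac) tuples, i.e. the
    DHCP snooping binding table plus static entries."""
    if pkt.port in trusted_ports:
        return "forward", "trusted port bypasses ARP Inspection"
    cfg = vlans.get(pkt.vlan, VlanInspection())
    if not cfg.enabled:
        return "forward", "ARP Inspection not enabled on this VLAN"
    if cfg.acl_name:
        verdict = acl_verdict(acls[cfg.acl_name], pkt)
        if verdict == "Deny":
            return "drop", f"denied by ARP ACL {cfg.acl_name}"
        if verdict == "Permit" and cfg.static:
            return "forward", f"permitted by ARP ACL {cfg.acl_name}; static mode skips bindings"
        # Assumption: a permitted packet in non-static mode, or one matching no rule,
        # continues to the DHCP snooping binding check.
    if (pkt.vlan, pkt.sender_ip, norm_mac(pkt.sender_mac)) in bindings:
        return "forward", "sender IP/MAC matches a binding"
    return "drop", "sender IP/MAC not found in DHCP snooping bindings"


# Constructed configuration: VLAN 10 uses ACL "printers" in static mode, VLAN 20 uses
# the same ACL but also validates against bindings; port 24 is a trusted uplink.
ACLS = {"printers": [ArpRule("Permit", "All", "IP", "192.0.2.0", "0xFFFFFF00")]}
VLANS = {10: VlanInspection(True, "printers", static=True),
         20: VlanInspection(True, "printers", static=False)}
TRUSTED = {24}
BINDINGS = {(20, "192.0.2.50", "00:11:22:33:44:55")}


def demo() -> Dict[str, str]:
    cases = {
        "trusted_uplink": ArpPacket(24, 20, "Response", "10.9.9.9", "de-ad-be-ef-00-01"),
        "static_mode_permit": ArpPacket(3, 10, "Request", "192.0.2.7", "00-11-22-33-44-aa"),
        "bound_host": ArpPacket(4, 20, "Response", "192.0.2.50", "00-11-22-33-44-55"),
        "spoofed_mac": ArpPacket(4, 20, "Response", "192.0.2.50", "66-77-88-99-aa-bb"),
        "unknown_sender": ArpPacket(5, 20, "Request", "192.0.2.77", "00-11-22-33-44-cc"),
    }
    return {name: inspect(p, TRUSTED, VLANS, ACLS, BINDINGS)[0] for name, p in cases.items()}
```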
DISPLAYING ARP INSPECTION STATISTICS
Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
WEB INTERFACE
To display statistics for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Show Information from the Step list.
3. Select Show Statistics from the Action list.

Figure 182: Displaying Statistics for ARP Inspection

DISPLAYING THE ARP INSPECTION LOG
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
WEB INTERFACE
To display the ARP Inspection log:
1. Click Security, ARP Inspection.
2. Select Show Information from the Step list.
3. Select Show Log from the Action list.
FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS
◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address.

PARAMETERS
These parameters are displayed:
◆ Mode
  ■ Web – Configures IP address(es) for the web group.
  ■ SNMP – Configures IP address(es) for the SNMP group.
  ■ Telnet – Configures IP address(es) for the Telnet group.
◆ Start IP Address – A single IP address, or the starting address of a range.
To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.

Figure 185: Showing IP Addresses Authorized for Management Access

CONFIGURING PORT SECURITY
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table.
Figure 186: Setting the Maximum Address Count for Port Security

To enable port security:
1. Click Security, Port Security.
2. Set the action to take when an invalid address is detected on a port.
3. Mark the check box in the Security Status column to enable security.
4. Click Apply.

Figure 187: Configuring the Status and Response for Port Security

CONFIGURING 802.
remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client.
◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
◆ The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS. (Native support for these encryption methods is provided in Windows 8, Windows 7, Vista, and XP, and in Windows 2000 with Service Pack 4.
◆ Confirm Profile Password – This field is used to confirm the dot1x supplicant password.

WEB INTERFACE
To configure global settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Global from the Step list.
3. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds to an MD5 challenge from the authentication server.
clients through the remote authenticator (see "Configuring Port Supplicant Settings for 802.1X" on page 349).
◆ This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on this configuration page, and as a supplicant on other ports by setting the control mode to Force-Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page.
  ■ MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated. In this mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
◆ Intrusion Action – Sets the port’s response to a failed authentication.
  ■ Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.)
  ■ Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (see "Configuring VLAN Groups" on page 170) and mapped on each port (see "Configuring Network Access for Ports" on page 300).
Figure 190: Configuring Interface Settings for 802.1X Port Authenticator

CONFIGURING PORT SUPPLICANT SETTINGS FOR 802.1X
Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device. When 802.
COMMAND USAGE
◆ When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 344), which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate clients through the remote authenticator on this configuration page.
WEB INTERFACE
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Click Supplicant.
4. Modify the supplicant settings for each port as required.
5. Click Apply.

Figure 191: Configuring Interface Settings for 802.1X Port Supplicant

DISPLAYING 802.
Table 24: 802.1X Statistics (Continued)

Parameter         Description
Rx EAPOL Total    The number of valid EAPOL frames of any type that have been received by this Authenticator.
Rx Last EAPOLVer  The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
Rx Last EAPOLSrc  The source MAC address carried in the most recent EAPOL frame received by this Authenticator.
WEB INTERFACE
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Authenticator.

Figure 192: Showing Statistics for 802.1X Port Authenticator

To display port supplicant statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Supplicant.

Figure 193: Showing Statistics for 802.
IP SOURCE GUARD
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping" on page 359). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.
  ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the SIP-MAC option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
Figure 194: Setting the Filter Type for IP Source Guard

CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD
Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
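The binding lookup the filter types imply (VLAN, source IP and port always checked, source MAC only for SIP-MAC), over entries with the fields listed above and a lease of 0 meaning infinite, as an added Python example that is not code from the guide or the switch; the name `SIP` for the address-only filter type, the binding table and the frames are constructed for the example.

```python
"""Added example, not from the guide: IP Source Guard lookup against a binding
table with the fields of the static binding page (MAC, IP, lease, type, VLAN, port)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int          # seconds remaining; 0 means infinite (all static entries)
    entry_type: str     # "Static" or "Dynamic"
    vlan: int
    port: int


@dataclass
class Frame:
    port: int
    vlan: int
    src_ip: str
    src_mac: str


def norm_mac(mac: str) -> str:
    """Accepts 00-11-22-33-44-55 or 00:11:22:33:44:55."""
    return mac.lower().replace("-", ":")


def find_binding(table: List[Binding], frame: Frame, filter_type: str) -> Optional[Binding]:
    """filter_type is "SIP" (assumed name for the address-only filter) or "SIP-MAC".
    VLAN, source IP and ingress port are always compared; the MAC only for SIP-MAC."""
    for b in table:
        if (b.vlan, b.port, b.ip) != (frame.vlan, frame.port, frame.src_ip):
            continue
        if filter_type == "SIP-MAC" and norm_mac(b.mac) != norm_mac(frame.src_mac):
            continue
        if b.entry_type in ("Static", "Dynamic"):
            return b
    return None


def ipsg_permits(table: List[Binding], frame: Frame, filter_type: str) -> bool:
    """True when the frame's source is backed by a static or DHCP-snooped binding."""
    return find_binding(table, frame, filter_type) is not None


def age_table(table: List[Binding], elapsed: int) -> List[Binding]:
    """Counts down dynamic leases; static entries (lease 0) never expire.
    Returns the surviving entries."""
    survivors = []
    for b in table:
        if b.lease == 0:
            survivors.append(b)
        elif b.lease > elapsed:
            survivors.append(Binding(b.mac, b.ip, b.lease - elapsed, b.entry_type, b.vlan, b.port))
    return survivors


# Constructed binding table: one static entry and one learned by DHCP snooping.
TABLE = [
    Binding("00-11-22-33-44-55", "192.0.2.10", 0, "Static", 1, 5),
    Binding("aa-bb-cc-dd-ee-ff", "192.0.2.20", 120, "Dynamic", 1, 6),
]


def demo() -> dict:
    legit = Frame(5, 1, "192.0.2.10", "00:11:22:33:44:55")
    spoof_mac = Frame(5, 1, "192.0.2.10", "66:77:88:99:aa:bb")
    steal_ip = Frame(7, 1, "192.0.2.10", "66:77:88:99:aa:bb")   # neighbor's IP from another port
    return {
        "legit_sip_mac": ipsg_permits(TABLE, legit, "SIP-MAC"),
        "spoofed_mac_sip": ipsg_permits(TABLE, spoof_mac, "SIP"),
        "spoofed_mac_sip_mac": ipsg_permits(TABLE, spoof_mac, "SIP-MAC"),
        "neighbors_ip_other_port": ipsg_permits(TABLE, steal_ip, "SIP"),
        "entries_after_200s": len(age_table(TABLE, 200)),
    }
```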
◆ MAC Address – A valid unicast MAC address.
◆ IP Address – A valid unicast IP address, including classful types A, B or C.

Show
◆ VLAN – VLAN to which this entry is bound.
◆ MAC Address – Physical address associated with the entry.
◆ Interface – The port to which this entry is bound.
◆ IP Address – IP address corresponding to the client.
◆ Lease Time – The time for which this IP address is leased to the client.
Figure 196: Displaying Static Bindings for IP Source Guard

DISPLAYING INFORMATION FOR DYNAMIC IP SOURCE GUARD BINDINGS
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.

CLI REFERENCES
◆ "show ip dhcp snooping binding" on page 693

PARAMETERS
These parameters are displayed:
Query by
◆ Port – A port on this switch.
WEB INTERFACE
To display the binding table for IP Source Guard:
1. Click Security, IP Source Guard, Dynamic Binding.
2. Mark the search criteria, and enter the required values.
3.
DHCP SNOOPING
◆ The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
◆ When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
◆ Filtering rules are implemented as follows:
  ■ If the global DHCP snooping is disabled, all DHCP packets are forwarded.
DHCP server, any packets received from untrusted ports are dropped.

DHCP Snooping Option 82
◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
DHCP SNOOPING GLOBAL CONFIGURATION
Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.

CLI REFERENCES
◆ "DHCP Snooping" on page 685

PARAMETERS
These parameters are displayed:
◆ DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)
◆ DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification.
Figure 198: Configuring Global Settings for DHCP Snooping

DHCP SNOOPING VLAN CONFIGURATION
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.

CLI REFERENCES
◆ "ip dhcp snooping vlan" on page 690

COMMAND USAGE
◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
WEB INTERFACE
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure VLAN from the Step list.
3. Enable DHCP Snooping on any existing VLAN.
4. Click Apply.

Figure 199: Configuring DHCP Snooping on a VLAN

CONFIGURING PORTS FOR DHCP SNOOPING
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
WEB INTERFACE
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure Interface from the Step list.
3. Set any ports within the local network or firewall to trusted.
4. Click Apply.

Figure 200: Configuring the Port Mode for DHCP Snooping

DISPLAYING DHCP SNOOPING BINDING
Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
◆ Clear – Removes all dynamically learned snooping entries from flash memory.

WEB INTERFACE
To display the binding table for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2.
DoS PROTECTION
PARAMETERS
These parameters are displayed:
◆ TCP/UDP Port-Zero Status – Protects against DoS attacks in which the UDP or TCP source port or destination port is set to zero. This technique may be used as a form of DoS attack, or it may just indicate a problem with the source device. Use the no form to restore the default setting. (Options: Drop, Forward; Default: Drop)

WEB INTERFACE
To set the action to take for packets with Layer 4 port set to zero:
1.
14 BASIC ADMINISTRATION PROTOCOLS
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
CHAPTER 14 | Basic Administration Protocols
Configuring Event Logging

The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM.

CLI REFERENCES
◆ "Event Logging" on page 555

PARAMETERS
These parameters are displayed:
◆ System Log Status – Enables/disables the logging of debug or error messages to the logging process.
WEB INTERFACE
To configure the logging of error messages to system memory:
1. Click Administration, Log, System.
2. Select Configure Global from the Step list.
3. Enable or disable system logging, and set the level of event messages to be logged to flash memory and RAM.
4. Click Apply.

Figure 203: Configuring Settings for System Memory Logs

To show the error messages logged to system or flash memory:
1.
Figure 204: Showing Error Messages Logged to System Memory

REMOTE LOG CONFIGURATION
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
WEB INTERFACE
To configure the logging of error messages to remote servers:
1. Click Administration, Log, Remote.
2. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers.
3. Click Apply.
identifies the switch, or the address of an administrator responsible for the switch.
◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients.

Configure Server
◆ Host Name/IP Address – Specifies a list of up to three recipient SMTP servers. IPv4 or IPv6 addresses may be specified.
To specify SMTP servers:
1. Click Administration, Log, SMTP.
2. Select Configure Server from the Step list.
3. Select Add from the Action list.
4. Specify the host name or IP address of an SMTP server. If authentication is enabled, specify the name and password for a user configured on the SMTP server.
5. Click Apply.

Figure 207: Specifying SMTP Servers

To show a list of configured SMTP servers:
1. Click Administration, Log, SMTP.
2.
LINK LAYER DISCOVERY PROTOCOL
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) Transmission Interval
◆ Reinitialization Delay – Configures the delay before attempting to reinitialize after LLDP ports are disabled or the link goes down.
Figure 209: Configuring LLDP Timing Attributes

CONFIGURING LLDP INTERFACE ATTRIBUTES
Use the Administration > LLDP (Configure Interface – Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
◆ MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Enabled)
◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages.
  ■ Management Address – The management address protocol packet includes the IPv4 address of the switch.
  ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "IEEE 802.1Q VLANs" on page 167).
  ■ VLAN Name – The name of all VLANs to which this interface has been assigned (see "IEEE 802.1Q VLANs" on page 167).
  ■ Port and Protocol VLAN ID – The port-based protocol VLANs configured on this interface (see "IEEE 802.1Q VLANs" on page 167).
◆ 802.
◆ MED-Location Civic Address – Configures information for the location of the attached device included in the MED TLV field of advertised messages, including the country and the device type.
  ■ Country – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
  ■ Device entry refers to – The type of device to which the location applies:
    ■ Location of DHCP server.
Figure 210: Configuring LLDP Interface Attributes

CONFIGURING LLDP INTERFACE CIVIC-
Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
Table 26: LLDP MED Location CA Types (Continued)

CA Type  Description                  CA Value Example
19       House number                 320
20       House number suffix          A
21       Landmark or vanity address   Tech Center
26       Unit (apartment, suite)      Apt 519
27       Floor                        5
28       Room                         509B

◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.
Table 27: Chassis ID Subtype

ID Basis           Reference
Chassis component  EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737)
Interface alias    IfAlias (IETF RFC 2863)
Port component     EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 2737)
MAC address        MAC address (IEEE Std 802-2001)
Network address    networkAddress
Interface name     ifName (IETF RFC 2863)
Locally assig
Interface Settings
The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk.
◆ Port/Trunk Description – A string that indicates the port or trunk description. If RFC 2863 is implemented, the ifDescr object should be used for this field.
DISPLAYING LLDP REMOTE DEVICE INFORMATION
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
Table 29: Port ID Subtype (Continued)

ID Basis          Reference
Port component    EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 2737)
MAC address       MAC address (IEEE Std 802-2001)
Network address   networkAddress
Interface name    ifName (IETF RFC 2863)
Agent circuit ID  agent circuit ID (IETF RFC 3046)
Locally assigned  locally assigned

◆ Port Description – A string that indicates the port’s d
Port Details – 802.3 Extension Port Information
◆ Remote Port Auto-Neg Supported – Shows whether the given port (associated with remote system) supports auto-negotiation.
◆ Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the ifMauAutoNegCapAdvertisedBits object (defined in IETF RFC 3636) which is associated with a port on the remote system.
◆ Remote Power Pairs – “Signal” means that the signal pairs only are in use, and “Spare” means that the spare pairs only are in use.
◆ Remote Power MDI Supported – Shows whether MDI power is supported on the given port associated with the remote system.
◆ Remote Power Pair Controllable – Indicates whether the pair selection can be controlled for sourcing power on the given port associated with the remote system.
Figure 215: Displaying Remote Device Information for LLDP (Port)

Figure 216: Displaying Remote Device Information for LLDP (Port Details)
DISPLAYING DEVICE STATISTICS
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
WEB INTERFACE
To display statistics for LLDP-capable devices attached to the switch:
1. Click Administration, LLDP.
2. Select Show Device Statistics from the Step list.
3. Select General, Port, or Trunk.
Power Over Ethernet
The switch’s power management enables individual port power to be controlled within the switch’s power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its power budget. When a device is connected to a switch port, its power requirements are detected by the switch before power is supplied.
WEB INTERFACE To set the overall PoE power budget for the switch: 1. Click Administration, PoE. 2. Select Configure Global from the Step list. Figure 219: Showing the Switch’s PoE Budget SETTING THE PORT POE POWER BUDGET Use the Administration > PoE (Configure Interface) page to set the maximum power provided to a port.
■ If a device is connected to a low-priority port and causes the switch to exceed its budget, power to this port is not turned on. ■ If a device is connected to a critical or high-priority port and would cause the switch to exceed its power budget as determined during bootup, power is provided to the port only if the switch can drop power to one or more lower-priority ports and thereby remain within its overall budget.
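The two allocation rules above, as an added example that is not code from the Edgecore guide: a model of a PoE budget with the guide's three port priorities, where a low-priority device that would exceed the budget stays unpowered and a critical or high-priority device is powered only if enough lower-priority ports can be shed. The budget, port numbers and wattages are constructed for illustration, and the shedding order (lowest priority first, largest draw first) is an assumption, since the guide does not state which lower-priority ports are dropped.

```python
"""PoE budget allocation with per-port priority (added example, constructed data)."""
from dataclasses import dataclass, field

PRIORITY = {"low": 0, "high": 1, "critical": 2}   # the guide's three priority levels


@dataclass
class PoeBudget:
    budget_w: float                                  # overall PoE budget (assumed value)
    priority: dict = field(default_factory=dict)     # port -> "low" | "high" | "critical"
    powered: dict = field(default_factory=dict)      # port -> watts currently delivered

    def _prio(self, port: int) -> int:
        return PRIORITY[self.priority.get(port, "low")]

    def used_w(self) -> float:
        return sum(self.powered.values())

    def connect(self, port: int, demand_w: float) -> tuple:
        """Power a newly detected device if the budget allows.

        Returns (powered, shed_ports); shed_ports lists the lower-priority
        ports that were switched off to make room for this device.
        """
        if self.used_w() + demand_w <= self.budget_w:
            self.powered[port] = demand_w
            return True, []
        prio = self._prio(port)
        if prio == PRIORITY["low"]:
            return False, []                         # low priority never pre-empts anyone
        # Candidates are strictly lower-priority ports: lowest priority first,
        # then largest draw first so that as few ports as possible are shed.
        victims = sorted(
            (p for p in self.powered if self._prio(p) < prio),
            key=lambda p: (self._prio(p), -self.powered[p]),
        )
        freed, shed = 0.0, []
        for p in victims:
            if self.used_w() - freed + demand_w <= self.budget_w:
                break
            freed += self.powered[p]
            shed.append(p)
        if self.used_w() - freed + demand_w > self.budget_w:
            return False, []                         # does not fit even after shedding
        for p in shed:
            del self.powered[p]
        self.powered[port] = demand_w
        return True, shed

    def disconnect(self, port: int) -> None:
        self.powered.pop(port, None)


def demo() -> dict:
    """Constructed scenario: 60 W budget, devices attached one after another."""
    sw = PoeBudget(budget_w=60.0,
                   priority={1: "critical", 2: "high", 3: "low", 4: "low", 5: "low"})
    sw.connect(3, 15.4)                   # low:  15.4 W used
    sw.connect(4, 30.0)                   # low:  45.4 W used
    sw.connect(2, 7.0)                    # high: 52.4 W used
    low_ok, _ = sw.connect(5, 15.4)       # low: 67.8 W would exceed the budget, stays off
    crit_ok, shed = sw.connect(1, 25.5)   # critical: port 4 (30 W) is shed to make room
    return {"low_refused": not low_ok, "critical_powered": crit_ok,
            "shed": shed, "used_w": round(sw.used_w(), 1)}


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants from this model is the second branch: a critical port that cannot fit even after every lower-priority port is shed is refused without disturbing the ports already powered.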
Figure 220: Setting a Port’s PoE Budget SIMPLE NETWORK MANAGEMENT PROTOCOL Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
Table 31: SNMPv3 Security Models and Levels
Model | Level | Group | Read View | Write View | Notify View | Security
v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v1 | noAuthNoPriv | private (read/write) | defaultview | defaultview | none | Community string only
v1 | noAuthNoPriv | user defined | user defined | user defined | user defined | Community string only
v2c | noAuthNoPriv | public (read only) | defau
3. Use the Administration > SNMP (Configure Engine) page to change the local engine ID. If you want to change the default engine ID, it must be changed before configuring other parameters. 4. Use the Administration > SNMP (Configure View) page to specify read and write access views for the switch MIB tree. 5. Use the Administration > SNMP (Configure User) page to configure SNMP user groups with the required security model (i.
Figure 221: Configuring Global Settings for SNMP SETTING THE LOCAL ENGINE ID Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. Because SNMPv3 user keys are localized to the engine ID (RFC 3414), set the engine ID before creating SNMPv3 users; changing it afterwards invalidates their keys.
Figure 222: Configuring the Local Engine ID for SNMP SPECIFYING A REMOTE ENGINE ID Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
5. Click Apply. Figure 223: Configuring a Remote Engine ID for SNMP To show the remote SNMP engine IDs: 1. Click Administration, SNMP. 2. Select Configure Engine from the Step list. 3. Select Show Remote Engine from the Action list.
◆ Type – Indicates whether the object identifier of a branch within the MIB tree is included in or excluded from the SNMP view. Add OID Subtree ◆ View Name – Lists the SNMP views configured in the Add View page. (Range: 1-64 characters) ◆ OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected view. Wildcards can be used to mask a specific portion of the OID string.
Figure 226: Showing SNMP Views To add an object identifier to an existing SNMP view of the switch’s MIB database: 1. Click Administration, SNMP. 2. Select Configure View from the Step list. 3. Select Add OID Subtree from the Action list. 4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view. 5.
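How an SNMP view built from included and excluded OID subtrees (with optional wildcard masks) decides whether a given OID is visible, as an added example that is not the switch's own code. It follows the view-based access control rule of RFC 3415: of all subtrees matching an OID, the longest one wins (ties go to the lexicographically greater subtree), so a broad include can be narrowed by longer excludes. The view names, OIDs and mask shown are constructed for illustration; the exact mask notation the switch's web page accepts is not shown in this excerpt.

```python
"""SNMP view membership check (RFC 3415 VACM semantics). Added example, constructed data."""
from dataclasses import dataclass


def parse_oid(text: str) -> tuple:
    return tuple(int(x) for x in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple
    included: bool
    mask: tuple = ()      # 1 = sub-identifier must match, 0 = wildcard; bits beyond the mask count as 1

    def matches(self, oid: tuple) -> bool:
        if len(oid) < len(self.subtree):
            return False
        for i, sub in enumerate(self.subtree):
            bit = self.mask[i] if i < len(self.mask) else 1
            if bit and oid[i] != sub:
                return False
        return True


def in_view(view: list, oid_text: str) -> bool:
    """True if oid_text is visible through the view; an OID no entry matches is denied."""
    oid = parse_oid(oid_text)
    best = None
    for entry in view:
        if entry.matches(oid):
            key = (len(entry.subtree), entry.subtree)
            if best is None or key > (len(best.subtree), best.subtree):
                best = entry
    return best.included if best is not None else False


# Constructed read-only view: the whole 'internet' tree, minus the SNMPv3 user
# table and the VACM tables, so a v1/v2c community cannot enumerate SNMPv3
# users or read the access-control configuration.
READONLY_VIEW = [
    ViewEntry(parse_oid("1.3.6.1"), included=True),
    ViewEntry(parse_oid("1.3.6.1.6.3.15"), included=False),   # SNMP-USER-BASED-SM-MIB
    ViewEntry(parse_oid("1.3.6.1.6.3.16"), included=False),   # SNMP-VIEW-BASED-ACM-MIB
]

# Constructed masked view: every ifEntry column, but only for ifIndex 3.
# ifEntry is 1.3.6.1.2.1.2.2.1; position 9 (the column number) is wildcarded.
IF3_VIEW = [
    ViewEntry(parse_oid("1.3.6.1.2.1.2.2.1.0.3"), included=True,
              mask=(1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1)),
]
```

With the read-only view, sysName (1.3.6.1.2.1.1.5.0) is visible while usmUserTable entries under 1.3.6.1.6.3.15 are not, even though both sit below the included 1.3.6.1 subtree; with the masked view, ifInOctets.3 is visible and ifInOctets.4 is not.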
Figure 228: Showing the OID Subtree Configured for SNMP Views CONFIGURING SNMPV3 GROUPS Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 32: Supported Notification Messages
Notification | Object ID | Description
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
swPowerStatusChangeTrap | 1.3.6.1.4.1.259.10.1.38.2.1.0.1 | This trap is sent when the power state changes.
swFanFailureTrap | 1.3.6.1.4.1.259.10.1.38.2.1.0.17 | This trap is sent when the fan fails.
swFanRecoverTrap | 1.3.6.1.4.1.259.10.1.38.2.1.0.18 | This trap is sent when fan failure has recovered.
swPortSecurityTrap | 1.3.6.1.4.1.259.10.1.38.2.1.0.
swCpuUtiFallingNotification | 1.3.6.1.4.1.259.10.1.38.2.1.0.108 | This notification indicates that the CPU utilization has fallen from cpuUtiRisingThreshold to cpuUtiFallingThreshold.
swMemoryUtiRisingThresholdNotification | 1.3.6.1.4.1.259.10.1.38.2.1.0.
WEB INTERFACE To configure an SNMP group: 1. Click Administration, SNMP. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Enter a group name, assign a security model and level, and then select read, write, and notify views. 5. Click Apply. Figure 229: Creating an SNMP Group To show SNMP groups: 1. Click Administration, SNMP. 2. Select Configure Group from the Step list. 3.
SETTING COMMUNITY ACCESS STRINGS Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, remove the default strings (“public” and “private”): they are widely known, and SNMP v1 and v2c carry the community string in clear text in every message, so anyone who can observe the traffic can reuse it.
To show the community access strings: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show Community from the Action list.
■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) Prefer SHA over the MD5 default. ◆ Authentication Password – A minimum of eight plain text characters is required. ◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. 56-bit DES offers limited confidentiality by current standards, so keep SNMP access confined to a trusted management network even when AuthPriv is used.
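The key derivation behind the engine-ID and SNMPv3 user settings above, as an added example that is not code from the guide: the RFC 3414 procedure that turns a user's password into the key actually used on the wire. The password is first expanded and hashed (Ku), then localized by hashing it together with the engine ID (Kul). This is why the engine ID must be set before SNMPv3 users are created: a different engine ID yields a different localized key, and a user keyed under the old ID stops authenticating. The "maplesyrup" password and the all-zero engine ID are the test vectors from RFC 3414 appendix A.3; the second engine ID is constructed.

```python
"""SNMPv3 USM key derivation, RFC 3414 appendix A.2 (added example)."""
import hashlib

PASSWORD_EXPANSION = 1_048_576      # RFC 3414 repeats the password to 1 MiB before hashing
MIN_PASSWORD_LEN = 8                # the switch enforces the same minimum


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku = H(password repeated to 1,048,576 bytes); hash_name is 'md5' or 'sha1'."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("SNMPv3 passwords must be at least 8 characters")
    pw = password.encode()
    reps, rem = divmod(PASSWORD_EXPANSION, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key bound to one particular SNMP engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def engine_change_breaks_keys(password: str, old_id: bytes, new_id: bytes) -> bool:
    """True when a user keyed under old_id would no longer authenticate after
    the local engine ID changes to new_id, i.e. the localized keys differ."""
    return localized_key(password, old_id) != localized_key(password, new_id)


if __name__ == "__main__":
    rfc_engine = bytes.fromhex("000000000000000000000002")      # RFC 3414 A.3 test vector
    print("MD5 Kul:", localized_key("maplesyrup", rfc_engine, "md5").hex())
    print("SHA Kul:", localized_key("maplesyrup", rfc_engine, "sha1").hex())
    # Constructed: the same user after the switch's engine ID is changed.
    new_engine = bytes.fromhex("800000090300aabbccddeeff")
    print("keys invalidated:", engine_change_breaks_keys("maplesyrup", rfc_engine, new_engine))
```

The same localization applies to the privacy key, so an engine-ID change after users exist breaks both authentication and encryption for every SNMPv3 user on the switch; the only fix is to recreate the users.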
To show local SNMPv3 users: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show SNMPv3 Local User from the Action list. Figure 234: Showing Local SNMPv3 Users CONFIGURING REMOTE SNMPV3 USERS Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
◆ Security Level – The following security levels are only used for groups assigned to the SNMPv3 security model: ■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default security level.) ■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted. ■ AuthPriv – SNMP communications use both authentication and encryption.
Figure 235: Configuring Remote SNMPv3 Users To show remote SNMPv3 users: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show SNMPv3 Remote User from the Action list. Figure 236: Showing Remote SNMPv3 Users SPECIFYING TRAP MANAGERS Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent notifications and the types of notifications to send.
COMMAND USAGE ◆ Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt. Informs can be used to ensure that critical information is received by the host.
SNMP Version 2c ◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications using SNMP v1, v2c, or v3. ◆ Notification Type ■ Traps – Notifications are sent as trap messages. ■ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts.
■ Retry times – The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3) ◆ Local User Name – The name of a local user which is used to identify the source of SNMPv3 notification messages sent from the local switch. (Range: 1-32 characters) If an account for the specified user has not been created (page 411), one will be automatically generated.
Figure 237: Configuring Trap Managers (SNMPv1) Figure 238: Configuring Trap Managers (SNMPv2c) Figure 239: Configuring Trap Managers (SNMPv3) To show configured notification managers: 1. Click Administration, SNMP. 2. Select Configure Trap from the Step list.
3. Select Show from the Action list. Figure 240: Showing Notification Managers REMOTE MONITORING Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
COMMAND USAGE ◆ If an alarm is already defined for an index, the entry must be deleted before any changes can be made. PARAMETERS These parameters are displayed: ◆ Index – Index to this entry. (Range: 1-65535) ◆ Variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled. Note that etherStatsEntry.n uniquely defines the MIB variable, and etherStatsEntry.n.
◆ Owner – Name of the person who created this entry. (Range: 1-127 characters) WEB INTERFACE To configure an RMON alarm: 1. Click Administration, RMON. 2. Select Configure Global from the Step list. 3. Select Add from the Action list. 4. Click Alarm. 5. Enter an index number, the MIB object to be polled (etherStatsEntry.n.n), the polling interval, the sample type, the thresholds, and the event to trigger. 6.
Figure 242: Showing Configured RMON Alarms CONFIGURING RMON EVENTS Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
■ Log and Trap – Logs the event and sends a trap message. ◆ Community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts. Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see "Setting Community Access Strings" on page 410) prior to configuring it here.
3. Select Show from the Action list. 4. Click Event. Figure 244: Showing Configured RMON Events CONFIGURING RMON HISTORY SAMPLES Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.
PARAMETERS These parameters are displayed: ◆ Port – The port number on the switch. ◆ Index – Index to this entry. (Range: 1-65535) ◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds) ◆ Buckets – The number of buckets requested for this entry. (Range: 1-65536; Default: 8) The number of buckets granted is displayed on the Show page. ◆ Owner – Name of the person who created this entry.
To show configured RMON history samples: 1. Click Administration, RMON. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list. 4. Select a port from the list. 5. Click History. Figure 246: Showing Configured RMON History Samples To show collected RMON history samples: 1. Click Administration, RMON. 2. Select Configure Interface from the Step list. 3. Select Show Details from the Action list. 4.
Figure 247: Showing Collected RMON History Samples CONFIGURING RMON STATISTICAL SAMPLES Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
4. Click Statistics. 5. Select a port from the list as the data source. 6. Enter an index number and the name of the owner for this entry. 7. Click Apply. Figure 248: Configuring an RMON Statistical Sample To show configured RMON statistical samples: 1. Click Administration, RMON. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list. 4. Select a port from the list. 5. Click Statistics.
3. Select Show Details from the Action list. 4. Select a port from the list. 5. Click Statistics. Figure 250: Showing Collected RMON Statistical Samples SWITCH CLUSTERING Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
manually selected by the administrator through the management station. ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a member of one cluster. ◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN: 1. Create VLAN 4093 (see "Configuring VLAN Groups" on page 170). 2.
◆ Number of Members – The current number of Member switches in the cluster. ◆ Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members. WEB INTERFACE To configure a switch cluster: 1. Click Administration, Cluster. 2. Select Configure Global from the Step list. 3. Set the required attributes for a Commander or a managed candidate. 4.
WEB INTERFACE To configure cluster members: 1. Click Administration, Cluster. 2. Select Configure Member from the Step list. 3. Select Add from the Action list. 4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate. 5. Click Apply. Figure 252: Configuring a Cluster Member To show the cluster members: 1. Click Administration, Cluster. 2. Select Configure Member from the Step list. 3.
Figure 254: Showing Cluster Candidates MANAGING CLUSTER MEMBERS Use the Administration > Cluster (Show Member) page to manage another switch in the cluster. CLI REFERENCES ◆ "Switch Clustering" on page 575 PARAMETERS These parameters are displayed: ◆ Member ID – The ID number of the Member switch. (Range: 1-36) ◆ Role – Indicates the current status of the switch in the cluster.
Figure 255: Managing a Cluster Member SETTING A TIME RANGE Use the Administration > Time Range page to set a time range for ACLs. CLI REFERENCES ◆ "Time Range" on page 572 COMMAND USAGE If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and within one of the periodic time ranges.
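The combination rule above (absolute window AND at least one periodic window), as an added example that is not code from the guide. The rule shapes are assumed, since the excerpt does not show the rule fields: an absolute rule is a start and end date/time, and a periodic rule is a set of weekdays plus a start and end clock time, with an end time at or before the start time taken to mean the window runs past midnight into the next day. The maintenance window and the dates checked are constructed.

```python
"""Time-range evaluation for time-based ACLs (added example, assumed rule shapes)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)     # datetime.weekday() numbering


@dataclass(frozen=True)
class PeriodicRule:
    days: frozenset        # weekdays on which the window starts
    start: time
    end: time              # end <= start: the window runs past midnight

    def active(self, now: datetime) -> bool:
        t, today = now.time(), now.weekday()
        if self.start < self.end:
            return today in self.days and self.start <= t < self.end
        # Window crosses midnight: either it started today, or it started
        # yesterday and has not yet reached its end time.
        yesterday = (now - timedelta(days=1)).weekday()
        return (today in self.days and t >= self.start) or \
               (yesterday in self.days and t < self.end)


@dataclass
class TimeRange:
    name: str
    absolute: Optional[tuple] = None          # (start_dt, end_dt), inclusive
    periodic: list = field(default_factory=list)

    def in_effect(self, now: datetime) -> bool:
        """The guide's rule: inside the absolute window AND inside one periodic window."""
        if self.absolute is not None:
            start, end = self.absolute
            if not (start <= now <= end):
                return False
        if self.periodic and not any(r.active(now) for r in self.periodic):
            return False
        return True


# Constructed example: a maintenance window that exists only during Q1 2019,
# on weeknights from 22:00 until 06:00 the following morning.
MAINTENANCE = TimeRange(
    "maintenance",
    absolute=(datetime(2019, 1, 1), datetime(2019, 3, 31, 23, 59, 59)),
    periodic=[PeriodicRule(frozenset({MON, TUE, WED, THU, FRI}), time(22, 0), time(6, 0))],
)

if __name__ == "__main__":
    for when in (datetime(2019, 2, 6, 3, 0), datetime(2019, 2, 10, 3, 0), datetime(2019, 4, 1, 23, 0)):
        print(when, MAINTENANCE.in_effect(when))
```

The midnight case is the one to check when an ACL is bound to such a range: 03:00 on Saturday is inside the window because it started on Friday, while 03:00 on Sunday is not, and a Monday night in April is outside the absolute window even though the periodic rule matches.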
WEB INTERFACE To configure a time range: 1. Click Administration, Time Range. 2. Select Add from the Action list. 3. Enter the name of a time range. 4. Click Apply. Figure 256: Setting the Name of a Time Range To show a list of time ranges: 1. Click Administration, Time Range. 2. Select Show from the Action list. Figure 257: Showing a List of Time Ranges To configure a rule for a time range: 1. Click Administration, Time Range. 2.
Figure 258: Add a Rule to a Time Range To show the rules configured for a time range: 1. Click Administration, Time Range. 2. Select Show Rule from the Action list.
15 IP CONFIGURATION This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
Using the Ping Function
COMMAND USAGE ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response – The normal response occurs in one to ten seconds, depending on network traffic. ■ Destination does not respond – If the host does not respond, a “timeout” appears in ten seconds.
ADDRESS RESOLUTION PROTOCOL The switch uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP frame is received by this switch (or any standards-based switch/router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the switch may tie up resources by repeating ARP requests for addresses recently flushed from the table. When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address. WEB INTERFACE To configure the timeout for the ARP cache: 1. Click IP, ARP. 2.
SETTING THE SWITCH’S IP ADDRESS (IP VERSION 4) Use the System > IP page to configure an IPv4 address for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types. For information on configuring the switch with an IPv6 address, see "Setting the Switch’s IP Address (IP Version 6)" on page 445.
WEB INTERFACE To set a static address for the switch: 1. Click System, IP. 2. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” and enter the IP address, subnet mask and gateway. 3. Click Apply. Figure 263: Configuring a Static IPv4 Address To obtain a dynamic address through DHCP/BOOTP for the switch: 1. Click System, IP. 2.
NOTE: The switch will also broadcast a request for IP configuration settings on each power reset. NOTE: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address. Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
Setting the Switch’s IP Address (IP Version 6)
■ An IPv6 default gateway must be defined if the management station is located in a different IPv6 segment. ■ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. WEB INTERFACE To configure an IPv6 default gateway for the switch: 1. Click IP, IPv6 Configuration. 2. Select Configure Global from the Action list. 3.
PARAMETERS These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
◆ ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. (Range: 0-600; Default: 3) ■ Configuring a value of 0 disables duplicate address detection. ■ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
(M flag) and Other Stateful Configuration flag (O flag) received in Router Advertisement messages will determine the information this switch should attempt to acquire from the DHCPv6 server as described below. ■ Both M and O flags are set to 1: DHCPv6 is used for both address and other configuration settings.
CONFIGURING AN IPV6 ADDRESS Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network. CLI REFERENCES ◆ "IPv6 Interface" on page 970 COMMAND USAGE ◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
PARAMETERS These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address. (Range: 1-4093) ◆ Address Type – Defines the address type configured for this interface.
■ Link Local – Configures an IPv6 link-local address. ■ The address prefix must be in the range FE80~FEBF. ■ You can configure only one link-local address per interface. ■ The specified address replaces a link-local address that was automatically generated for the interface. ◆ IPv6 Address – IPv6 address assigned to this interface. WEB INTERFACE To configure an IPv6 address: 1. Click IP, IPv6 Configuration. 2.
◆ IP Address – An IPv6 address assigned to this interface. In addition to the unicast addresses assigned to an interface, a host is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
WEB INTERFACE To show the configured IPv6 addresses: 1. Click IP, IPv6 Configuration. 2. Select Show IPv6 Address from the Action list. 3. Select a VLAN from the list. Figure 268: Showing Configured IPv6 Addresses SHOWING THE IPV6 NEIGHBOR CACHE Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
Table 34: Show IPv6 Neighbors - display description (Continued)
State | The following states are used for dynamic entries: ◆ Incomplete – Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message. ◆ Invalid – An invalidated mapping.
SHOWING IPV6 STATISTICS Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
Table 35: Show IPv6 Statistics - display description (Continued)
Address Errors | The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity. This count includes invalid addresses (e.g., ::0) and unsupported addresses (e.g., addresses with unallocated prefixes).
Generated Fragments | The number of output datagram fragments that have been generated as a result of fragmentation at this output interface.
Fragment Succeeded | The number of IPv6 datagrams that have been successfully fragmented at this output interface.
ICMPv6 Transmitted Output | The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.
Destination Unreachable Messages | The number of ICMP Destination Unreachable messages sent by the interface.
WEB INTERFACE To show the IPv6 statistics: 1. Click IP, IPv6 Configuration. 2. Select Show Statistics from the Action list. 3. Click IPv6, ICMPv6 or UDP.
Figure 272: Showing IPv6 Statistics (UDP) SHOWING THE MTU FOR RESPONDING DESTINATIONS Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
16 IP SERVICES This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping which is included in this folder, see "DHCP Snooping" on page 359. DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network.
WEB INTERFACE To configure general settings for DNS: 1. Click IP Service, DNS, General. 2. Select Configure Global from the Action list. 3. Enable domain lookup, and set the default domain name. 4. Click Apply. Figure 274: Configuring General Settings for DNS CONFIGURING A LIST OF DOMAIN NAMES Use the IP Service > DNS - General (Add Domain Name) page to configure a list of domain names to be tried in sequential order.
PARAMETERS These parameters are displayed: ◆ Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters) WEB INTERFACE To create a list of domain names: 1. Click IP Service, DNS, General. 2. Select Add Domain Name from the Action list. 3. Enter one domain name at a time. 4. Click Apply.
CONFIGURING A LIST OF NAME SERVERS Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI REFERENCES ◆ "ip name-server" on page 949 ◆ "show dns" on page 951 COMMAND USAGE ◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see "Configuring General DNS Service Parameters" on page 463).
To show the list of name servers: 1. Click IP Service, DNS, General. 2. Select Show Name Servers from the Action list. Figure 278: Showing the List of Name Servers for DNS CONFIGURING STATIC DNS HOST TO ADDRESS ENTRIES Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
4. Click Apply. Figure 279: Configuring Static Entries in the DNS Table To show static entries in the DNS table: 1. Click IP Service, DNS, Static Host Table. 2. Select Show from the Action list. Figure 280: Showing Static Entries in the DNS Table DISPLAYING THE DNS CACHE Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
CHAPTER 16 | IP Services Displaying the DNS Cache ◆ Flag – The flag is always “4” indicating a cache entry and therefore unreliable. ◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias. ◆ IP – The IP address associated with this record. ◆ TTL – The time to live reported by the name server. ◆ Domain – The host name associated with this record. WEB INTERFACE To display entries in the DNS cache: 1. Click IP Service, DNS, Cache.
CHAPTER 16 | IP Services Displaying the DNS Cache – 470 –
17 MULTICAST FILTERING This chapter describes how to configure the following multicast services:
◆ IGMP – Configuring snooping and query parameters.
◆ Filtering and Throttling – Filtering specified multicast services, or throttling the maximum number of multicast groups allowed on an interface.
◆ Multicast VLAN Registration (MVR) – Configures a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, preserving security and data isolation.
CHAPTER 17 | Multicast Filtering Layer 2 IGMP (Snooping and Query)
device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch. In this case (Layer 2) IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service.
NOTE: IGMP snooping will not function unless a multicast router port is enabled on the switch. This can be accomplished in one of two ways. A static router port can be manually configured (see "Specifying Static Interfaces for a Multicast Router" on page 477). Using this method, the router port is never timed out, and will continue to function until explicitly removed.
CONFIGURING IGMP SNOOPING AND QUERY PARAMETERS Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it immediately issues an IGMP general query.
◆ IGMP Snooping Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping.
CLI REFERENCES
◆ "Static Multicast Routing" on page 906
COMMAND USAGE IGMP Snooping must be enabled globally on the switch (see "Configuring IGMP Snooping and Query Parameters" on page 474) before a multicast router port can take effect.
PARAMETERS These parameters are displayed:
Add Static Multicast Router
◆ VLAN – Selects the VLAN which is to propagate all multicast traffic coming from the attached multicast router.
Figure 284: Configuring a Static Interface for a Multicast Router
To show the static interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
Figure 285: Showing Static Interfaces Attached to a Multicast Router
To show all interfaces attached to a multicast router: 1.
ASSIGNING INTERFACES TO MULTICAST SERVICES Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see "Configuring IGMP Snooping and Query Parameters" on page 474).
Figure 287: Assigning an Interface to a Multicast Service
To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Figure 288: Showing Static Interfaces Assigned to a Multicast Service
To show all interfaces statically or dynamically assigned to a multicast service: 1.
SETTING IGMP SNOOPING STATUS PER INTERFACE Use the Multicast > IGMP Snooping > Interface (Configure) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters" on page 474.
CLI REFERENCES
◆ "IGMP Snooping" on page 887
COMMAND USAGE Multicast Router Discovery There have been many mechanisms used in the past to identify multicast routers.
◆ Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when:
■ Multicast forwarding is disabled on an interface.
■ An interface is administratively disabled.
■ The router is gracefully shut down.
Advertisement and Termination messages are sent to the All-Snoopers multicast address.
If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period. Note that this timeout is set to Last Member Query Interval * Robustness Variable (fixed at 2) as defined in RFC 2236.
◆ Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show from the Action list.
Figure 291: Showing Interface Settings for IGMP Snooping
DISPLAYING MULTICAST GROUPS Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
Figure 292: Showing Multicast Groups Learned by IGMP Snooping
FILTERING AND THROTTLING IGMP GROUPS In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example, an IP/TV service based on a specific subscription plan.
PARAMETERS These parameters are displayed:
◆ IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch. (Default: Disabled)
WEB INTERFACE To enable IGMP filtering and throttling on the switch:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure General from the Step list.
3. Enable IGMP Filter Status.
4. Click Apply.
Add Multicast Group Range
◆ Profile ID – Selects an IGMP profile to configure.
◆ Start Multicast IP Address – Specifies the starting address of a range of multicast groups.
◆ End Multicast IP Address – Specifies the ending address of a range of multicast groups.
WEB INTERFACE To create an IGMP filter profile and set its access mode:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3.
To add a range of multicast groups to an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4. Select the profile to configure, and add a multicast group address or range of addresses.
5. Click Apply.
CONFIGURING IGMP FILTERING AND THROTTLING FOR INTERFACES Use the Multicast > IGMP Snooping > Filter (Configure Interface) page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time.
WEB INTERFACE To configure IGMP filtering or throttling for a port or trunk:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Interface from the Step list.
3. Select a profile to assign to an interface, then set the maximum number of allowed multicast groups and the throttling response.
4. Click Apply.
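The following model of an IGMP filter profile (access mode plus group ranges) applied to a port with a maximum group count is an added example written for this guide, not Edge-Core code; the profile ID, the 239.1.1.0-239.1.1.255 range, the port name and the "deny"/"replace" throttling responses are constructed assumptions.

```python
"""IGMP filter profile and per-interface throttling model (added example).

Models the behaviour of the Multicast > IGMP Snooping > Filter pages: a profile
has an access mode (permit or deny) and one or more multicast group ranges; an
interface is assigned one profile plus a maximum number of groups it may join at
once. Sample values (profile ID, ranges, throttle actions) are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    profile_id: int
    access_mode: str                                     # "permit" or "deny"
    ranges: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)

    def __post_init__(self):
        if self.access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")

    def add_range(self, start: str, end: str) -> None:
        """Add a Start/End Multicast IP Address range; both ends must be multicast."""
        s, e = IPv4Address(start), IPv4Address(end)
        if not (s.is_multicast and e.is_multicast) or s > e:
            raise ValueError(f"invalid multicast range {start}-{end}")
        self.ranges.append((s, e))

    def matches(self, group: str) -> bool:
        g = IPv4Address(group)
        return any(s <= g <= e for s, e in self.ranges)

    def allows(self, group: str) -> bool:
        """permit: only groups inside a range may be joined; deny: those are blocked."""
        hit = self.matches(group)
        return hit if self.access_mode == "permit" else not hit


@dataclass
class IgmpInterface:
    name: str
    profile: Optional[IgmpProfile] = None
    max_groups: int = 256
    throttle_action: str = "deny"   # assumed responses: deny the new join, or replace the oldest
    groups: List[str] = field(default_factory=list)

    def join(self, group: str) -> Tuple[bool, str]:
        """Decide on an IGMP membership report for `group`; returns (accepted, reason)."""
        if group in self.groups:
            return True, "already-member"
        if self.profile is not None and not self.profile.allows(group):
            return False, f"denied-by-profile-{self.profile.profile_id}"
        if len(self.groups) >= self.max_groups:
            if self.throttle_action == "deny":
                return False, "throttled"
            evicted = self.groups.pop(0)        # replace: drop the oldest membership
            self.groups.append(group)
            return True, f"replaced-{evicted}"
        self.groups.append(group)
        return True, "joined"

    def leave(self, group: str) -> None:
        if group in self.groups:
            self.groups.remove(group)


def demo() -> List[Tuple[bool, str]]:
    # constructed sample: profile 1 permits only the 239.1.1.0-239.1.1.255 IPTV block,
    # and the subscriber port may hold at most two groups at a time
    iptv = IgmpProfile(profile_id=1, access_mode="permit")
    iptv.add_range("239.1.1.0", "239.1.1.255")
    port = IgmpInterface(name="eth1/5", profile=iptv, max_groups=2)
    wanted = ("239.1.1.10", "239.1.1.11", "239.1.1.12", "224.0.1.1")
    return [port.join(g) for g in wanted]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```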
CHAPTER 17 | Multicast Filtering Multicast VLAN Registration
Figure 299: MVR Concept (Multicast Router, Satellite Services, Multicast Server, Layer 2 Switch, Source Port, Service Network, Receiver Ports, Set-top Box, PC, TV)
COMMAND USAGE
◆ General Configuration Guidelines for MVR:
1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see "Configuring Global MVR Settings" on page 495).
2.
CONFIGURING GLOBAL MVR SETTINGS Use the Multicast > MVR (Configure General) page to enable MVR globally on the switch, select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assign the multicast group address for each of these services to the MVR VLAN.
WEB INTERFACE To configure global settings for MVR:
1. Click Multicast, MVR.
2. Select Configure General from the Step list.
3. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to participating hosts.
4. Click Apply.
◆ One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for configured MVR groups or for groups which have been statically assigned (see "Assigning Static MVR Multicast Groups to Interfaces" on page 498). All source ports must belong to the MVR VLAN. Subscribers should not be directly connected to source ports.
◆ Immediate leave applies only to receiver ports.
multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
◆ Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.)
WEB INTERFACE To configure interface settings for MVR:
1. Click Multicast, MVR.
2.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned.
◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings.
PARAMETERS These parameters are displayed:
◆ Port – Port identifier.
◆ VLAN – VLAN identifier.
4. Select the port for which to display this information.
Figure 303: Showing the Static MVR Groups Assigned to a Port
DISPLAYING MVR RECEIVER GROUPS Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
Figure 304: Displaying MVR Receiver Groups
SECTION III COMMAND LINE INTERFACE This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ "Class of Service Commands" on page 857
◆ "Quality of Service Commands" on page 869
◆ "Multicast Filtering Commands" on page 887
◆ "LLDP Commands" on page 921
◆ "Domain Name Service Commands" on page 945
◆ "DHCP Commands" on page 955
◆ "IP Interface Commands" on page 961
18 USING THE COMMAND LINE INTERFACE This chapter describes how to use the Command Line Interface (CLI).
ACCESSING THE CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell (SSH) connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
CHAPTER 18 | Using the Command Line Interface Accessing the CLI
TELNET CONNECTION Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and a host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
NOTE: You can open up to four sessions to the device via Telnet.
ENTERING COMMANDS This section describes how to enter CLI commands.
KEYWORDS AND ARGUMENTS A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
GETTING HELP ON COMMANDS You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
SHOWING COMMANDS If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
(continuation of the show ? keyword list)
  snmp                  Simple Network Management Protocol configuration and statistics
  sntp                  Simple Network Time Protocol configuration
  spanning-tree         Spanning-tree configuration
  ssh                   Secure shell server connections
  startup-config        Startup system configuration
  subnet-vlan           IP subnet-based VLAN information
  system                System information
  tacacs-server         TACACS server informat
  tech-support
  time-range
  traffic-segmentation
  upgrade
  users
  version
  vlan
  voice
  web-auth
Console#show
USING COMMAND HISTORY The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed. Using the show history command displays a longer list of recently executed commands.
UNDERSTANDING COMMAND MODES The command set is divided into Exec and Configuration classes.
To enter Privileged Exec mode, enter the following user names and passwords:
Username: admin
Password: [admin login password]
CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].
Console#
Username: guest
Password: [guest login password]
CLI session with the ECS3510-26P is opened.
To end the CLI session, enter [Exit].
◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces.
◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists.
◆ VLAN Configuration - Includes the command to create VLAN groups.
To enter the Global Configuration mode, enter the command configure in Privileged Exec mode.
COMMAND LINE PROCESSING Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
CLI COMMAND GROUPS The system commands can be broken down into the functional groups shown below.
Table 40: Command Group Index (Continued)
Command Group | Description | Page
Quality of Service | Configures Differentiated Services | 869
Multicast Filtering | Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router; also configures multicast VLAN registration | 887
Link Layer Discovery Protocol | Configures LLDP settings to enable information discovery about neighbor devices | 921
19 GENERAL COMMANDS The general commands are used to control the command access mode, configuration mode, and other basic functions.
CHAPTER 19 | General Commands
EXAMPLE
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
COMMAND USAGE
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (see "copy" on page 536).
EXAMPLE
Console>enable
Password: [privileged level password]
Console#
RELATED COMMANDS
disable (522)
enable password (610)
quit This command exits the configuration program.
DEFAULT SETTING None
COMMAND MODE Normal Exec, Privileged Exec
COMMAND USAGE The quit and exit commands can both exit the configuration program.
EXAMPLE In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the conf
disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes" on page 510.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
COMMAND USAGE The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload This command displays the current reload settings, and the time at which the next scheduled reload will take place.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end This command returns to Privileged Exec mode.
EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
20 SYSTEM MANAGEMENT COMMANDS The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
CHAPTER 20 | System Management Commands System Status hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. SYNTAX hostname name no hostname name - The name of this host. (Maximum length: 255 characters) DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console(config)#hostname RD#1 Console(config)# SYSTEM STATUS This section describes commands used to display system information.
CHAPTER 20 | System Management Commands System Status show access-list This command shows utilization parameters for TCAM (Ternary Content tcam-utilization Addressable Memory), including the number policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
CHAPTER 20 | System Management Commands System Status show process cpu This command shows the CPU utilization parameters. COMMAND MODE Normal Exec, Privileged Exec EXAMPLE Console#show process cpu CPU Utilization in the past 5 seconds : 3.98% Console# show This command displays the configuration information currently in use.
CHAPTER 20 | System Management Commands System Status username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca ! vlan database vlan 1 name DefaultVlan media ethernet state active ! spanning-tree mst configuration ! interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 qos map dscp-mutation 6 0 from 46 . . . ! interface vlan 1 ip address 192.168.1.10 255.255.255.
CHAPTER 20 | System Management Commands System Status ■ Any configured settings for the console port and Telnet EXAMPLE Refer to the example for the running configuration file. RELATED COMMANDS show running-config (528) show system This command displays system information. DEFAULT SETTING None COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE ◆ For a description of the items shown by this command, refer to "Displaying System Information" on page 97.
CHAPTER 20 | System Management Commands System Status show tech-support This command displays a detailed list of system settings designed to help technical support resolve configuration or functional problems. COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE This command generates a long list of information including detailed system and interface settings.
CHAPTER 20 | System Management Commands System Status EXAMPLE Console#show users User Name Accounts: User Name Privilege --------- --------admin 15 guest 0 steve 15 Public-Key ---------None None RSA Online Users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------0 console admin 0:14:14 * 1 VTY 0 admin 0:00:00 192.168.1.19 2 SSH 1 steve 0:00:06 192.168.1.
CHAPTER 20 | System Management Commands Frame Size FRAME SIZE This section describes commands used to configure the Ethernet frame size on the switch. Table 45: Frame Size Commands Command Function Mode jumbo frame Enables support for jumbo frames GC jumbo frame This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.
CHAPTER 20 | System Management Commands File Management FILE MANAGEMENT Managing Firmware Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
CHAPTER 20 | System Management Commands File Management General Commands boot system This command specifies the file or image used to start up the system. SYNTAX boot system {boot-rom | config | opcode}: filename boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code. filename - Name of configuration file or code image. * The colon (:) is required.
CHAPTER 20 | System Management Commands File Management copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
CHAPTER 20 | System Management Commands File Management ◆ The Boot ROM cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. ◆ For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate" on page 308. For information on configuring the switch to use HTTPS for a secure connection, see the ip http secure-server command.
CHAPTER 20 | System Management Commands File Management The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from an TFTP server.
CHAPTER 20 | System Management Commands File Management delete This command deletes a file or image. SYNTAX delete filename filename - Name of configuration file or code image. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE ◆ If the file type is used for system startup, then this file cannot be deleted. ◆ “Factory_Default_Config.cfg” cannot be deleted. EXAMPLE This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.
CHAPTER 20 | System Management Commands File Management COMMAND USAGE If you enter the command dir without any parameters, the system displays all files. ◆ File information is shown below: Table 47: File Directory Information Column Heading Description File Name The name of the file. File Type File types: Boot-Rom, Operation Code, and Config file. Startup Shows if this file is used when the system is started. Create Time The date and time the file was created.
CHAPTER 20 | System Management Commands File Management EXAMPLE This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modify Time Size(bytes) -------------------------------- ------- ------- ------------------- ---------Unit 1: ECS4110-24T_Op_V0.0.0.1.bix OpCode Y 2012-11-29 01:31:57 11331488 startup1.
CHAPTER 20 | System Management Commands File Management 4. It then restarts the system to start using the new image. ◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands. EXAMPLE Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup. . . .
CHAPTER 20 | System Management Commands File Management ◆ The name for the new image stored on the TFTP server must be ECS4110-24T_Op.bix10. However, note that file name is not to be included in this command. ◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.
CHAPTER 20 | System Management Commands Line LINE You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
CHAPTER 20 | System Management Commands Line DEFAULT SETTING There is no default line. COMMAND MODE Global Configuration COMMAND USAGE Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
CHAPTER 20 | System Management Commands Line EXAMPLE To specify 7 data bits, enter this command: Console(config-line)#databits 7 Console(config-line)# RELATED COMMANDS parity (548) exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. SYNTAX exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the timeout interval.
CHAPTER 20 | System Management Commands Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. SYNTAX login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
CHAPTER 20 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. SYNTAX parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity DEFAULT SETTING No parity COMMAND MODE Line Configuration COMMAND USAGE Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
CHAPTER 20 | System Management Commands Line COMMAND USAGE ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
EXAMPLE
To set the password threshold to five attempts, enter this command:
Console(config-line)#password-thresh 5
Console(config-line)#
RELATED COMMANDS
silent-time (550)

silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
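The following is an added illustration of the password-thresh and silent-time behaviour just described; it is not the switch's firmware. It models the documented rules (count failed logins on a line, drop the line when the threshold is reached, refuse connections for the silent period) with an injected clock so the lockout can be reasoned about and tested. The threshold, silent time and sample password are constructed values.

```python
"""Model of per-line login throttling: password-thresh and silent-time."""
import hmac
from dataclasses import dataclass, field


@dataclass
class LineGuard:
    """One password-protected terminal line (console or VTY)."""
    password_thresh: int = 3        # failed attempts before the line is dropped (constructed)
    silent_time: float = 30.0       # seconds the line stays inaccessible afterwards (constructed)
    secret: str = "example-only"    # constructed sample password, never a real credential
    failures: int = 0
    silent_until: float = 0.0
    audit: list = field(default_factory=list)   # events a SIEM would want to see

    def state(self, now: float) -> str:
        """'silent' while the console refuses connections, otherwise 'idle'."""
        return "silent" if now < self.silent_until else "idle"

    def attempt(self, password: str, now: float) -> str:
        """Process one login attempt at time `now` (seconds).

        Returns 'silent', 'accepted', 'rejected' or 'disconnected'.
        """
        if now < self.silent_until:
            self.audit.append((now, "refused-during-silent-time"))
            return "silent"
        # constant-time comparison so response timing does not leak the secret
        if hmac.compare_digest(password.encode(), self.secret.encode()):
            self.failures = 0
            self.audit.append((now, "login-ok"))
            return "accepted"
        self.failures += 1
        self.audit.append((now, f"login-failed attempt={self.failures}"))
        if self.failures >= self.password_thresh:
            # threshold reached: terminate the line, return it to idle and start
            # the silent time (silent_time == 0 models "no silent-time")
            self.failures = 0
            self.silent_until = now + self.silent_time
            self.audit.append((now, f"line-dropped silent-until={self.silent_until}"))
            return "disconnected"
        return "rejected"
```

The audit list is the point for operations: a burst of `login-failed` events followed by `line-dropped` on a VTY is exactly the pattern a detection rule for management-plane brute forcing should key on.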
DEFAULT SETTING
auto
COMMAND MODE
Line Configuration
COMMAND USAGE
Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
SYNTAX
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval. (Range: 0 - 300 seconds for CLI.
EXAMPLE
Console#disconnect 1
Console#
RELATED COMMANDS
show ssh (644)
show users (531)

terminal
This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting.
EXAMPLE
This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
Console#terminal length 48
Console#

show line
This command displays the terminal line’s parameters.
SYNTAX
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
CHAPTER 20 | System Management Commands Event Logging EVENT LOGGING This section describes commands used to configure event logging on the switch.
logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
SYNTAX
logging history {flash | ram} level
no logging history {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
SYNTAX
[no] logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Use this command more than once to build up a list of host IP addresses.
RELATED COMMANDS
logging history (556)
logging trap (558)
clear log (558)

logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
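As an added example (not code from the guide), the model below shows how the logging history and logging trap thresholds interact for a single event and how a forwarded message is framed for the hosts added with logging host. The level list on this page is cut off, so the example assumes the standard syslog severity scale (0 = emergency through 7 = debug) in which a threshold of N keeps levels N down to 0; the facility, hosts, thresholds and events are constructed.

```python
"""Severity filtering for local history, remote trap hosts, and syslog framing."""
from dataclasses import dataclass, field

# Standard syslog severities (assumption: the guide's own table is not on this page).
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notice", 6: "informational", 7: "debug"}
LOCAL7 = 23   # facility commonly used for network gear (constructed choice)


@dataclass
class LoggingConfig:
    history_flash: int = 3       # "logging history flash 3" (constructed)
    history_ram: int = 7         # "logging history ram 7" (constructed)
    trap_level: int = 6          # "logging trap 6" (constructed)
    trap_enabled: bool = True    # "no logging trap" clears this
    hosts: list = field(default_factory=list)   # built up by repeated "logging host"

    def destinations(self, severity: int) -> dict:
        """Where one event of `severity` is stored or sent.

        Lower numbers are more severe, so an event passes a threshold when
        its severity is numerically <= the configured level.
        """
        if severity not in SEVERITY:
            raise ValueError(f"severity must be 0-7, got {severity}")
        forward = self.trap_enabled and severity <= self.trap_level
        return {
            "flash": severity <= self.history_flash,
            "ram": severity <= self.history_ram,
            "trap_hosts": list(self.hosts) if forward else [],
        }


def frame(severity: int, hostname: str, tag: str, msg: str,
          facility: int = LOCAL7) -> str:
    """Build a BSD-style syslog line; PRI = facility * 8 + severity."""
    if severity not in SEVERITY:
        raise ValueError("bad severity")
    return f"<{facility * 8 + severity}>{hostname} {tag}: {msg}"


def parse_pri(line: str) -> tuple:
    """Recover (facility, severity) from a received '<PRI>...' line."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> header")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8
```

A practical consequence visible in the model: with `history_flash` at 3 a failed-login notice (severity 5) survives only in RAM and on the remote hosts, so the syslog collector, not the switch, is the durable record for security events.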
COMMAND MODE
Privileged Exec
EXAMPLE
Console#clear log
Console#
RELATED COMMANDS
show log (559)

show log
This command displays the log messages stored in local memory.
SYNTAX
show log {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
SYNTAX
show logging {flash | ram | sendmail | trap}
flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
CHAPTER 20 | System Management Commands SMTP Alerts
Remote Log Server IP Address : 1.2.3.4
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Console#

Table 52: show logging trap - display description
Field              Description
Remote Log Status  Shows if remote logging has been enabled via the logging trap command.
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#logging sendmail
Console(config)#

logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
SYNTAX
[no] logging sendmail host host [username username password password auth-basic]
host - IP address or alias of an SMTP server that will be sent alert messages for event handling.
username - Name of SMTP server user.
logging sendmail level
This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting.
SYNTAX
logging sendmail level level
no logging sendmail level
level - One of the system message levels (page 556). Messages sent include the selected level down to level 0.
EXAMPLE
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#

logging sendmail source-email
This command sets the email address used for the “From” field in alert messages. Use the no form to restore the default value.
SYNTAX
logging sendmail source-email email-address
no logging sendmail source-email
email-address - The source email address used in alert messages.
CHAPTER 20 | System Management Commands Time
SMTP Status: Enabled
Console#

TIME
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
COMMAND USAGE
◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
◆ This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
RELATED COMMANDS
sntp client (565)

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
SYNTAX
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP).
EXAMPLE
Console#show sntp
Current Time : Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#

Manual Configuration Commands

clock summer-time
This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time zone relative to the currently configured time zone.
corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
EXAMPLE
Console(config)#clock timezone Japan hours 8 minute 0 after-UTC
Console(config)#
RELATED COMMANDS
show sntp (567)

clock timezone-predefined
This command uses predefined time zone configurations to set the time zone for the switch’s internal clock. Use the no form to restore the default.
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
SYNTAX
calendar set hour min sec {day month year | month day year}
hour - Hour in 24-hour format. (Range: 0 - 23)
min - Minute. (Range: 0 - 59)
sec - Second. (Range: 0 - 59)
day - Day of month.
CHAPTER 20 | System Management Commands Time Range
Summer Time in Effect : No
Console#

TIME RANGE
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
absolute
This command sets the time range for the execution of a command. Use the no form to remove a previously specified time.
SYNTAX
absolute start hour minute day month year [end hour minutes day month year]
absolute end hour minutes day month year
no absolute
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
day - Day of month.
periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
CHAPTER 20 | System Management Commands Switch Clustering
show time-range
This command shows configured time ranges.
SYNTAX
show time-range [name]
name - Name of the time range.
then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses.
◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ A switch can only be a Member of one cluster.
◆ Configured switch clusters are maintained across power resets and network changes.
EXAMPLE
Console(config)#cluster
Console(config)#

cluster commander
This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander.
cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.
SYNTAX
cluster ip-pool ip-address
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start with 10.x.x.x.
DEFAULT SETTING
10.254.254.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The maximum number of cluster Members is 36.
◆ The maximum number of cluster Candidates is 100.
EXAMPLE
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#

rcommand
This command provides access to a cluster Member CLI for configuration.
SYNTAX
rcommand id member-id
member-id - The ID number of the Member switch.
Heartbeat Loss Count : 3 seconds
Number of Members : 1
Number of Candidates : 2
Console#

show cluster members
This command shows the current switch cluster members.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show cluster members
Cluster Members:
ID : 1
Role : Active member
IP Address : 10.254.254.
21 SNMP COMMANDS SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
CHAPTER 21 | SNMP Commands General SNMP Commands
Table 57: SNMP Commands (Continued)
Command                    Function                                                   Mode
Notification Log Commands
nlm                        Enables the specified notification log                     GC
snmp-server notify-filter  Creates a notification log and specifies the target host   GC
show nlm oper-status       Shows operation status of configured notification logs     PE
show snmp notify-filter    Displays the configured notification logs                  PE
ATC Trap Commands
snmp-server enable port-   Sends a trap when broadcast traffic falls
EXAMPLE
Console(config)#snmp-server
Console(config)#

snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.
SYNTAX
snmp-server community string [ro | rw]
no snmp-server community string
string - Community string that acts like a password and permits access to the SNMP protocol.
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#snmp-server contact Paul
Console(config)#
RELATED COMMANDS
snmp-server location (584)

snmp-server location
This command sets the system location string. Use the no form to remove the location string.
SYNTAX
snmp-server location text
no snmp-server location
text - String that describes the system location.
CHAPTER 21 | SNMP Commands SNMP Target Host Commands
EXAMPLE
Console#show snmp
SNMP Agent : Enabled
SNMP Traps :
 Authentication : Enabled
 Link-up-down : Enabled
SNMP Communities :
 1. public, and the access level is read-only
 2.
COMMAND USAGE
◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled.
community-string - Password-like community string sent with the notification operation to SNMP V1 and V2c hosts. Although you can set this string using the snmp-server host command by itself, we recommend defining it with the snmp-server community command prior to using the snmp-server host command. (Maximum length: 32 characters)
version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps.
To send an inform to an SNMPv2c host, complete these steps:
1. Enable the SNMP agent (page 582).
2. Create a view with the required notification messages (page 592).
3. Create a group that includes the required notify view (page 590).
4. Allow the switch to send SNMP traps; i.e., notifications (page 585).
5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
CHAPTER 21 | SNMP Commands SNMPv3 Commands
SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
SYNTAX
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.
remote - Specifies an SNMP engine on a remote device.
ip-address - The Internet address of the remote device.
EXAMPLE
Console(config)#snmp-server engine-id local 1234567890
Console(config)#snmp-server engineID remote 9876543210 192.168.1.19
Console(config)#
RELATED COMMANDS
snmp-server host (586)

snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
◆ For additional information on the notification messages supported by this switch, see Table 32, "Supported Notification Messages," on page 406. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.
COMMAND USAGE
◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch.
DEFAULT SETTING
defaultview (includes access to the entire MIB tree)
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
◆ The predefined view “defaultview” includes access to the entire MIB tree.
EXAMPLES
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.
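To make the view/group relationship concrete, here is an added model (not the switch's implementation) of how a view restricts a group to part of the MIB tree: a view is a list of subtrees marked included or excluded, the most specific matching subtree decides, and a group binds a security model to separate read, write and notify views, as the snmp-server group command does. Only "defaultview" covering the whole tree is taken from the guide; the "mib-2" entries, the group names and the OIDs checked are constructed.

```python
"""View-based MIB access checks for SNMP groups."""
from dataclasses import dataclass
from typing import Optional, Tuple


def oid(text: str) -> Tuple[int, ...]:
    """Parse a dotted OID such as '1.3.6.1.2.1' into a tuple of integers."""
    return tuple(int(p) for p in text.strip(".").split("."))


@dataclass
class View:
    name: str
    entries: list   # [(subtree, included)]; the most specific matching subtree wins

    def permits(self, target: str) -> bool:
        t = oid(target)
        best = None
        for subtree, included in self.entries:
            s = oid(subtree)
            if t[:len(s)] == s and (best is None or len(s) > len(best[0])):
                best = (s, included)
        return best is not None and best[1]


@dataclass
class Group:
    name: str
    security_model: str             # v1, v2c or v3
    read_view: Optional[str]
    write_view: Optional[str]
    notify_view: Optional[str]


def authorize(views: dict, group: Group, op: str, target: str) -> bool:
    """True if `op` ('read', 'write' or 'notify') on `target` falls inside the group's view."""
    view_name = {"read": group.read_view, "write": group.write_view,
                 "notify": group.notify_view}[op]
    if view_name is None or view_name not in views:
        return False                # no view bound, or a dangling name: fail closed
    return views[view_name].permits(target)


VIEWS = {
    # whole MIB tree, as the guide describes the predefined view
    "defaultview": View("defaultview", [("1", True)]),
    # constructed: MIB-2, except the IP address table under ip (1.3.6.1.2.1.4.20)
    "mib-2": View("mib-2", [("1.3.6.1.2.1", True), ("1.3.6.1.2.1.4.20", False)]),
}
# constructed groups: a read-only monitoring group and a full-access admin group
OPS = Group("ops", "v3", read_view="mib-2", write_view=None, notify_view="mib-2")
ADMIN = Group("admin", "v3", read_view="defaultview", write_view="defaultview",
              notify_view="defaultview")
```

The fail-closed branch matters in practice: a group whose write view is left unset should never be granted writes by accident, and a view name that does not resolve is treated the same way.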
Table 58: show snmp engine-id - display description
Field                   Description
Local SNMP engineID     String identifying the engine ID.
Local SNMP engineBoots  The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Remote SNMP engineID    String identifying an engine ID on a remote device.
IP address              IP address of the device containing the corresponding remote SNMP engine.
Console#

Table 59: show snmp group - display description
Field           Description
Group Name      Name of an SNMP group.
Security Model  The SNMP version.
Read View       The associated read view.
Write View      The associated write view.
Notify View     The associated notify view.
Storage Type    The storage type for this entry.
Row Status      The row status of this entry.

show snmp user
This command shows information on SNMP users.
CHAPTER 21 | SNMP Commands Notification Log Commands
Table 60: show snmp user - display description (Continued)
Field             Description
Row Status        The row status of this entry.
SNMP remote user  A user associated with an SNMP engine on a remote device.

show snmp view
This command shows information on the SNMP views.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
◆ Disabling logging with this command does not delete the entries stored in the notification log.
EXAMPLE
This example enables the notification logs A1 and A2.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
◆ If notification logging is not configured and enabled, when the switch reboots, some SNMP traps (such as warm start) cannot be logged.
Oper-Status: Operational
Console#

show snmp notify-filter
This command displays the configured notification logs.
COMMAND MODE
Privileged Exec
EXAMPLE
This example displays the configured notification logs and associated target hosts. Note that the last entry is a default filter created when a trap host is initially created.
Console#show snmp notify-filter
Filter profile name           IP address
----------------------------  ---------------
A1                            10.1.19.23
A2                            10.
22 REMOTE MONITORING COMMANDS Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
SYNTAX
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
EXAMPLE
Console(config)#rmon alarm 1 1 1.3.6.1.2.1.16.1.1.1.6.
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
EXAMPLE
Console(config)#rmon event 2 log description urgent owner mike
Console(config)#

rmon collection history
This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling.
show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike
Console(config-if)#

show rmon alarms
This command shows the settings for all configured alarms.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon alarms
Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers packets,
0 CRC alignment errors and 0 collisions.
# of dropped packet events is 0
Network utilization is estimated at 0
. . .

show rmon statistics
This command shows the information collected for all configured entries in the statistics group.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon statistics
Interface 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
23 AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 23 | Authentication Commands User Accounts
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
SYNTAX
enable password [level level] {0 | 7} password
no enable password [level level]
level - Level 15 for Privileged Exec. (Levels 0-14 are not used.
username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
SYNTAX
username name {access-level level | nopassword | password {0 | 7} password}
no username name
name - The name of the user. (Maximum length: 8 characters, case sensitive.
CHAPTER 23 | Authentication Commands Authentication Sequence AUTHENTICATION SEQUENCE Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
EXAMPLE
Console(config)#authentication enable radius
Console(config)#
RELATED COMMANDS
enable password - sets the password for changing command modes (610)

authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.
SYNTAX
authentication login {[local] [radius] [tacacs]}
no authentication login
local - Use local password.
radius - Use RADIUS server password.
CHAPTER 23 | Authentication Commands RADIUS Client
RELATED COMMANDS
username - for setting the local user names and passwords (611)

RADIUS CLIENT
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
SYNTAX
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication messages.
DEFAULT SETTING
auth-port - 1812
acct-port - 1813
timeout - 5 seconds
retransmit - 2
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green
Console(config)#

radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
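What the RADIUS key actually protects is worth seeing in code, because it explains why the key must match on both ends and why a weak key is a problem. The functions below are an added example written from RFC 2865, not code from the guide or the switch: the User-Password attribute in an Access-Request is hidden by XORing 16-byte blocks with MD5(secret + previous block), and every reply carries a Response Authenticator, MD5 over the reply and the secret, that the client must verify before trusting an Access-Accept. The key "green" is the value from the example above; the authenticator and packet bytes are constructed test data. (MD5 here is what the protocol mandates, not a recommendation.)

```python
"""RFC 2865 User-Password hiding and Response Authenticator verification."""
import hashlib
import hmac


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Client side: pad to 16-byte blocks, XOR each with MD5(S + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    padded = padded or b"\x00" * 16                      # empty password still sends one block
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk            # chaining: the next keystream block depends on this ciphertext
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side: inverse of hide_password (trailing NUL padding is stripped)."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(secret: bytes, code: int, ident: int,
                           request_auth: bytes, attributes: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) for a reply."""
    length = 20 + len(attributes)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(secret: bytes, code: int, ident: int, request_auth: bytes,
                attributes: bytes = b"") -> bytes:
    """Assemble a reply packet as a server would (code 2 = Access-Accept, 3 = Access-Reject)."""
    auth = response_authenticator(secret, code, ident, request_auth, attributes)
    return bytes([code, ident]) + (20 + len(attributes)).to_bytes(2, "big") + auth + attributes


def reply_is_authentic(secret: bytes, reply: bytes, request_auth: bytes) -> bool:
    """Client check: drop any reply whose authenticator does not verify under the shared key.

    A failure means the reply was forged or altered in transit, or the keys differ."""
    if len(reply) < 20 or int.from_bytes(reply[2:4], "big") != len(reply):
        return False
    expected = response_authenticator(secret, reply[0], reply[1], request_auth, reply[20:])
    return hmac.compare_digest(expected, reply[4:20])
```

Two defender-side observations fall out of this: the password hiding is only as strong as the secret (an attacker holding the key and a capture can run reveal_password), and an Access-Accept that fails reply_is_authentic must be treated as no reply at all, not as a rejection.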
DEFAULT SETTING
2
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server retransmit 5
Console(config)#

radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
SYNTAX
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
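The authentication login method list (page 611 above) and the radius-server timeout / retransmit parameters combine into one login sequence, modelled below as an added example that is not the switch's code. A remote method that never answers is retried `retransmit` times, each try waiting `timeout` seconds, and only then does the switch move on to the next method in the list; with the guide's defaults (timeout 5, retransmit 2) that is ten seconds before a local fallback is consulted. One assumption is made that this page does not state (it is common AAA practice): an explicit reject from a method ends the sequence, and only silence falls through. The servers are simulated callables and the credentials are constructed.

```python
"""Login method-list evaluation with remote-server retry parameters."""
import hmac
from typing import Callable, Optional

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


class RemoteMethod:
    """A RADIUS or TACACS+ client with the documented retry parameters."""

    def __init__(self, name: str, server: Callable[[str, str], Optional[str]],
                 timeout: int = 5, retransmit: int = 2):
        self.name, self.server = name, server
        self.timeout, self.retransmit = timeout, retransmit
        self.attempts = 0
        self.waited = 0          # simulated seconds spent waiting on this server

    def authenticate(self, user: str, password: str) -> str:
        for _ in range(self.retransmit):
            self.attempts += 1
            verdict = self.server(user, password)   # None models a lost or absent reply
            if verdict is not None:
                return verdict
            self.waited += self.timeout             # wait out the timeout, then resend
        return NO_RESPONSE


class LocalMethod:
    """The switch's local user database (username command)."""

    def __init__(self, users: dict):
        self.name, self.users = "local", users

    def authenticate(self, user: str, password: str) -> str:
        stored = self.users.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            return ACCEPT
        return REJECT


def login(methods, user: str, password: str) -> dict:
    """Walk the method list in configured precedence; return the decision and its trail."""
    trail = []
    for method in methods:
        verdict = method.authenticate(user, password)
        trail.append((method.name, verdict))
        if verdict in (ACCEPT, REJECT):            # assumption: a definite answer is final
            return {"result": verdict, "decided_by": method.name, "trail": trail}
    return {"result": REJECT, "decided_by": None, "trail": trail}   # nobody answered: deny


# constructed simulated servers
def unreachable(user: str, password: str):
    return None


def rejecting(user: str, password: str):
    return REJECT
```

The trail is what an incident responder wants from the switch's own log: whether an admin session was granted by RADIUS or by the local fallback after the server went silent is a materially different event.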
CHAPTER 23 | Authentication Commands TACACS+ Client
Retransmit Times : 2
Request Timeout : 5
Key :
Server 1:
 Server IP Address : 192.168.1.
 Authentication Port Number :
 Accounting Port Number :
 Retransmit Times :
 Request Timeout :
 Key :
port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1-30)
timeout - Number of seconds the switch waits for a reply before resending a request.
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
SYNTAX
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication messages.
CHAPTER 23 | Authentication Commands AAA
AAA
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
Table 69: AAA Commands
Command                  Function                                  Mode
aaa accounting commands  Enables accounting of Exec mode commands  GC
aaa accounting dot1x     Enables accounting of 802.
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters)
DEFAULT SETTING
Accounting is not enabled
No servers are specified
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The accounting of Exec mode commands is only supported by TACACS+ servers.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.
◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting.
EXAMPLE
Console(config)#aaa accounting update periodic 30
Console(config)#

aaa authorization exec
This command enables the authorization for Exec access. Use the no form to disable the authorization service.
aaa group server
Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
SYNTAX
[no] aaa group server {radius | tacacs+} group-name
radius - Defines a RADIUS server group.
tacacs+ - Defines a TACACS+ server group.
group-name - A text string that names a security server group.
EXAMPLE
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#

accounting dot1x
This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
SYNTAX
accounting dot1x {default | list-name}
no accounting dot1x
default - Specifies the default method list created with the aaa accounting dot1x command.
EXAMPLE
Console(config)#line console
Console(config-line)#accounting exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec default
Console(config-line)#

authorization exec
This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
CHAPTER 23 | Authentication Commands Web Server
user-name - Displays accounting records for a specifiable username.
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
SYNTAX
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.
CHAPTER 23 | Authentication Commands Web Server ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. SYNTAX ip http secure-port port_number no ip http secure-port port_number – The UDP port used for HTTPS.
CHAPTER 23 | Authentication Commands Web Server ◆ ◆ When you start HTTPS, the connection is established in this way: ■ The client authenticates the server using the server’s digital certificate. ■ The client and server negotiate a set of security protocols to use for the connection. ■ The client and server generate session keys for encrypting and decrypting data. The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6.
CHAPTER 23 | Authentication Commands Telnet Server
TELNET SERVER
This section describes commands used to configure Telnet management access to the switch.
ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
SYNTAX
ip telnet port port-number
no ip telnet port
port-number - The TCP port number to be used by the Telnet interface.
show ip telnet
This command displays the configuration settings for the Telnet server.
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 4
Console#
CHAPTER 23 | Authentication Commands Secure Shell
SECURE SHELL
This section describes the commands used to configure the SSH server.
Table 73: Secure Shell Commands (Continued)
Command | Function | Mode
show ssh | Displays the status of current SSH sessions | PE
show users | Shows SSH users, including privilege level and public key type | PE
Configuration Guidelines
The SSH server on this switch supports both password and public key authentication.
4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b.
c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
NOTE: The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
SYNTAX
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
DEFAULT SETTING
10 seconds
COMMAND MODE
Global Configuration
COMMAND USAGE
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
EXAMPLE
Console#delete public-key admin dsa
Console#
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
SYNTAX
ip ssh crypto host-key generate [dsa | rsa]
dsa – DSA (Version 2) key type.
rsa – RSA (Version 1) key type.
DEFAULT SETTING
Generates both the DSA and RSA key pairs.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ The switch uses only RSA Version 1 for SSHv1.
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
SYNTAX
ip ssh crypto zeroize [dsa | rsa]
dsa – DSA key type.
rsa – RSA key type.
DEFAULT SETTING
Clears both the DSA and RSA key.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
RELATED COMMANDS
ip ssh crypto host-key generate (641)
show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#
show public-key
This command shows the public key for the specified user or for the host.
CHAPTER 23 | Authentication Commands 802.1X Port Authentication
802.1X PORT AUTHENTICATION
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 75: 802.
Table 75: 802.1X Port Authentication Commands (Continued)
Command | Function | Mode
dot1x timeout start-period | Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator | IC
Display Information Commands
show dot1x | Shows all dot1x related information | PE
General Commands
dot1x default
This command sets all configurable dot1x global and port settings to their default values.
EXAMPLE
This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
Console(config)#dot1x eapol-pass-through
Console(config)#
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
COMMAND USAGE
For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
SYNTAX
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
RELATED COMMANDS
dot1x timeout re-authperiod (651)
dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 648) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#
dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
SYNTAX
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds.
DEFAULT
30 seconds
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
SYNTAX
dot1x re-authenticate [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Supplicant Commands
dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.
SYNTAX
dot1x identity profile {username username | password password}
no dot1x identity profile {username | password}
username - Specifies the supplicant user name. (Range: 1-8 characters)
password - Specifies the supplicant password.
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#
dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.
SYNTAX
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds.
dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
SYNTAX
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds.
◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 654).
◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items:
◆ 802.
◆ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
Reauthentication State Machine State – Current state (including initialize, reauthenticate).
EXAMPLE
Console#show dot1x
Global 802.
CHAPTER 23 | Authentication Commands Management IP Filter
Identifier(Server) : 2
Reauthentication State Machine State : Initialize
Console#
MANAGEMENT IP FILTER
This section describes commands used to configure IP management access to the switch.
◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
TELNET-Client:
Start IP address    End IP address
----------------------------------------------
1. 192.168.1.19     192.168.1.19
2. 192.168.1.25     192.168.1.
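The following is an added example, not part of the guide or the switch software: it models the management IP filter rules stated above (three access groups, at most five entries each, no overlapping ranges within a group, overlap allowed across groups) so the acceptance rule can be checked against sample input. The group names and the rule that an empty group leaves access unrestricted are assumptions.

```python
# Added example (not from the switch's own software): the management IP
# filter acceptance rules described above. Group names and the
# "empty group means unrestricted" behaviour are assumptions.
import ipaddress

MAX_ENTRIES_PER_GROUP = 5            # "up to five different sets of addresses"
GROUPS = ("snmp", "web", "telnet")   # assumed names for the three groups


class ManagementIpFilter:
    def __init__(self):
        # each group holds closed integer intervals (start, end)
        self.groups = {g: [] for g in GROUPS}

    @staticmethod
    def _interval(start, end=None):
        s = int(ipaddress.IPv4Address(start))
        e = int(ipaddress.IPv4Address(end if end is not None else start))
        if e < s:
            raise ValueError("end address precedes start address")
        return s, e

    def add(self, group, start, end=None):
        """Add an address or range to a group. Returns True when accepted,
        False when the group is full or the range overlaps an existing entry
        of the same group (the switch rejects such input). Overlap with an
        entry of a different group is not checked, as the text states."""
        entries = self.groups[group]
        if len(entries) >= MAX_ENTRIES_PER_GROUP:
            return False
        s, e = self._interval(start, end)
        # two closed intervals overlap unless one lies entirely before the other
        if any(s <= xe and xs <= e for xs, xe in entries):
            return False
        entries.append((s, e))
        return True

    def permits(self, group, address):
        """True when the address falls inside an entry of the group. An empty
        group is treated as unrestricted (assumption, not from the page)."""
        entries = self.groups[group]
        if not entries:
            return True
        a = int(ipaddress.IPv4Address(address))
        return any(s <= a <= e for s, e in entries)

    def show(self, group):
        """Render a group in the layout of the show output above."""
        lines = [f"{group.upper()}-Client:", "Start IP address    End IP address"]
        for n, (s, e) in enumerate(self.groups[group], 1):
            lines.append(f"{n}. {ipaddress.IPv4Address(s)!s:<16} {ipaddress.IPv4Address(e)}")
        return "\n".join(lines)


if __name__ == "__main__":
    f = ManagementIpFilter()
    f.add("telnet", "192.168.1.19")
    f.add("telnet", "192.168.1.25", "192.168.1.30")
    print(f.show("telnet"))
```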
24 GENERAL SECURITY MEASURES
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
CHAPTER 24 | General Security Measures Port Security
PORT SECURITY
These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
CHAPTER 24 | General Security Measures Network Access (MAC Address Authentication)
RELATED COMMANDS
show interfaces status (741)
shutdown (736)
mac-address-table static (790)
NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.
Table 79: Network Access Commands (Continued)
Command | Function | Mode
show network-access mac-address-table | Displays information for entries in the secure MAC address table | PE
show network-access mac-filter | Displays information for entries in the MAC filter tables | PE
network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for a range of addresses.
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Specified addresses are exempt from network access authentication.
COMMAND USAGE
◆ The reauthentication time is a global setting and applies to all ports.
◆ When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected.
◆ While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off of the port.
NOTE: Any configuration changes for dynamic QoS are not saved to the switch configuration file.
EXAMPLE
The following example enables the dynamic QoS feature on port 1.
EXAMPLE
The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
SYNTAX
network-access max-mac-count count
no network-access max-mac-count
count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed.
◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
clear network-access mac-address-table
Use this command to clear entries from the secure MAC address table.
SYNTAX
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
EXAMPLE
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC address Aging : Disabled
Port : 1/1
MAC Authentication : Disa
MAC Authentication Intrusion action :
MAC Authentication Maximum MAC Counts :
Maximum MAC Counts :
Dynamic VLAN Assignment :
Dynamic QoS Assignment :
MAC Filter ID :
Guest VLAN :
Link Detection :
Detection Mode :
Detection Action :
Console#
CHAPTER 24 | General Security Measures Web Authentication
00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
EXAMPLE
Console#show network-access mac-address-table
---- ----------------- --------------- ---------
Port MAC-Address       RADIUS-Server   Attribute
---- ----------------- --------------- ---------
1/1  00-00-01-02-03-04 172.155.120.17  Static
1/1  00-00-01-02-03-05 172.155.120.17  Dynamic
1/1  00-00-01-02-03-06 172.155.120.17  Static
1/3  00-00-01-02-03-07 172.155.120.
NOTE: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 612).
NOTE: Web authentication cannot be configured on trunk ports.
EXAMPLE
Console(config)#web-auth login-attempts 2
Console(config)#
web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
SYNTAX
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.
EXAMPLE
Console(config)#web-auth session-timeout 1800
Console(config)#
web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
SYNTAX
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number.
show web-auth
This command displays global web authentication parameters.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout : 3600
Quiet Period : 60
Max Login Attempts : 3
Console#
show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
CHAPTER 24 | General Security Measures DHCP Snooping
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control
Port Status
---------
1/ 1 Disabled
1/ 2 Enabled
1/ 3 Disabled
1/ 4 Disabled
1/ 5 Disabled
. . .
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
SYNTAX
[no] ip dhcp snooping
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command).
ip dhcp snooping information option
This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function.
SYNTAX
[no] ip dhcp snooping information option
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.
SYNTAX
ip dhcp snooping information policy {drop | keep | replace}
drop - Drops the client's request packet instead of relaying it.
keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
EXAMPLE
This example enables MAC address verification.
Console(config)#ip dhcp snooping verify mac-address
Console(config)#
RELATED COMMANDS
ip dhcp snooping (686)
ip dhcp snooping vlan (690)
ip dhcp snooping trust (691)
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
SYNTAX
[no] ip dhcp snooping trust
DEFAULT SETTING
All interfaces are untrusted
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only messages from within the network.
clear ip dhcp snooping database flash
This command removes all dynamically learned snooping entries from flash memory.
COMMAND MODE
Privileged Exec
EXAMPLE
Console(config)#ip dhcp snooping database flash
Console(config)#
ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
show ip dhcp
This command shows the DHCP snooping configuration settings.
CHAPTER 24 | General Security Measures IP Source Guard
IP SOURCE GUARD
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping" on page 685). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.
COMMAND USAGE
◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
◆ All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command (page 698).
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
SYNTAX
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
◆ Filtering rules are implemented as follows:
■ If DHCP snooping is disabled (see page 686), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
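The following is an added example, not part of the guide or the switch software. It models one binding table and applies two rules from this chapter to it: the DHCP snooping rule that forwards a client's DECLINE or RELEASE only when a matching binding exists, and the IP source guard rule for the case where DHCP snooping is disabled (only a static entry forwards, with the MAC checked only for sip-mac). The entry fields follow the show ip source-guard binding columns; the behaviour with DHCP snooping enabled is an assumption and is marked as such in the code.

```python
# Added example (not from the switch's own software): a binding table shared
# by the DHCP snooping client-packet rule and the IP source guard rule for
# the "DHCP snooping disabled" case. Entry layout follows the
# show ip source-guard binding columns. Lookups match the "sip" keyword
# on VLAN, IP and port; "sip-mac" additionally matches the MAC.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Binding:
    mac: str          # xx-xx-xx-xx-xx-xx
    ip: str
    lease: int        # seconds; 0 means infinite (static entries)
    kind: str         # "Static" (ip source-guard) or "Dynamic" (DHCP snooping)
    vlan: int
    interface: str    # e.g. "Eth 1/5"


class BindingTable:
    def __init__(self) -> None:
        self.entries: List[Binding] = []

    def add(self, b: Binding) -> None:
        self.entries.append(b)

    def lookup(self, ip: str, vlan: int, interface: str,
               mac: Optional[str] = None) -> Optional[Binding]:
        """Match on VLAN, IP and port; also on MAC when one is given."""
        for b in self.entries:
            if (b.ip, b.vlan, b.interface) != (ip, vlan, interface):
                continue
            if mac is not None and b.mac.lower() != mac.lower():
                continue
            return b
        return None


def dhcp_client_release_forwarded(table: BindingTable, mac: str, ip: str,
                                  vlan: int, interface: str) -> bool:
    """A client's DECLINE/RELEASE is forwarded only if a binding exists for it."""
    return table.lookup(ip, vlan, interface, mac) is not None


def ip_source_guard_forwards(table: BindingTable, mode: str, mac: str, ip: str,
                             vlan: int, interface: str,
                             dhcp_snooping_enabled: bool = False) -> bool:
    """mode is "sip" (check IP) or "sip-mac" (check IP and MAC)."""
    if mode not in ("sip", "sip-mac"):
        raise ValueError("mode must be sip or sip-mac")
    b = table.lookup(ip, vlan, interface, mac if mode == "sip-mac" else None)
    if b is None:
        return False
    if not dhcp_snooping_enabled:
        return b.kind == "Static"   # rule quoted above: static entries only
    return True   # assumption: with snooping enabled, dynamic bindings forward too


def sample_table() -> BindingTable:
    """The entry from the show ip source-guard binding output in this chapter,
    plus a constructed dynamic (DHCP-learned) entry."""
    t = BindingTable()
    t.add(Binding("11-22-33-44-55-66", "192.168.0.99", 0, "Static", 1, "Eth 1/5"))
    t.add(Binding("aa-bb-cc-dd-ee-01", "192.168.0.50", 86400, "Dynamic", 1, "Eth 1/2"))  # constructed
    return t


if __name__ == "__main__":
    t = sample_table()
    print(ip_source_guard_forwards(t, "sip-mac", "11-22-33-44-55-66", "192.168.0.99", 1, "Eth 1/5"))
    print(dhcp_client_release_forwarded(t, "aa-bb-cc-dd-ee-02", "192.168.0.50", 1, "Eth 1/2"))
```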
COMMAND USAGE
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
EXAMPLE
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.
CHAPTER 24 | General Security Measures ARP Inspection
EXAMPLE
Console#show ip source-guard binding
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
Console#
ARP INSPECTION
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
Table 84: ARP Inspection Commands (Continued)
Command | Function | Mode
show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons | PE
show ip arp inspection vlan | Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is completed | PE
ip arp inspection
This command enables ARP Inspection glo
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
SYNTAX
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID. (Range: 1-4093)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
SYNTAX
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message.
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
SYNTAX
ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses.
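The following is an added example, not part of the guide or the switch software: it parses constructed Ethernet/ARP frames and applies the dst-mac check exactly as described above (Ethernet destination against ARP target MAC, responses only). The src-mac check is included on the assumption that it mirrors dst-mac (Ethernet source against ARP sender MAC, requests and responses); the ip keyword is not modelled because its description is not on this page.

```python
# Added example (not from the switch's own software): the dst-mac and
# src-mac consistency checks of "ip arp inspection validate" applied to
# constructed frames. The src-mac semantics are an assumption.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_dst": dst, "eth_src": src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def validate(frame: bytes, dst_mac: bool = False, src_mac: bool = False) -> list:
    """Return the names of the enabled checks that FAIL (empty list = pass)."""
    arp = parse_arp_frame(frame)
    failures = []
    # dst-mac: ARP responses only, Ethernet destination vs ARP target MAC
    if dst_mac and arp["op"] == ARP_REPLY and arp["eth_dst"] != arp["tha"]:
        failures.append("dst-mac")
    # src-mac (assumed): requests and responses, Ethernet source vs ARP sender MAC
    if src_mac and arp["eth_src"] != arp["sha"]:
        failures.append("src-mac")
    return failures


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Constructed frame; MACs as 6-byte strings, IPs as 4-byte strings."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return eth + arp


# Constructed sample addresses (not from the page)
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
MAC_X = bytes.fromhex("deadbeef0001")
IP_A, IP_B = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])

# Consistent reply from A to B: both checks pass
GOOD_REPLY = build_arp_frame(MAC_B, MAC_A, ARP_REPLY, MAC_A, IP_A, MAC_B, IP_B)
# Reply whose ARP sender MAC does not match the Ethernet source: src-mac fails
BAD_SRC_REPLY = build_arp_frame(MAC_B, MAC_A, ARP_REPLY, MAC_X, IP_A, MAC_B, IP_B)

if __name__ == "__main__":
    print("good reply:", validate(GOOD_REPLY, dst_mac=True, src_mac=True))
    print("bad src reply:", validate(BAD_SRC_REPLY, dst_mac=True, src_mac=True))
```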
DEFAULT SETTING
Disabled on all VLANs
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
COMMAND MODE
Interface Configuration (Port)
COMMAND USAGE
◆ This command only applies to untrusted ports.
◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection limit 150
Console(config-if)#
ip arp inspection trust
This command sets a port as trusted, and thus exempted from ARP Inspection.
show ip arp inspection
This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address  Dst IP Address
--- ---- ---- --------------- ---------------
1   1    11   192.168.2.2     192.168.2.
Console#
CHAPTER 24 | General Security Measures Denial of Service Protection
EXAMPLE
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status       ACL Name             ACL Status
-------- ---------------- -------------------- --------------------
1        disabled         sales                static
Console#
DENIAL OF SERVICE PROTECTION
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
EXAMPLE
Console(config)#flow tcp-udp-port-zero forward
Console(config)#
25 ACCESS CONTROL LISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
CHAPTER 25 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX [no] access-list ip {standard | extended} acl-name standard – Specifies an ACL that filters packets based on the source IP address. extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. acl-name – Name of the ACL.
CHAPTER 25 | Access Control Lists IPv4 ACLs permit, deny, redirect-to (Standard IP ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX {permit | deny | redirect-to interface} {any | source bitmask | host source} [time-range time-range-name] no {permit | deny | redirect-to interface} {any | source bitmask | host source} interface ethernet unit/port unit - Unit identifier.
CHAPTER 25 | Access Control Lists IPv4 ACLs RELATED COMMANDS access-list ip (712) Time Range (572) permit, deny, redirect-to (Extended IPv4 ACL) This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
CHAPTER 25 | Access Control Lists IPv4 ACLs host – Keyword followed by a specific IP address. precedence – IP precedence level. (Range: 0-7) tos – Type of Service level. (Range: 0-15) dscp – DSCP priority level. (Range: 0-63) sport – Protocol source port number. (Range: 0-65535) dport – Protocol destination port number. (Range: 0-65535) port-bitmask – Decimal number representing the port bits to match.
CHAPTER 25 | Access Control Lists IPv4 ACLs For example, use the code value and mask below to catch packets with the following flags set (the mask selects which TCP flag bits are compared, the code value gives the required state of those bits):
■ SYN flag valid, use "control-code 2 2"
■ Both SYN and ACK valid, use "control-code 18 18"
■ SYN valid and ACK invalid, use "control-code 2 18"
◆ Due to an ASIC limitation, the switch only checks the leftmost six priority bits.
CHAPTER 25 | Access Control Lists IPv4 ACLs ip access-group This command binds an IPv4 ACL to a port. Use the no form to remove the ACL binding from the port. SYNTAX ip access-group acl-name in [time-range time-range-name] no ip access-group acl-name in acl-name – Name of the ACL. (Maximum length: 16 characters) in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range.
CHAPTER 25 | Access Control Lists MAC ACLs show ip access-list This command displays the rules for configured IPv4 ACLs. SYNTAX show ip access-list {standard | extended} [acl-name] standard – Specifies a standard IP ACL. extended – Specifies an extended IP ACL. acl-name – Name of the ACL. (Maximum length: 16 characters) COMMAND MODE Privileged Exec EXAMPLE Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.
CHAPTER 25 | Access Control Lists MAC ACLs access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. SYNTAX [no] access-list mac acl-name acl-name – Name of the ACL.
CHAPTER 25 | Access Control Lists MAC ACLs NOTE: The default is for Ethernet II packets.
CHAPTER 25 | Access Control Lists MAC ACLs host – A specific MAC address. source – Source MAC address. destination – Destination MAC address range with bitmask. address-bitmask – Bitmask for MAC address (in hexadecimal format). vid – VLAN ID. (Range: 1-4095) vid-bitmask – VLAN bitmask. (Range: 1-4095) protocol – A specific Ethernet protocol number. (Range: 600-ffff hex.) protocol-bitmask – Protocol bitmask. (Range: 600-ffff hex.) time-range-name - Name of the time range.
CHAPTER 25 | Access Control Lists MAC ACLs mac access-group This command binds a MAC ACL to a port. Use the no form to remove the ACL binding from the port. SYNTAX mac access-group acl-name in [time-range time-range-name] acl-name – Name of the ACL. (Maximum length: 16 characters) in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range.
CHAPTER 25 | Access Control Lists ARP ACLs show mac access-list This command displays the rules for configured MAC ACLs. SYNTAX show mac access-list [acl-name] acl-name – Name of the ACL.
CHAPTER 25 | Access Control Lists ARP ACLs COMMAND MODE Global Configuration COMMAND USAGE ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. ◆ An ACL can contain up to 128 rules.
CHAPTER 25 | Access Control Lists ARP ACLs destination-mac – Destination MAC address range with bitmask. mac-address-bitmask – Bitmask for MAC address (in hexadecimal format). log - Logs a packet when it matches the access control entry. DEFAULT SETTING None COMMAND MODE ARP ACL COMMAND USAGE New rules are added to the end of the list. EXAMPLE This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
CHAPTER 25 | Access Control Lists ACL Information ACL INFORMATION This section describes commands used to display ACL information.
Table 91: ACL Information Commands
Command            Function                               Mode
show access-group  Shows the ACLs assigned to each port   PE
show access-list   Shows all ACLs and associated rules    PE
show access-group This command shows the port assignments of ACLs.
CHAPTER 25 | Access Control Lists ACL Information EXAMPLE Console#show access-list IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 IP extended access-list bob: permit 10.7.1.1 255.255.255.0 any permit 192.168.1.0 255.255.255.0 any destination-port 80 80 permit 192.168.1.0 255.255.255.
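The control-code rules described earlier in this chapter and the bitmask semantics of the standard and extended lists in the output above, modelled in Python as an added example. This is not code from the guide or from the switch firmware. The lists named david and bob are taken from the show access-list output; the bitmask semantics (a set bit means "compare this bit"), first-match evaluation in rule order, and the absence of any implicit action when no rule matches are assumptions, and the Rule, Packet and host helpers are hypothetical names introduced for the model.

```python
"""Model of the IPv4 ACL matching semantics described in this chapter.

Added example; not switch firmware and not code from the guide. It assumes,
per the option descriptions on this page, that an address or port bitmask
selects the bits that are compared (1 = compare, 0 = ignore) and that a TCP
control-code rule compares the flag bits selected by the mask with the same
bits of the code value. First-match evaluation in rule order is assumed as
well; verify it on the switch before relying on it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# TCP control-code bit values used by the control-code option
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def control_code_matches(flags: int, code: int, mask: int) -> bool:
    """True when every flag bit selected by mask has the state given by code."""
    return (flags & mask) == (code & mask)


def ip_matches(addr: str, rule_addr: str, bitmask: str) -> bool:
    """Bitmask compare: only the bits set in bitmask must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(bitmask))
    return (a & m) == (r & m)


def port_matches(port: int, rule_port: Optional[int], bitmask: int) -> bool:
    if rule_port is None:          # the rule carries no port condition
        return True
    return (port & bitmask) == (rule_port & bitmask)


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0"           # "any" is 0.0.0.0 with bitmask 0.0.0.0
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dport: Optional[int] = None    # destination-port value and bitmask
    dport_mask: int = 0
    code: Optional[int] = None     # control-code value and bitmask
    code_mask: int = 0


@dataclass
class Packet:                      # constructed test input, not a real frame
    src: str
    dst: str = "0.0.0.0"
    dport: int = 0
    flags: int = 0


def host(addr: str):
    """The 'host' keyword: compare all 32 address bits."""
    return addr, "255.255.255.255"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_matches(pkt.src, rule.src, rule.src_mask)
            and ip_matches(pkt.dst, rule.dst, rule.dst_mask)
            and port_matches(pkt.dport, rule.dport, rule.dport_mask)
            and (rule.code is None
                 or control_code_matches(pkt.flags, rule.code, rule.code_mask)))


def evaluate(acl: List[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# The lists "david" and "bob" from the show access-list output on this page
DAVID = [
    Rule("permit", *host("10.1.1.21")),
    Rule("permit", "168.92.0.0", "255.255.15.0"),
]
BOB = [
    Rule("permit", "10.7.1.1", "255.255.255.0"),
    Rule("permit", "192.168.1.0", "255.255.255.0", dport=80, dport_mask=80),
]
```

Two consequences of bitmask matching that the output above does not spell out: 168.92.16.9 matches "permit 168.92.0.0 255.255.15.0" while 168.92.5.7 does not, because the mask compares only the bits that are set, not a prefix; and "destination-port 80 80" also matches port 81 (both have bits 6 and 4 set), so use bitmask 65535 when one exact port is intended.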
26 INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
CHAPTER 26 | Interface Commands Interface Configuration
Table 92: Interface Commands (Continued)
Command          Function                                             Mode
Power Savings
power-save       Enables power savings mode on the specified port     IC
show power-save  Shows the configuration settings for power savings   PE
* Enabling hardware-level storm control with this command on a port will disable software-level automatic storm control on the same port if configured by the auto-traffic-control command (page 777).
CHAPTER 26 | Interface Commands Interface Configuration alias This command configures an alias name for the interface. Use the no form to remove the alias name. SYNTAX alias string no alias string - A mnemonic name to help you remember what is attached to this interface. (Range: 1-64 characters) DEFAULT SETTING None COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The alias is displayed in the running-configuration file.
CHAPTER 26 | Interface Commands Interface Configuration DEFAULT SETTING 100BASE-FX: 100full (SFP) 100BASE-TX: 10half, 10full, 100half, 100full 1000BASE-T: 10half, 10full, 100half, 100full, 1000full 1000BASE-SX/LX/LH (SFP): 1000full COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ The 1000BASE-T standard does not support forced mode. Autonegotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
CHAPTER 26 | Interface Commands Interface Configuration COMMAND USAGE The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name. EXAMPLE The following example adds a description to port 4.
CHAPTER 26 | Interface Commands Interface Configuration EXAMPLE The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# RELATED COMMANDS negotiation (735) capabilities (flowcontrol, symmetric) (731) giga-phy-mode This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports. Use the no form to restore the default mode.
CHAPTER 26 | Interface Commands Interface Configuration EXAMPLE This forces the switch port to master mode on port 24.
Console(config)#interface ethernet 1/24
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 1000full
Console(config-if)#giga-phy-mode master
Console(config-if)#
negotiation This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation.
CHAPTER 26 | Interface Commands Interface Configuration shutdown This command disables an interface. To restart a disabled interface, use the no form. SYNTAX [no] shutdown DEFAULT SETTING All interfaces are enabled. COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved.
CHAPTER 26 | Interface Commands Interface Configuration COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ The 1000BASE-T standard does not support forced mode. Autonegotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
CHAPTER 26 | Interface Commands Interface Configuration Multicast Storm Control: Disabled Unknown Unicast Storm Control: Disabled COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
CHAPTER 26 | Interface Commands Interface Configuration clear counters This command clears statistics on an interface. SYNTAX clear counters interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26) port-channel channel-id (Range: 1-12) DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.
CHAPTER 26 | Interface Commands Interface Configuration show interfaces This command displays interface statistics. counters SYNTAX show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26) port-channel channel-id (Range: 1-12) DEFAULT SETTING Shows the counters for all interfaces. COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE If no interface is specified, information on all interfaces is displayed.
CHAPTER 26 | Interface Commands Interface Configuration
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 Octets
9187 Packet Size 1024 to 1518 Octets
===== Port Utilization (recent 300 seconds) =====
0 Octe
CHAPTER 26 | Interface Commands Interface Configuration EXAMPLE
Console#show interfaces status ethernet 1/25
Information of Eth 1/25
Port Type : 1000T
MAC Address : B4-0E-DC-34-E6-3D
Configuration:
Name :
Port Admin : Up
Speed-Duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Flow Control : Disabled
VLAN Trunking : Disabled
LACP : Disabled
Port Security : Disabled
Max MAC Count : 0
Port Security Action : None
Media Type (Combo Forced Mode) : None
Giga PHY Mode : Master
Current Status:
CHAPTER 26 | Interface Commands Interface Configuration EXAMPLE This example shows the configuration setting for port 25.
CHAPTER 26 | Interface Commands Interface Configuration
Table 93: show interfaces switchport - display description (Continued)
Field               Description
802.1Q-tunnel Mode  Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink (page 838).
802.1Q-tunnel TPID  Shows the Tag Protocol Identifier used for learning and switching packets (page 839).
CHAPTER 26 | Interface Commands Cable Diagnostics
Length      : Link length supported for OM2 fiber, 550m
              Link length supported for OM1 fiber, 280m
Vendor Name : SMC Networks
Vendor OUI  : 0
Vendor PN   : SMC1GSFP-SX
Vendor Rev  : V1.1
Vendor SN   : V1.1
Date code   : 2009.5.19
Options     :
Console#
Cable Diagnostics test cable-diagnostics This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length.
CHAPTER 26 | Interface Commands Cable Diagnostics ◆ Ports are linked down while running cable diagnostics. ◆ To ensure more accurate measurement of the length to a fault, first disable power-saving mode (using the no power-save command) on the link partner before running cable diagnostics.
CHAPTER 26 | Interface Commands Power Savings Power Savings power-save This command enables power savings mode on the specified port. SYNTAX [no] power-save COMMAND MODE Interface Configuration (Ethernet, Ports 25-26) COMMAND USAGE ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
CHAPTER 26 | Interface Commands Power Savings EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#power-save Console(config-if)# show power-save This command shows the configuration settings for power savings. SYNTAX show power-save [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
27 LINK AGGREGATION COMMANDS Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks.
CHAPTER 27 | Link Aggregation Commands Manual Configuration Commands ◆ Any of the Fast Ethernet ports on the front panel can be trunked together, including ports of different media types. ◆ Any of the Gigabit Ethernet ports on the front panel can be trunked together, including ports of different media types. ◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
CHAPTER 27 | Link Aggregation Commands Dynamic Configuration Commands EXAMPLE The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
CHAPTER 27 | Link Aggregation Commands Dynamic Configuration Commands
Console#show interfaces status port-channel 1
Information of Trunk 1
Port Type : 100TX
MAC Address : B4-0E-DC-39-F4-4D
Configuration:
Name :
Port Admin : Up
Speed-Duplex : Auto
Capabilities : 10half, 10full, 100half, 100full
Flow Control : Disabled
VLAN Trunking : Disabled
Port Security : Disabled
Max MAC Count : 0
Port Security Action : None
Media Type (Combo Forced Mode) : None
Giga PHY Mode : Master
Current Status:
Created By : LACP L
CHAPTER 27 | Link Aggregation Commands Dynamic Configuration Commands ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state. EXAMPLE Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor admin-key 120 Console(config-if)# lacp port-priority This command configures LACP port priority.
CHAPTER 27 | Link Aggregation Commands Dynamic Configuration Commands EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor port-priority 128
lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
CHAPTER 27 | Link Aggregation Commands Dynamic Configuration Commands lacp admin-key This command configures a port channel's LACP administration key string. (Port Channel) Use the no form to restore the default setting. SYNTAX lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
CHAPTER 27 | Link Aggregation Commands Trunk Status Display Commands Trunk Status Display Commands show lacp This command displays LACP information. SYNTAX show lacp [port-channel] {counters | internal | neighbors | sys-id} port-channel - Local identifier for a link aggregation group. (Range: 1-12) counters - Statistics for LACP protocol messages. internal - Configuration settings and operational state for local side. neighbors - Configuration settings and operational state for remote side.
CHAPTER 27 | Link Aggregation Commands Trunk Status Display Commands Table 95: show lacp counters - display description (Continued) Field Description LACPDUs Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
CHAPTER 27 | Link Aggregation Commands Trunk Status Display Commands Table 96: show lacp internal - display description (Continued) Field Description LACP Port Priority LACP port priority assigned to this interface within the channel group. Admin State, Oper State ◆ Expired – The actor’s receive machine is in the expired state; ◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
CHAPTER 27 | Link Aggregation Commands Trunk Status Display Commands Table 97: show lacp neighbors - display description (Continued) Field Description Port Oper Priority Priority value assigned to this aggregation port by the partner. Admin Key Current administrative value of the Key for the protocol partner. Oper Key Current operational value of the Key for the protocol partner. Admin State Administrative values of the partner’s state parameters. (See preceding table.
28 PORT MIRRORING COMMANDS Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
CHAPTER 28 | Port Mirroring Commands Local Port Mirroring Commands tx - Mirror transmitted packets. both - Mirror both received and transmitted packets. vlan-id - VLAN ID (Range: 1-4093) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. DEFAULT SETTING ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets. ◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.
CHAPTER 28 | Port Mirroring Commands Local Port Mirroring Commands EXAMPLE The following example configures the switch to mirror all packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 both Console(config-if)# show port monitor This command displays mirror information. SYNTAX show port monitor [interface | vlan vlan-id | mac-address mac-address] interface - ethernet unit/port (source port) unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 28 | Port Mirroring Commands RSPAN Mirroring Commands RSPAN MIRRORING COMMANDS Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.
CHAPTER 28 | Port Mirroring Commands RSPAN Mirroring Commands ◆ Local/Remote Mirror – The destination of a local mirror session (created with the port monitor command) cannot be used as the destination for RSPAN traffic. Only two mirror sessions are allowed. Both sessions can be allocated to remote mirroring, unless local mirroring is enabled (which is limited to a single session). ◆ Spanning Tree – If the spanning tree is disabled, BPDUs will not be flooded onto the RSPAN VLAN.
CHAPTER 28 | Port Mirroring Commands RSPAN Mirroring Commands both - Mirror both received and transmitted packets. DEFAULT SETTING Both TX and RX traffic is mirrored COMMAND MODE Global Configuration COMMAND USAGE ◆ One or more source ports can be assigned to the same RSPAN session, either on the same switch or on different switches. ◆ Only ports can be configured as an RSPAN source – static and dynamic trunks are not allowed.
CHAPTER 28 | Port Mirroring Commands RSPAN Mirroring Commands COMMAND MODE Global Configuration COMMAND USAGE ◆ Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN destination port – access ports are not allowed (see switchport mode).
CHAPTER 28 | Port Mirroring Commands RSPAN Mirroring Commands destination - Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session. uplink - A port configured to receive or transmit remotely mirrored traffic. interface - ethernet unit/port ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26) DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE ◆ Only 802.1Q trunk or hybrid (i.e.
CHAPTER 28 | Port Mirroring Commands RSPAN Mirroring Commands COMMAND MODE Global Configuration COMMAND USAGE The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database (see the vlan command). EXAMPLE
Console(config)#no rspan session 1
Console(config)#
show rspan Use this command to display the configuration settings for an RSPAN session. SYNTAX show rspan session [session-id] session-id – A number identifying this RSPAN session.
29 RATE LIMIT COMMANDS This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity.
CHAPTER 29 | Rate Limit Commands actually be 100 Kbps, or 1/5 of the 500 Kbps limit set by the storm control command. It is therefore not advisable to use both of these commands on the same interface. ◆ See the description of effective rate limiting in the Command Usage under "Rate Limiting" on page 227. NOTE: Due to a chip limitation, the switch supports only one limit for both ingress rate limiting and storm control (including broadcast, unknown unicast, and multicast storms).
30 AUTOMATIC TRAFFIC CONTROL COMMANDS Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
CHAPTER 30 | Automatic Traffic Control Commands
Table 103: ATC Commands (Continued)
Command                                                    Function                                                                                                                          Mode
snmp-server enable port-traps atc multicast-control-apply    Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires          IC (Port)
snmp-server enable port-traps atc multicast-control-release  Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires  I
CHAPTER 30 | Automatic Traffic Control Commands ◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged. Note that if the control action has shut down a port, it can only be manually re-enabled using the auto-traffic-control control-release command. ◆ The traffic control response of rate limiting can be released automatically or manually.
CHAPTER 30 | Automatic Traffic Control Commands Threshold Commands Threshold Commands auto-traffic-control apply-timer This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting. SYNTAX auto-traffic-control {broadcast | multicast} apply-timer seconds no auto-traffic-control {broadcast | multicast} apply-timer broadcast - Specifies automatic storm control for broadcast traffic.
CHAPTER 30 | Automatic Traffic Control Commands Threshold Commands seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 1-900 seconds) DEFAULT SETTING 900 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the delay after which the control response can be terminated.
CHAPTER 30 | Automatic Traffic Control Commands Threshold Commands EXAMPLE This example enables automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast
Console(config-if)#
auto-traffic-control action This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting.
CHAPTER 30 | Automatic Traffic Control Commands Threshold Commands EXAMPLE This example sets the control response for broadcast traffic on port 1.
CHAPTER 30 | Automatic Traffic Control Commands Threshold Commands EXAMPLE This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
Console(config-if)#
auto-traffic-control alarm-fire-threshold This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires.
CHAPTER 30 | Automatic Traffic Control Commands Threshold Commands auto-traffic-control auto-control-release This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired. SYNTAX auto-traffic-control {broadcast | multicast} auto-control-release broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
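The ATC response sequence this chapter describes (alarm fire, apply timer, control action, alarm clear, release timer, automatic or manual release) as a discrete-time model in Python. This is an added illustration, not code from the guide or the switch firmware. The AtcConfig, AtcPort and simulate names are hypothetical; the apply-timer default in the model is a constructed value, and the exact way the switch counts the timers when the rate hovers between the two thresholds is assumed, so treat the model as a way to reason about the settings rather than as a statement of the firmware's behaviour.

```python
"""Discrete-time model of the Automatic Traffic Control (ATC) response
described in this chapter. Added illustration; not switch firmware and not
code from the guide. One tick is one second of observed ingress rate (Kpps)
for one traffic type (broadcast or multicast) on one port.
Assumed simplifications: the apply timer counts while the rate stays above
the fire threshold, the release timer counts while the rate stays below the
clear threshold, and a rate between the two thresholds leaves the current
timer unchanged. The apply-timer default is a constructed value.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AtcConfig:
    fire_threshold: int = 128      # Kpps, auto-traffic-control alarm-fire-threshold
    clear_threshold: int = 128     # Kpps, auto-traffic-control alarm-clear-threshold
    apply_timer: int = 300         # seconds, constructed default for the model
    release_timer: int = 900       # seconds, default stated on this page
    action: str = "rate-control"   # auto-traffic-control action: rate-control | shutdown
    auto_release: bool = False     # auto-traffic-control auto-control-release


@dataclass
class AtcPort:
    cfg: AtcConfig
    state: str = "normal"          # normal | alarm | controlled | shutdown
    timer: int = 0
    log: List[str] = field(default_factory=list)

    def tick(self, rate: int) -> List[str]:
        """Advance one second at the given ingress rate; return trap names."""
        cfg, events = self.cfg, []
        if self.state == "normal":
            if rate > cfg.fire_threshold:
                self.state, self.timer = "alarm", 0
                events.append("alarm-fire")
        elif self.state == "alarm":
            if rate < cfg.clear_threshold:        # storm subsided before apply
                self.state, self.timer = "normal", 0
                events.append("alarm-clear")
            elif rate > cfg.fire_threshold:
                self.timer += 1
                if self.timer >= cfg.apply_timer:
                    events.append("control-apply")
                    self.state = "shutdown" if cfg.action == "shutdown" else "controlled"
                    self.timer = 0
        elif self.state == "controlled":
            if rate < cfg.clear_threshold:
                self.timer += 1
                if self.timer == 1:
                    events.append("alarm-clear")
                if cfg.auto_release and self.timer >= cfg.release_timer:
                    self.state, self.timer = "normal", 0
                    events.append("control-release")
            elif rate > cfg.fire_threshold:
                self.timer = 0                    # storm resumed; release timer restarts
        # "shutdown": the port stays down until control_release() is called
        self.log.extend(events)
        return events

    def control_release(self) -> bool:
        """Manual release (auto-traffic-control control-release); the only way
        back from a shutdown response, per this chapter."""
        if self.state in ("controlled", "shutdown"):
            self.state, self.timer = "normal", 0
            self.log.append("control-release")
            return True
        return False


def simulate(cfg: AtcConfig, rates: List[int]):
    """Feed a constructed per-second rate series through one port."""
    port = AtcPort(cfg)
    for r in rates:
        port.tick(r)
    return port.log, port.state
```

The two scenarios worth trying are a rate-control response with auto-control-release enabled, which returns to normal on its own once traffic has stayed under the clear threshold for the release timer, and a shutdown response, which stays in shutdown regardless of auto-control-release until control_release() is called; with the default release timer of 900 seconds, a rate-limited port takes fifteen minutes of quiet before it is released automatically.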
CHAPTER 30 | Automatic Traffic Control Commands SNMP Trap Commands EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast control-release interface ethernet 1/1
Console(config-if)#
SNMP Trap Commands snmp-server enable port-traps atc broadcast-alarm-clear This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
CHAPTER 30 | Automatic Traffic Control Commands SNMP Trap Commands EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-fire
Console(config-if)#
RELATED COMMANDS auto-traffic-control alarm-fire-threshold (780) snmp-server enable port-traps atc broadcast-control-apply This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
CHAPTER 30 | Automatic Traffic Control Commands SNMP Trap Commands EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-release
Console(config-if)#
RELATED COMMANDS auto-traffic-control alarm-clear-threshold (779) auto-traffic-control action (778) auto-traffic-control release-timer (776) snmp-server enable port-traps atc multicast-alarm-clear This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has bee
CHAPTER 30 | Automatic Traffic Control Commands SNMP Trap Commands EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-fire
Console(config-if)#
RELATED COMMANDS auto-traffic-control alarm-fire-threshold (780) snmp-server enable port-traps atc multicast-control-apply This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
CHAPTER 30 | Automatic Traffic Control Commands ATC Display Commands EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-release
Console(config-if)#
RELATED COMMANDS auto-traffic-control alarm-clear-threshold (779) auto-traffic-control action (778) auto-traffic-control release-timer (776) ATC Display Commands show auto-traffic-control This command shows global configuration settings for automatic storm control.
CHAPTER 30 | Automatic Traffic Control Commands ATC Display Commands EXAMPLE
Console#show auto-traffic-control interface ethernet 1/1
Eth 1/1 Information
------------------------------------------------------------------------
Storm Control:                Broadcast     Multicast
State:                        Disabled      Disabled
Action:                       rate-control  rate-control
Auto Release Control:         Disabled      Disabled
Alarm Fire Threshold(Kpps):   128           128
Alarm Clear Threshold(Kpps):  128           128
Trap Storm Fire:              Disabled      Disabled
Trap Storm Clear:             Disabled      Disabled
Trap Traf
31 ADDRESS TABLE COMMANDS These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
CHAPTER 31 | Address Table Commands EXAMPLE
Console(config)#mac-address-table aging-time 100
Console(config)#
mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. SYNTAX mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 31 | Address Table Commands EXAMPLE
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
clear mac-address-table dynamic This command removes any learned entries from the forwarding database. DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE
Console#clear mac-address-table dynamic
Console#
show mac-address-table This command shows classes of entries in the bridge-forwarding database.
CHAPTER 31 | Address Table Commands COMMAND USAGE ◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
■ Learn - Dynamic address entries
■ Config - Static entry
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
SYNTAX
show mac-address-table count interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
32 SPANNING TREE COMMANDS This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
CHAPTER 32 | Spanning Tree Commands
Table 105: Spanning Tree Commands (Continued)
Command                                   Function                                                        Mode
spanning-tree loopback-detection trap     Enables BPDU loopback SNMP trap notification for a port         IC
spanning-tree mst cost                    Configures the path cost of an instance in the MST              IC
spanning-tree mst port-priority           Configures the priority of an instance in the MST               IC
spanning-tree port-priority               Configures the spanning tree priority of an interface           IC
spanning-tree root-guard                  Prevents a designated po
EXAMPLE
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#

spanning-tree cisco-prestandard
This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
COMMAND USAGE
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
SYNTAX
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Spanning Tree Protocol: This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
SYNTAX
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
short - Specifies 16-bit based values that range from 1-65535.
COMMAND MODE
Global Configuration
COMMAND USAGE
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
COMMAND MODE
Global Configuration
COMMAND USAGE
This command limits the maximum transmission rate for BPDUs.
EXAMPLE
Console(config)#spanning-tree transmission-limit 4
Console(config)#

max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
SYNTAX
max-hops hop-number
hop-number - Maximum hop number for multiple spanning tree.
mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.
SYNTAX
mst instance-id priority priority
no mst instance-id priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority of a spanning tree instance.
COMMAND MODE
MST Configuration
COMMAND USAGE
◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
EXAMPLE
Console(config-mstp)#name R&D
Console(config-mstp)#
RELATED COMMANDS
revision (806)

revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
SYNTAX
revision number
number - Revision number of the spanning tree.
COMMAND USAGE
◆ This command filters all Bridge Protocol Data Units (BPDUs) that would otherwise be transmitted on an interface to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs.
EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-guard
Console(config-if)#
RELATED COMMANDS
spanning-tree edge-port (809)
spanning-tree spanning-disabled (816)

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
COMMAND USAGE
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 801) is set to short, the maximum value for path cost is 65,535.
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
SYNTAX
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
COMMAND USAGE
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
SYNTAX
spanning-tree loopback-detection release-mode {auto | manual}
no spanning-tree loopback-detection release-mode
auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify autoconfiguration mode.
◆ Path cost takes precedence over interface priority.
RELATED COMMANDS
spanning-tree mst cost (813)

spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.
SYNTAX
spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
◆ When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period. While in the discarding state, no traffic is forwarded across the port.
spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback-detection.
SYNTAX
spanning-tree loopback-detection release interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
EXAMPLE
Console#spanning-tree protocol-migration eth 1/5
Console#

show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).
SYNTAX
show spanning-tree [interface | mst [instance-id]]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
EXAMPLE
Console#show spanning-tree
Spanning Tree Information
--------------------------------------------------------------
Spanning Tree Mode              : MSTP
Spanning Tree Enabled/Disabled  : Enabled
Instance                        : 0
VLANs Configured                : 1-4093
Priority                        : 32768
Bridge Hello Time (sec.)        : 2
Bridge Max. Age (sec.)          : 20
Bridge Forward Delay (sec.)     : 15
Root Hello Time (sec.)          : 2
Root Max. Age (sec.)            : 20
Root Forward Delay (sec.)       : 15
Max.
show spanning-tree
This command shows the configuration of the multiple spanning tree.
33 VLAN COMMANDS A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
CHAPTER 33 | VLAN Commands GVRP and Bridge Extension Commands
GVRP AND BRIDGE EXTENSION COMMANDS
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.
SYNTAX
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
SYNTAX
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
COMMAND USAGE
GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show bridge-ext
This command shows the configuration for bridge extension commands.
DEFAULT SETTING
Shows all GARP timers.
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP timer status:
 Join Timer:     20 centiseconds
 Leave Timer:    60 centiseconds
 Leaveall Timer: 1000 centiseconds
Console#
RELATED COMMANDS
garp timer (823)

show gvrp
This command shows if GVRP is enabled.
EDITING VLAN GROUPS
Table 110: Commands for Editing VLAN Groups
Command         Function                                                    Mode
vlan database   Enters VLAN database mode to add, change, and delete VLANs  GC
vlan            Configures a VLAN, including VID, name and state            VC

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
SYNTAX
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan]
no vlan vlan-id [name | state]
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4093)
name - Keyword to be followed by the VLAN name.
EXAMPLE
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
EXAMPLE
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
RELATED COMMANDS
shutdown (736)
interface (730)
vlan (828)

switchport acceptable-frame-
This command configures the acceptable frame types for a port. Use the no form to restore the default.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
SYNTAX
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
SYNTAX
[no] switchport ingress-filtering
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ Ingress filtering only affects tagged frames.
the port's default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
DEFAULT SETTING
Access mode, with the PVID set to VLAN 1.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
Access mode is mutually exclusive with VLAN trunking (see the vlan-trunking command). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
EXAMPLE
The following example shows how to set the PVID for port 1 to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport native vlan 3
Console(config-if)#

vlan-trunking
This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature.
interface, then that interface cannot be set to access mode, and vice versa.
◆ To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode).
DEFAULT SETTING
Shows all VLANs.
Configuring IEEE 802.1Q Tunneling
General Configuration Guidelines for QinQ
1. Configure the switch to QinQ mode (dot1q-tunnel system-tunnel-control).
2. Create a SPVLAN (vlan).
3. Configure the QinQ tunnel access port to dot1Q-tunnel access mode (switchport dot1q-tunnel mode).
4. Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
COMMAND USAGE
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
EXAMPLE
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#
RELATED COMMANDS
show dot1q-tunnel (840)
show interfaces switchport (742)

switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
RELATED COMMANDS
show dot1q-tunnel (840)
show interfaces switchport (742)

switchport dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.
SYNTAX
switchport dot1q-tunnel tpid tpid
no switchport dot1q-tunnel tpid
tpid - Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.
show dot1q-tunnel
This command displays information about QinQ tunnel ports.
Configuring Port-based Traffic Segmentation
DEFAULT SETTING
Disabled globally
No segmented port groups are defined.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s).
Ethernet 1/8
Console#

CONFIGURING PROTOCOL-BASED VLANS
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
protocol-vlan protocol-group (Configuring Groups)
This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
SYNTAX
protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
no protocol-vlan protocol-group group-id
group-id - Group identifier of this protocol group. (Range: 1-2147483647)
frame - Frame type used by this protocol.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
EXAMPLE
This shows protocol group 1 configured for IP over Ethernet:
Console#show protocol-vlan protocol-group
Protocol Group ID   Frame Type   Protocol Type
------------------  -----------  -------------
1                   ethernet     08 00
Console#

show interfaces protocol-vlan
This command shows the mapping from protocol groups to VLANs for the selected interfaces.
CONFIGURING IP SUBNET VLANS
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table.
is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
◆ The IP subnet cannot be a broadcast or multicast IP address.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
EXAMPLE
The following example assigns traffic for the subnet 192.168.12.192, mask 255.
CONFIGURING MAC BASED VLANS
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
EXAMPLE
The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
Console(config)#mac-vlan mac-address 00-00-00-11-22-33 vlan 10
Console(config)#

show mac-vlan
This command displays MAC address-to-VLAN assignments.
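The classification order stated for IP subnet VLANs and again for MAC-based VLANs (MAC-based, then IP subnet-based, then protocol-based, then the port PVID) is easy to get wrong when several tables match the same frame. The following is an added illustration, not the switch's own code: it applies that order to an untagged frame and enforces the rule that a subnet entry may not be a broadcast or multicast address. The MAC entry (00-00-00-11-22-33 to VLAN 10), protocol group 1 (ethernet 08 00) and the PVID of 3 are taken from the guide's examples; the subnet 192.168.12.192/26 to VLAN 20 and the group-to-VLAN binding to VLAN 30 are constructed.

```python
"""Untagged-frame VLAN classification in the order the guide states:
MAC-based, then IP subnet-based, then protocol-based, then port PVID.
Added example; the tables and the frames below are constructed."""
import ipaddress


def normalize_mac(mac):
    """Accept 00-00-00-11-22-33 or 00:00:00:11:22:33; return lower-case dashed form."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class VlanClassifier:
    def __init__(self):
        self.mac_vlan = {}        # mac -> vid            (MAC address-to-VLAN table)
        self.subnet_vlan = []     # [(network, vid)]      (IP subnet-to-VLAN table)
        self.protocol_group = {}  # group-id -> (frame_type, ethertype)
        self.port_protocol = {}   # (port, group-id) -> vid (group bound on an interface)
        self.pvid = {}            # port -> PVID           (switchport native vlan)

    def add_mac_vlan(self, mac, vid):
        self.mac_vlan[normalize_mac(mac)] = vid

    def add_subnet_vlan(self, network, vid):
        net = ipaddress.ip_network(network, strict=True)
        # The guide forbids a broadcast or multicast address as the subnet.
        if net.is_multicast or net.network_address == ipaddress.ip_address("255.255.255.255"):
            raise ValueError(f"subnet may not be multicast or broadcast: {network}")
        self.subnet_vlan.append((net, vid))
        # Longest prefix first so the most specific subnet entry wins.
        self.subnet_vlan.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def add_protocol_group(self, group_id, frame_type, ethertype):
        self.protocol_group[group_id] = (frame_type, ethertype)

    def bind_protocol_group(self, port, group_id, vid):
        self.port_protocol[(port, group_id)] = vid

    def classify(self, port, src_mac, ethertype, src_ip=None):
        """Return (vid, reason) for an untagged frame received on `port`."""
        vid = self.mac_vlan.get(normalize_mac(src_mac))
        if vid is not None:
            return vid, "mac-based"
        if src_ip is not None:
            addr = ipaddress.ip_address(src_ip)
            for net, vid in self.subnet_vlan:
                if addr in net:
                    return vid, "ip-subnet-based"
        for (p, gid), vid in self.port_protocol.items():
            if p == port and self.protocol_group.get(gid) == ("ethernet", ethertype):
                return vid, "protocol-based"
        # Nothing matched: fall back to the receiving port's PVID (default VLAN 1).
        return self.pvid.get(port, 1), "port-based (PVID)"


def demo_classifier():
    """Tables populated from the guide's examples plus constructed entries."""
    c = VlanClassifier()
    c.add_mac_vlan("00-00-00-11-22-33", 10)       # mac-vlan example from the guide
    c.add_subnet_vlan("192.168.12.192/26", 20)    # constructed subnet-to-VLAN entry
    c.add_protocol_group(1, "ethernet", 0x0800)   # group 1: IP over Ethernet (08 00)
    c.bind_protocol_group("eth1/1", 1, 30)        # constructed group-to-VLAN binding
    c.pvid["eth1/1"] = 3                          # switchport native vlan 3 (guide)
    return c


if __name__ == "__main__":
    c = demo_classifier()
    # Same IP frame, three different sources: MAC table wins over subnet over protocol.
    print(c.classify("eth1/1", "00:00:00:11:22:33", 0x0800, "192.168.12.200"))
    print(c.classify("eth1/1", "00-11-22-33-44-55", 0x0800, "192.168.12.200"))
    print(c.classify("eth1/1", "00-11-22-33-44-55", 0x0800, "10.0.0.1"))
    print(c.classify("eth1/1", "00-11-22-33-44-55", 0x0806))  # ARP: no group, PVID
```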
Table 118: Voice VLAN Commands (Continued)
Command                        Function                                                   Mode
switchport voice vlan rule     Sets the automatic VoIP traffic detection method for ports IC
switchport voice vlan security Enables Voice VLAN security on ports                       IC
show voice vlan                Displays Voice VLAN settings                               PE

voice vlan
This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
voice vlan aging
This command sets the Voice VLAN ID time out. Use the no form to restore the default.
SYNTAX
voice vlan aging minutes
no voice vlan
minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
DEFAULT SETTING
1440 minutes
COMMAND MODE
Global Configuration
COMMAND USAGE
The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.
voice vlan mac-address
This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.
SYNTAX
voice vlan mac-address mac-address mask mask-address [description description]
no voice vlan mac-address mac-address mask mask-address
mac-address - Defines a MAC address OUI that identifies VoIP devices in the network.
switchport voice vlan
This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
SYNTAX
switchport voice vlan {manual | auto}
no switchport voice vlan
manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
auto - The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
COMMAND MODE
Interface Configuration
COMMAND USAGE
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
EXAMPLE
The following example sets the CoS priority to 5 on port 1.
EXAMPLE
The following example enables the OUI method on port 1 for detecting VoIP traffic.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan rule oui
Console(config-if)#

switchport voice vlan security
This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show voice vlan status
Global Voice VLAN Status
Voice VLAN Status     : Enabled
Voice VLAN ID         : 1234
Voice VLAN aging time : 1440 minutes

Voice VLAN Port Summary
Port     Mode     Security Rule      Priority Remaining Age (minutes)
-------- -------- -------- --------- -------- -----------------------
Eth 1/ 1 Auto     Enabled  OUI       6        100
Eth 1/ 2 Disabled Disabled OUI       6        NA
Eth 1/ 3 Manual   Enabled  OUI       5        100
Eth 1/ 4 Auto     En
34 CLASS OF SERVICE COMMANDS The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
CHAPTER 34 | Class of Service Commands Priority Commands (Layer 2)
queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
response time for software applications assigned a specific priority value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
EXAMPLE
The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3.
Console(config)#queue weight 1 2 3 4
Console(config)#
RELATED COMMANDS
queue mode (858)
show queue weight (861)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
EXAMPLE
The following example shows how to set a default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
RELATED COMMANDS
show interfaces switchport (742)

show queue mode
This command shows the current queue mode.
PRIORITY COMMANDS (LAYER 3 AND 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
DEFAULT SETTING
Table 122: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
         CFI   0      1
CoS  0         (0,0)  (0,0)
     1         (1,0)  (1,0)
     2         (2,0)  (2,0)
     3         (3,0)  (3,0)
     4         (4,0)  (4,0)
     5         (5,0)  (5,0)
     6         (6,0)  (6,0)
     7         (7,0)  (7,0)
COMMAND MODE
Interface Configuration (Port, Static Aggregation)
COMMAND USAGE
◆ The default mapping of CoS to PHB values shown in Table 122 is based on the recommended settings in IEEE 802.
qos map dscp-mutation
This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
SYNTAX
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ... dscp7
phb - Per-hop behavior, or the priority used for this router hop.
map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
◆ Random Early Detection starts dropping yellow and red packets when the buffer fills up to 0x60 packets, and then starts dropping any packets regardless of color when the buffer fills up to 0x80 packets.
◆ The specified mapping applies to all interfaces.
EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#qos map phb-queue 0 from 1 2 3
Console(config-if)#

qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
SYNTAX
qos map trust-mode {dscp | cos}
no qos map trust-mode
dscp - Sets the QoS mapping mode to DSCP.
cos - Sets the QoS mapping mode to CoS.
show qos map cos-dscp
This command shows the ingress CoS/CFI to internal DSCP map.
SYNTAX
show qos map cos-dscp
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show qos map cos-dscp
CoS-DSCP Map.
6 : (7,0) (7,1) (7,0) (7,3)
Console#

show qos map phb-queue
This command shows the internal per-hop behavior to hardware queue map.
SYNTAX
show qos map phb-queue
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show qos map phb-queue
phb-queue map:
phb:   0 1 2 3 4 5 6 7
-------------------------------------------------------
Queue: 1 0 0 1 2 2 3 3
Console#

show qos map
This command shows the QoS mapping mode.
35 QUALITY OF SERVICE COMMANDS
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
CHAPTER 35 | Quality of Service Commands
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
3.
COMMAND USAGE
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 873). The policy map is then bound by a service policy to an interface (page 884). A service policy defines packet classification, service tagging, and bandwidth policing.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
SYNTAX
[no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
dscp - A Differentiated Service Code Point value.
This example creates a class map called "rd-class#2," and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#

This example creates a class map called "rd-class#3," and sets it to match packets marked for VLAN 1.
CHAPTER 35 | Quality of Service Commands COMMAND USAGE ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. ◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command. ◆ Create a Class Map (page 873) before assigning it to a Policy Map.
CHAPTER 35 | Quality of Service Commands ◆ ■ set ip dscp command sets the IP DSCP value in matching packets. (This modifies packet priority in the IP header.) ■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic. Up to 16 classes can be included in a policy map.
CHAPTER 35 | Quality of Service Commands COMMAND MODE Policy Map Class Configuration COMMAND USAGE ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports. ◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes. ◆ Policing is based on a token bucket, where bucket depth (i.e.
CHAPTER 35 | Quality of Service Commands police srtcm-color This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer. SYNTAX [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp} violate action {drop | new-dscp} srtcm-color-blind - Single rate three color meter in color-blind mode.
CHAPTER 35 | Quality of Service Commands ◆ The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE). ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
CHAPTER 35 | Quality of Service Commands EXAMPLE This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets
CHAPTER 35 | Quality of Service Commands violate-action - Action to take when rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, the packet is set red.) drop - Drops packet as required by exceed-action or violate-action. transmit - Transmits without taking any action. new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63) DEFAULT SETTING None COMMAND MODE Policy Map Class Configuration COMMAND USAGE ◆ You can configure up to 16 policers (i.e.
CHAPTER 35 | Quality of Service Commands When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode: ■ ■ ■ If Tp(t)-B < 0, the packet is red, else if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else the packet is green and both Tp and Tc are decremented by B.
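The srTCM described under police srtcm-color and the colour-blind trTCM rules just listed, implemented as an added Python example (not the switch firmware or any code from this guide). Rates are taken in bytes per second and burst sizes in bytes; the police() helper maps green, yellow and red to the conform/exceed/violate actions from the command syntax, and the frame arrivals and the remark DSCP value 0 are constructed.

```python
"""Colour-blind srTCM (RFC 2697) and trTCM (RFC 2698) meters plus the
conform/exceed/violate actions of this chapter's police commands.
Added example, not switch firmware: rates are bytes per second, burst
sizes are bytes, and time is in seconds."""

GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTCM:
    """Single rate three colour meter: CIR feeds bucket C (depth BC) and
    tokens that overflow C spill into bucket E (depth BE)."""

    def __init__(self, cir, bc, be):
        self.cir, self.bc, self.be = cir, bc, be
        self.tc, self.te = bc, be           # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        added = self.cir * (now - self.last)
        self.last = now
        to_c = min(added, self.bc - self.tc)
        self.tc += to_c
        self.te = min(self.be, self.te + added - to_c)

    def meter(self, size, now):
        """Colour a packet of `size` bytes arriving at time `now`."""
        self._refill(now)
        if self.tc - size >= 0:
            self.tc -= size
            return GREEN
        if self.te - size >= 0:
            self.te -= size
            return YELLOW
        return RED                          # red packets consume no tokens


class TrTCM:
    """Two rate three colour meter: bucket P (PIR, depth PBS) and bucket C
    (CIR, depth CBS), coloured by the rules quoted above."""

    def __init__(self, cir, cbs, pir, pbs):
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.tc, self.tp = cbs, pbs
        self.last = 0.0

    def meter(self, size, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        if self.tp - size < 0:              # Tp(t)-B < 0: red
            return RED
        if self.tc - size < 0:              # Tc(t)-B < 0: yellow, Tp -= B
            self.tp -= size
            return YELLOW
        self.tp -= size                     # green: both buckets debited
        self.tc -= size
        return GREEN


def police(meter, packets, exceed_action, violate_action):
    """Apply conform-action transmit, exceed-action and violate-action to
    each (time, size) packet; an action is 'drop' or an int new DSCP."""
    results = []
    for now, size in packets:
        colour = meter.meter(size, now)
        if colour == GREEN:
            action = "transmit"
        elif colour == YELLOW:
            action = exceed_action
        else:
            action = violate_action
        results.append((colour, action))
    return results


def srtcm_demo():
    """Page example: CIR 100,000 Kbps, committed burst 4000 bytes, excess
    burst 6000 bytes; remark to DSCP 0 on exceed, drop on violate.
    Constructed arrivals: seven 1500-byte frames at t=0, one 1 ms later."""
    meter = SrTCM(cir=100_000 * 1000 // 8, bc=4000, be=6000)
    frames = [(0.0, 1500)] * 7 + [(0.001, 1500)]
    return police(meter, frames, exceed_action=0, violate_action="drop")


def trtcm_demo():
    """Constructed trTCM: CIR 1 MB/s, CBS 4000; PIR 2 MB/s, PBS 8000; six
    1500-byte frames at t=0, then one at t=2 ms after a partial refill."""
    meter = TrTCM(cir=1_000_000, cbs=4000, pir=2_000_000, pbs=8000)
    frames = [(0.0, 1500)] * 6 + [(0.002, 1500)]
    return [colour for colour, _ in police(meter, frames, 0, "drop")]


if __name__ == "__main__":
    for colour, action in srtcm_demo():
        print(f"srTCM {colour:6} -> {action}")
    print("trTCM", trtcm_demo())
```

With the buckets starting full, the first two 1500-byte frames fit the 4000-byte committed burst, the next four are absorbed by the 6000-byte excess burst and remarked, the seventh is dropped, and one millisecond of CIR refills both buckets completely.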
COMMAND USAGE
◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets.
◆ The set cos and set phb commands function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command.
EXAMPLE
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set ip dscp command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
EXAMPLE
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
SYNTAX
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)
DEFAULT SETTING
Displays all class maps.
Description:
class rd-class
set phb 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
class rd-class
set phb 3
Console#
show policy-map interface
This command displays the service policy assigned to the specified interface.
SYNTAX
show policy-map interface interface input
interface
unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
36 MULTICAST FILTERING COMMANDS This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
CHAPTER 36 | Multicast Filtering Commands IGMP Snooping
Table 127: IGMP Snooping Commands (Continued)
Command    Function    Mode
ip igmp snooping unregistered-data-flood    Floods unregistered multicast traffic into the attached VLAN    GC
ip igmp snooping unsolicited-report-interval    Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled)    GC
ip igmp snooping version    Configures the IGMP version for snooping    GC
ip igmp snooping version-    Discards r
ip igmp snooping
This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it.
SYNTAX
[no] ip igmp snooping [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4093)
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When IGMP snooping is enabled globally, the per-VLAN interface settings for IGMP snooping take precedence.
COMMAND USAGE
◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DoS attacks.
ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
SYNTAX
[no] ip igmp snooping tcn-flood
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date.
EXAMPLE
The following example enables TCN flooding.
Console(config)#ip igmp snooping tcn-flood
Console(config)#
ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
COMMAND MODE
Global Configuration
COMMAND USAGE
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped; otherwise it is flooded throughout the VLAN.
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
DEFAULT SETTING
Global: Disabled
VLAN: Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
◆ When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command).
ip igmp snooping vlan immediate-leave
This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
COMMAND USAGE
◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific query message, and starts a timer. If no reports are received before the timer expires, the group record is deleted, and a report is sent to the upstream multicast router.
messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.
◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
EXAMPLE
This example disables sending of multicast router solicitation messages on VLAN 1.
Rules Used for Proxy Reporting
When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
◆ This command applies when the switch is serving as the querier (page 890), or as a proxy host when IGMP snooping proxy reporting is enabled (page 889).
EXAMPLE
Console(config)#ip igmp snooping vlan 1 proxy-query-interval 150
Console(config)#
ip igmp snooping vlan query-resp-
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
SYNTAX
[no] ip igmp snooping vlan vlan-id static ip-address interface
vlan-id - VLAN ID (Range: 1-4093)
ip-address - IP address for multicast group
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
EXAMPLE
The following shows the current IGMP snooping configuration:
Console#show ip igmp snooping
IGMP snooping
Router port expire time
Router alert check
Tcn flood
Tcn query solicit
Unregistered data flood
Unsolicited report interval
Version exclusive
Version
Proxy reporting
Querier
Vlan 1:
--------
IGMP snooping
IGMP snooping running status
Version
Version exclusive
Immediate leave
Last member query interval
Last member query count
General query sup
EXAMPLE
The following shows the ports in VLAN 1 which are attached to multicast routers.
Console#show ip igmp snooping mrouter vlan 1
VLAN  M'cast Router Ports  Type
----  -------------------  ------
1     Eth 1/11             Static
Console#
show ip igmp snooping group
This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
STATIC MULTICAST ROUTING
This section describes commands used to configure static multicast routing on the switch.
Table 128: Static Multicast Interface Commands
Command    Function    Mode
ip igmp snooping vlan mrouter    Adds a multicast router port    GC
show ip igmp snooping mrouter    Shows multicast router ports    PE
ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN.
EXAMPLE
The following shows how to configure port 11 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11
Console(config)#
IGMP FILTERING AND THROTTLING
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan.
COMMAND USAGE
◆ IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of, multicast addresses; but only one profile can be assigned to a port. When enabled, IGMP join reports received on the port are checked against the filter profile.
permit, deny
This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
SYNTAX
{permit | deny}
DEFAULT SETTING
Deny
COMMAND MODE
IGMP Profile Configuration
COMMAND USAGE
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
EXAMPLE
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#
ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
SYNTAX
[no] ip igmp filter profile-number
profile-number - An IGMP filter profile number.
DEFAULT SETTING
255
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp max-groups action replace
Console(config-if)#
show ip igmp filter
This command displays the global and interface settings for IGMP filtering.
SYNTAX
show ip igmp filter [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
EXAMPLE
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
Console#show ip igmp profile 19
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.100
Console#
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.
SYNTAX
show ip igmp throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
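The profile check and the throttling actions described in this section, as an added Python model (example code, not the switch's own implementation). Profile 19 and its two ranges come from the page; the join sequence is constructed, and evicting the oldest joined group for action “replace” is an assumption that the guide does not state.

```python
"""IGMP filter profiles (ip igmp profile / permit|deny / range) and port
throttling (ip igmp max-groups ... action deny|replace) modelled as a join
check. Added example, not the switch's own code; the 'replace' rule that
evicts the oldest joined group is an assumption the guide does not spell out."""
import ipaddress
from collections import OrderedDict


class IgmpProfile:
    """One profile number, one access mode, one or more address ranges."""

    def __init__(self, number, mode="deny"):      # default access mode is deny
        if mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self.number, self.mode, self.ranges = number, mode, []

    def range(self, low, high=None):
        """'range 239.1.1.1' covers one address; 'range low high' a span."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high if high is not None else low)
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"invalid multicast range {low}-{high}")
        self.ranges.append((lo, hi))

    def covers(self, group):
        g = ipaddress.IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group):
        """permit: a join is processed only inside the controlled range;
        deny: a join is dropped inside the controlled range."""
        inside = self.covers(group)
        return inside if self.mode == "permit" else not inside


class IgmpPort:
    """Per-port state: at most one filter profile plus a max-groups limit."""

    def __init__(self, name, profile=None, max_groups=255, action="deny"):
        if action not in ("deny", "replace"):
            raise ValueError("throttle action must be deny or replace")
        self.name, self.profile = name, profile
        self.max_groups, self.action = max_groups, action
        self.groups = OrderedDict()             # join order kept for 'replace'

    def join(self, group):
        """Process an IGMP join report and return what the switch did."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                   # dropped by the filter profile
        if group in self.groups:
            self.groups.move_to_end(group)      # refresh existing membership
            return "refreshed"
        if len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"              # new join report dropped
            evicted, _ = self.groups.popitem(last=False)  # assumption: oldest
            self.groups[group] = True
            return f"replaced {evicted}"
        self.groups[group] = True
        return "joined"


JOINS = ("239.2.3.50", "239.1.1.1", "239.5.5.5",
         "239.5.5.6", "239.5.5.5", "239.5.5.7")   # constructed join reports


def demo():
    """Profile 19 from the page (deny 239.1.1.1 and 239.2.3.1-239.2.3.100)
    on a port throttled to two groups with action replace."""
    prof = IgmpProfile(19, "deny")
    prof.range("239.1.1.1")
    prof.range("239.2.3.1", "239.2.3.100")
    port = IgmpPort("eth1/1", profile=prof, max_groups=2, action="replace")
    return [port.join(g) for g in JOINS]


if __name__ == "__main__":
    for g, outcome in zip(JOINS, demo()):
        print(f"{g:12} -> {outcome}")
```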
MULTICAST VLAN REGISTRATION
This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
DEFAULT SETTING
MVR is disabled. No MVR group address is defined. The default number of contiguous addresses is 0. MVR VLAN ID is 1.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message.
◆ Receiver ports can belong to different VLANs, but should not normally be configured as a member of the MVR VLAN. IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see the switchport mode command).
◆ One or more interfaces may be configured as MVR source ports.
COMMAND USAGE
◆ Multicast groups can be statically assigned to a receiver port using this command.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
EXAMPLE
The following shows the global MVR settings:
Console#show mvr
MVR Config Status   : Enabled
MVR Running Status  : Active
MVR Multicast VLAN  : 1
MVR Group Address   : 225.0.0.5
MVR Group Count     : 10
Console#
Table 131: show mvr - display description
Field    Description
MVR Config Status    Shows if MVR is globally enabled on the switch.
The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
Console#show mvr members
MVR Forwarding Entry Count:1
Group Address    Source Address
-------------------------
225.0.0.
37 LLDP COMMANDS Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
CHAPTER 37 | LLDP Commands
Table 134: LLDP Commands (Continued)
Command    Function    Mode
lldp basic-tlv system-name    Configures an LLDP-enabled port to advertise its system name    IC
lldp dot1-tlv proto-ident*    Configures an LLDP-enabled port to advertise the supported protocols    IC
lldp dot1-tlv proto-vid*    Configures an LLDP-enabled port to advertise port related VLAN information    IC
lldp dot1-tlv pvid*    Configures an LLDP-enabled port to advertise its default VLAN ID    IC
lldp dot1-tlv vlan-name*    Configu
lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
SYNTAX
[no] lldp
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#lldp
Console(config)#
lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
SYNTAX
lldp med-fast-start-count packets
packets - Number of packets. (Range: 1-10 packets; Default: 4 packets)
DEFAULT SETTING
4 packets
COMMAND MODE
Global Configuration
COMMAND USAGE
This parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port.
should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
EXAMPLE
Console(config)#lldp notification-interval 30
Console(config)#
lldp refresh-interval
This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
COMMAND USAGE
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
EXAMPLE
Console(config)#lldp reinit-delay 10
Console(config)#
lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
SYNTAX
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
enterprise specific or other starting points for the search, such as the Interface or Entity MIB.
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
SYNTAX
[no] lldp basic-tlv system-capabilities
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled.
lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
SYNTAX
[no] lldp basic-tlv system-name
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature.
SYNTAX
[no] lldp dot1-tlv proto-vid
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 842).
lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
SYNTAX
[no] lldp dot1-tlv vlan-name
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises the name of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 831 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 843.
lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
SYNTAX
[no] lldp dot3-tlv max-frame
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
Refer to "Frame Size" on page 533 for information on configuring the maximum frame size for this switch.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ Use this command without any keywords to advertise location identification details.
◆ Use the ca-type to advertise the physical location of the device, that is the city, street number, building and room information. The address location is specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776.
Console(config-if)#lldp med-location civic-addr 18 Avenue
Console(config-if)#lldp med-location civic-addr 19 320
Console(config-if)#lldp med-location civic-addr 27 5
Console(config-if)#lldp med-location civic-addr 28 509B
Console(config-if)#lldp med-location civic-addr country US
Console(config-if)#lldp med-location civic-addr what 2
Console(config-if)#
lldp med-notification
This command enables the transmission of SNMP trap notifications about LLDP-MED changes.
lldp med-tlv ext-poe
This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature.
lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
SYNTAX
[no] lldp med-tlv location
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises location identification details.
lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
SYNTAX
[no] lldp med-tlv network-policy
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.
◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Console#show lldp config detail ethernet 1/1
LLDP Port Configuration Detail
Port : Eth 1/1
Admin Status : Tx-Rx
Notification Enabled : True
Basic TLVs Advertised:
port-description
system-name
system-description
system-capabilities
management-ip-address
802.1 specific TLVs Advertised:
*port-vid
*vlan-name
*proto-vlan
*proto-ident
802.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show lldp info local-device
LLDP Local System Information
Chassis Type : MAC Address
Chassis ID : 00-01-02-03-04-05
System Name :
System Description : ECS3510-26P Managed FE POE Switch
System Capabilities Support : Bridge
System Capabilities Enabled : Bridge
Management Address : 192.168.0.
COMMAND MODE
Privileged Exec
EXAMPLE
Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field.
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
SYNTAX
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
38 DOMAIN NAME SERVICE COMMANDS
These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain-name-to-IP-address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
CHAPTER 38 | Domain Name Service Commands COMMAND MODE Global Configuration COMMAND USAGE ◆ Domain names are added to the end of the list one at a time. ◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match. ◆ If there is no domain list, the domain name specified with the ip domain-name command is used.
CHAPTER 38 | Domain Name Service Commands ◆ If all name servers are deleted, DNS will automatically be disabled. EXAMPLE This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS Enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.
Name Server List:
Console#
RELATED COMMANDS ip domain-list (945) ip name-server (949) ip domain-lookup (946)

ip host This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.
SYNTAX [no] ip host name address
name - Name of an IPv4 host. (Range: 1-100 characters)
address - Corresponding IPv4 address.

ip name-server This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
SYNTAX [no] ip name-server server-address1 [server-address2 … server-address6]
server-address1 - IPv4 or IPv6 address of domain-name server.
server-address2 … server-address6 - IPv4 or IPv6 address of additional domain-name servers.

ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
SYNTAX [no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-100 characters)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.

clear host This command deletes dynamic entries from the DNS table.
SYNTAX clear host {name | *}
name - Name of the host. (Range: 1-100 characters)
* - Removes all entries.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
COMMAND USAGE Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries.
EXAMPLE This example clears all dynamic entries from the DNS table.

show dns cache This command displays entries in the DNS cache.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show dns cache
No.  Flag  Type   IP Address       TTL  Domain
---  ----  -----  ---------------  ---  ------------------------
3    4     Host   209.131.36.158   115  www-real.wa1.b.yahoo.com
4    4     CNAME  POINTER TO:3     115  www.yahoo.com
5    4     CNAME  POINTER TO:3     115  www.wa1.b.yahoo.com
Console#
Table 137: show dns cache - display description
Field Description
No.

Table 138: show hosts - display description
Field Description
No. The entry number for each resource record.
Flag The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache.
Type This field includes “Address” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
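The cache shown above is worth checking mechanically when name resolution on the switch looks wrong, because a Host entry that has been replaced by an unexpected address silently redirects every CNAME that points at it. The following Python is an added example written for this guide, not code from the Edgecore product: it parses the show dns cache output printed above (reused here as constructed sample input), follows POINTER TO chains to the final address with a loop guard, and separates dynamic (flag 4) from static (flag 2) entries as defined in Table 138. The column layout and the regular expression are assumptions based on that one sample.

```python
"""Parse the switch's 'show dns cache' table and resolve CNAME pointers.

Added example, not code from the Edgecore guide. SAMPLE_CACHE is the
table printed on this page; the row layout assumed by _ROW and the
pointer-following logic are this editor's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the 'show dns cache' output shown on this page.
SAMPLE_CACHE = """\
Console#show dns cache
No.  Flag  Type   IP Address       TTL  Domain
---  ----  -----  ---------------  ---  ------------------------
3    4     Host   209.131.36.158   115  www-real.wa1.b.yahoo.com
4    4     CNAME  POINTER TO:3     115  www.yahoo.com
5    4     CNAME  POINTER TO:3     115  www.wa1.b.yahoo.com
Console#
"""

FLAG_STATIC, FLAG_DYNAMIC = 2, 4   # Flag values documented in Table 138


@dataclass
class CacheEntry:
    number: int
    flag: int
    rtype: str        # "Host" or "CNAME"
    target: str       # IP address, or "POINTER TO:<n>" for a CNAME
    ttl: int
    domain: str

    @property
    def dynamic(self) -> bool:
        return self.flag == FLAG_DYNAMIC


# One data row: No. Flag Type Target TTL Domain (prompt/header lines do not match)
_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(Host|CNAME)\s+(POINTER TO:\d+|\S+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_dns_cache(text: str) -> Dict[int, CacheEntry]:
    """Return entries keyed by the 'No.' column."""
    entries: Dict[int, CacheEntry] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            n, flag, rtype, target, ttl, domain = m.groups()
            entries[int(n)] = CacheEntry(int(n), int(flag), rtype, target, int(ttl), domain)
    return entries


def resolve(entries: Dict[int, CacheEntry], domain: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAME pointers from `domain` to the address of the final Host entry.

    Returns None if the name is not cached, a pointer dangles, or the chain
    exceeds max_hops (guards against a looping cache).
    """
    by_name = {e.domain.lower(): e for e in entries.values()}
    entry = by_name.get(domain.lower())
    for _ in range(max_hops):
        if entry is None:
            return None
        if entry.rtype == "Host":
            return entry.target
        m = re.fullmatch(r"POINTER TO:(\d+)", entry.target)
        entry = entries.get(int(m.group(1))) if m else None
    return None


def dynamic_hosts(entries: Dict[int, CacheEntry]) -> List[str]:
    """Names learned from the network (flag 4) rather than configured with ip host."""
    return sorted(e.domain for e in entries.values() if e.dynamic)
```

Run it against a pasted show dns cache capture and compare dynamic_hosts() and the resolved addresses with what you expect from your own name servers; a static entry (flag 2) that you did not configure is as suspicious as a dynamic one pointing somewhere unexpected.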
39 DHCP COMMANDS
These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client functions.
Table 139: DHCP Commands
Command Group  Function
DHCP Client    Allows interfaces to dynamically acquire IP address information
DHCP CLIENT Use the commands in this section to allow the switch’s VLAN interfaces to dynamically acquire IP address information.
CHAPTER 39 | DHCP Commands DHCP for IPv4
hex - A hexadecimal value. (Range: 1-64 characters)
DEFAULT SETTING Class identifier option enabled, with the name Edge-Core
COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE ◆ Use this command without a keyword to restore the default setting.
◆ The class identifier is carried in the DHCP vendor class option (option 60) of every request the switch broadcasts, so the default value announces the vendor to any DHCP server or listener on the VLAN; set a neutral value if that is not wanted.
CHAPTER 39 | DHCP Commands DHCP for IPv6 ◆ If the BOOTP or DHCP server has been moved to a different domain, the network portion of the address provided to the client will be based on this new domain. EXAMPLE In the following example, the device is reassigned the same address.
specified interface will include the rapid commit option in all solicit messages.
EXAMPLE
Console(config)#ipv6 dhcp client rapid-commit vlan 2
Console(config)#

ipv6 dhcp restart client vlan This command submits a DHCPv6 client request.
SYNTAX ipv6 dhcp restart client vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.

This combination is known as DHCPv6 stateless, in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts, but does assign stateless configuration settings.
◆ DHCPv6 clients build a list of servers by sending a Solicit message and collecting the Advertise messages returned. These servers are then ranked based on their advertised preference value, and a server advertising the maximum preference (255) is selected as soon as its Advertise arrives, so an unauthorized DHCPv6 server on the same link can win this selection.

EXAMPLE
Console#show ipv6 dhcp duid
DHCPv6 Unique Identifier (DUID): 0001-0001-4A8158B4-00E00C0000FD
Console#

show ipv6 dhcp vlan This command shows DHCPv6 information for the specified interface(s).
SYNTAX show ipv6 dhcp vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
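Two points from the DHCPv6 text above can be checked in code: what the value printed by show ipv6 dhcp duid actually encodes, and how the client's preference-based server ranking behaves. The Python below is an added example, not code from the Edgecore guide. It decodes the DUID shown on this page using the RFC 8415 layouts (DUID-LLT: type, hardware type, 32-bit time in seconds since 2000-01-01 UTC, link-layer address; DUID-EN and DUID-LL are handled too) and models the client's choice among Advertise messages, where the highest preference wins and a preference of 255 is accepted as soon as it is seen. The Advertise list is constructed. One observation: against the RFC time base the time field of the page's DUID decodes to 2039-08-11, which is what the test asserts; that date is implausible for a 2019 guide, and the same value read against the Unix epoch gives 2009-08-11, so do not assume a given firmware uses the RFC epoch. The security point is the selection rule: an unauthorized DHCPv6 server on the link that advertises preference 255 beats every legitimate server that does not.

```python
"""DHCPv6 helpers: decode a DUID as printed by 'show ipv6 dhcp duid' and
rank Advertise messages by preference the way a client does.

Added example, not code from the Edgecore guide. The DUID string in the
test is the one printed on this page; the Advertise list is constructed.
Field layout follows RFC 8415 section 11; selection follows the client
rules in RFC 8415 section 18.2.9.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # RFC 8415 time base


@dataclass
class DUID:
    duid_type: int
    hw_type: Optional[int]        # DUID-LLT / DUID-LL only
    time: Optional[int]           # DUID-LLT only: seconds since DUID_EPOCH mod 2**32
    enterprise: Optional[int]     # DUID-EN only
    identifier: bytes             # link-layer address or enterprise identifier

    @property
    def link_layer(self) -> Optional[str]:
        if self.duid_type in (1, 3):
            return ":".join(f"{b:02x}" for b in self.identifier)
        return None

    @property
    def generated_at(self) -> Optional[datetime]:
        """Creation time under the RFC epoch (firmware may use another base)."""
        return None if self.time is None else DUID_EPOCH + timedelta(seconds=self.time)


def parse_duid(text: str) -> DUID:
    """Decode the hyphen-separated hex form the switch prints,
    e.g. 0001-0001-4A8158B4-00E00C0000FD."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) < 2:
        raise ValueError("DUID too short")
    dtype = int.from_bytes(raw[:2], "big")
    if dtype == 1 and len(raw) >= 8:                       # DUID-LLT
        return DUID(1, int.from_bytes(raw[2:4], "big"),
                    int.from_bytes(raw[4:8], "big"), None, raw[8:])
    if dtype == 2 and len(raw) >= 6:                       # DUID-EN
        return DUID(2, None, None, int.from_bytes(raw[2:6], "big"), raw[6:])
    if dtype == 3 and len(raw) >= 4:                       # DUID-LL
        return DUID(3, int.from_bytes(raw[2:4], "big"), None, None, raw[4:])
    raise ValueError(f"unsupported or truncated DUID type {dtype}")


@dataclass
class Advertise:
    server_duid: str
    preference: int     # Preference option value; 0 if the option is absent


def select_server(advertises: List[Advertise]) -> Optional[Advertise]:
    """Pick the server a client would use from the Advertise messages it
    collected, in arrival order: highest preference wins, and a preference
    of 255 ends the collection immediately. A rogue server that sends 255
    therefore beats every legitimate server that does not."""
    best: Optional[Advertise] = None
    for adv in advertises:
        if adv.preference == 255:
            return adv
        if best is None or adv.preference > best.preference:
            best = adv
    return best
```

When inventorying DHCPv6 clients, the link_layer property gives the MAC embedded in LLT and LL DUIDs, which is usually the quickest way to tie a DUID seen on a server to a physical port.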
40 IP INTERFACE COMMANDS An IP Version 4 or Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
CHAPTER 40 | IP Interface Commands IPv4 Interface
BASIC IPV4 CONFIGURATION This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
◆ If bootp or dhcp options are selected, the system will immediately start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP. IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast periodically by the switch in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask). Any DHCP server reachable on those VLANs can answer and thereby set the switch’s management address and gateway, so use these options only where the DHCP infrastructure on the management VLAN is trusted.

EXAMPLE The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.254
Console(config)#
RELATED COMMANDS ip address (962) ipv6 default-gateway (971)

show ip default-gateway This command shows the IPv4 default gateway configured for this device.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
EXAMPLE
Console#show ip redirects
ip default gateway 10.1.0.
show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.

input errors 9897
output
Console#

traceroute This command shows the route packets take to the specified destination.
SYNTAX traceroute host
host - IP address or alias of the host.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
COMMAND USAGE ◆ Use the traceroute command to determine the path taken to reach a specified destination.

EXAMPLE
Console#traceroute 192.168.0.1
Press "ESC" to abort.
Traceroute to 192.168.0.1, 30 hops max, timeout is 3 seconds
Hop  Packet 1  Packet 2  Packet 3  IP Address
---  --------  --------  --------  ---------------
1    20 ms     <10 ms    <10 ms    192.168.0.1
Trace completed.
Console#

ping This command sends (IPv4) ICMP echo request packets to another node on the network.
SYNTAX ping host [count count] [size size]
host - IP address or alias of the host.

If necessary, local devices can also be specified in the DNS static host table (page 948).
EXAMPLE
Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 0 ms
Ping statistics for 10.1.0.
COMMAND USAGE ◆ When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
◆ The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the switch may tie up resources by repeating ARP requests for addresses recently flushed from the table. If it is too long, stale or incorrect entries (including any learned from a spoofed reply) stay in the cache longer; the timeout is not a defense against ARP spoofing, for which the ip arp inspection commands listed in the Command List are the appropriate control on untrusted ports.
EXAMPLE This example sets the ARP cache timeout to 15 minutes (i.e., 900 seconds).
CHAPTER 40 | IP Interface Commands IPv6 Interface
EXAMPLE This example displays all entries in the ARP cache.
Console#show arp
ARP Cache Timeout: 1200 (seconds)
IP Address
---------------
10.1.0.0
10.1.0.254
10.1.0.255
145.30.20.
CHAPTER 40 | IP Interface Commands Interface Address Configuration and Utilities
Table 145: IPv6 Configuration Commands (Continued)
Command               Function                                                          Mode
Neighbor Discovery
clear ipv6 neighbors  Deletes all dynamic entries in the IPv6 neighbor discovery cache  PE
show ipv6 neighbors   Displays information in the IPv6 neighbor discovery cache         PE

Interface Address Configuration and Utilities
ipv6 default-gateway This command sets an IPv6 default gateway to use when the destination is located in a diff
EXAMPLE The following example defines a default gateway for this device:
Console(config)#ipv6 default-gateway FE80::269:3EF9:FE19:6780
Console(config)#
RELATED COMMANDS show ipv6 default-gateway (979) ip default-gateway (963)

ipv6 address This command configures an IPv6 global unicast address and enables IPv6 on an interface.

EXAMPLE This example specifies a full IPv6 address and prefix length.

◆ If a duplicate address is detected, a warning message is sent to the console.
◆ When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration. If the router advertisements have the “other stateful configuration” flag set, the switch may also attempt to acquire other non-address configuration information (such as DNS server addresses; DHCPv6 itself carries no default-gateway option, the gateway comes from router advertisements) when DHCPv6 is restarted.

DEFAULT SETTING No IPv6 addresses are defined
COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE ◆ The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

EXAMPLE This example uses the network prefix of 2001:0DB8:0:1::/64, and specifies that the EUI-64 interface identifier be used in the lower 64 bits of the address.

◆ The address specified with this command replaces a link-local address that was automatically generated for the interface.
◆ You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
◆ If a duplicate address is detected, a warning message is sent to the console.
EXAMPLE This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1.

COMMAND USAGE ◆ This command enables IPv6 on the current VLAN interface and automatically generates a link-local unicast address. The address prefix uses FE80, and the host portion of the address is generated by converting the switch’s MAC address to modified EUI-64 format (see page 974). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
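To see exactly what ipv6 enable and ipv6 address ... eui-64 place in the low 64 bits, here is an added Python example (not code from the Edgecore guide) that converts a MAC address to a modified EUI-64 interface identifier and back. It uses the 2001:0DB8:0:1::/64 prefix from the guide’s own example and, as an assumed input, the MAC address 00-E0-0C-00-00-FD that is embedded in the DUID printed in the DHCPv6 chapter. The reverse function is the practical caveat: an EUI-64 address carries the hardware address in clear, so anyone who sees the address in a log or a packet capture learns the switch’s MAC (RFC 7217 defines stable interface identifiers that avoid this). The addresses in the guide’s examples, such as FE80::269:3EF9:FE19:6779, lack the FF:FE marker and are therefore not EUI-64 derived.

```python
"""Modified EUI-64 interface identifiers, as generated by 'ipv6 enable'
(link-local) and 'ipv6 address <prefix>/64 eui-64' (global) on this switch.

Added example, not code from the Edgecore guide. The MAC address used in
the test is an assumption taken from the DUID shown in the DHCPv6 chapter;
the /64 prefix is the one from the guide's own example.
"""
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """RFC 4291 appendix A: insert FF:FE between the OUI and the device part
    and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 of `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 enable' generates: FE80::/64 plus the modified EUI-64."""
    return address_from_prefix("fe80::/64", mac)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC when the interface identifier carries the FF:FE marker.

    This is the privacy/inventory caveat of EUI-64 addressing: the hardware
    address is readable from the IPv6 address. Returns None for identifiers
    that do not have the marker (manually chosen or RFC 7217 style).
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)
```

Checking a neighbor table or a capture with mac_from_eui64_address() quickly tells you which IPv6 hosts on the VLAN are leaking their hardware addresses in their identifiers.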
DEFAULT SETTING 1500 bytes
COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE ◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented.
◆ All devices on the same physical medium must use the same MTU in order to operate correctly.
◆ IPv6 must be enabled on an interface before the MTU can be set.

show ipv6 interface This command displays the usability and configured settings for IPv6 interfaces.
SYNTAX show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]
brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
vlan-id - VLAN ID (Range: 1-4093)
ipv6-prefix - The IPv6 network portion of the address assigned to the interface.

Table 146: show ipv6 interface - display description (Continued)
Field Description
Link-local address Shows the link-local address assigned to this interface
Global unicast address(es) Shows the global unicast address(es) assigned to this interface
Joined group address(es) In addition to the unicast addresses assigned to an interface, a host is also required to listen to all-nodes multicast addresses FF01::1 (interface-

EXAMPLE The following example shows the MTU cache for this device:
Console#show ipv6 mtu
MTU   Since     Destination Address
1400  00:04:21  5000:1::3
1280  00:04:50  FE80::203:A0FF:FED6:141D
Console#
Table 147: show ipv6 mtu - display description*
Field Description
MTU Adjusted MTU contained in the ICMP packet-too-big message returned from this destination, and now used for all traffic sent along this path. Any node on the path can send a packet-too-big message, so a cached value only reflects what was received; RFC 8201 requires that the path MTU never be reduced below the IPv6 minimum of 1280 bytes.

show ipv6 traffic This command displays statistics about IPv6 traffic passing through this switch.
  0 neighbor advertisement messages
  0 redirect messages
  0 group membership response messages
  0 group membership reduction messages
UDP Statistics:
  0 input
  0 no port errors
  0 other errors
  0 output
Console#
Table 149: show ipv6 traffic - display description
Field Description
IPv6 Statistics
IPv6 received
total received The total number of input datagrams received by the interface, including those received in error.
Table 149: show ipv6 traffic - display description (Continued)
Field Description
reassembly failed The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
redirect messages The number of Redirect messages received by the interface.
group membership query messages The number of ICMPv6 Group Membership Query messages received by the interface.
group membership response messages The number of ICMPv6 Group Membership Response messages received by the interface.
other errors The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
output The total number of UDP datagrams sent from this entity.

clear ipv6 traffic This command resets IPv6 traffic counters.
CHAPTER 40 | IP Interface Commands Neighbor Discovery COMMAND USAGE ◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path. ◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache.
SYNTAX show ipv6 neighbors [vlan vlan-id | ipv6-address]
vlan-id - VLAN ID (Range: 1-4093)
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.

Table 150: show ipv6 neighbors - display description (Continued)
Field Description
State The following states are used for dynamic entries:
INCMP (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
SECTION IV APPENDICES This section provides additional information and includes these items: ◆ "Software Specifications" on page 993 ◆ "Troubleshooting" on page 997 ◆ "License Information" on page 999
A SOFTWARE SPECIFICATIONS
SOFTWARE FEATURES
MANAGEMENT AUTHENTICATION Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter, DHCP Snooping
CLIENT ACCESS Access Control Lists (512 rules), Port Authentication (802.
APPENDIX A | Software Specifications Management Features VLAN SUPPORT Up to 256 groups; port-based, protocol-based, tagged (802.
APPENDIX A | Software Specifications Standards STANDARDS IEEE 802.1AB Link Layer Discovery Protocol IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Rapid Spanning Tree Protocol Multiple Spanning Tree Protocol IEEE 802.1p Priority tags IEEE 802.1Q VLAN IEEE 802.1v Protocol-based VLANs IEEE 802.1X Port Authentication IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet Link Aggregation Control Protocol (LACP) Full-duplex flow control (ISO/IEC 8802-3) IEEE 802.
APPENDIX A | Software Specifications Management Information Bases
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC 2863)
IP Multicasting related MIBs
IPV6-MIB (RFC 2465)
IPV6-ICMP-MIB (RFC 2466)
IPV6-TCP-MIB (RFC 2452)
IPV6-UDP-MIB (RFC 2454)
Link Aggregation MIB (IEEE 802.3ad)
MAU MIB (RFC 3636)
MIB II (RFC 1213)
P-Bridge MIB (RFC 2674P)
Port Access Entity MIB (IEEE 802.
B TROUBLESHOOTING PROBLEMS ACCESSING THE MANAGEMENT INTERFACE Table 151: Troubleshooting Chart Symptom Action Cannot connect using Telnet, web browser, or SNMP software ◆ Be sure the switch is powered up. ◆ Check network cabling between the management station and the switch. ◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
APPENDIX B | Troubleshooting Using System Logs USING SYSTEM LOGS If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Enable SNMP. 4. Enable SNMP traps. 5. Designate the SNMP host that is to receive the error messages. 6.
C LICENSE INFORMATION This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
APPENDIX C | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
GLOSSARY ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DIFFSERV Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GMRP Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard.
GVRP GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
IGMP Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
LLDP Link Layer Discovery Protocol is used to discover basic information about neighboring devices in the local broadcast domain by using periodic broadcasts to advertise information such as device identification, capabilities and configuration settings.
MD5 MD5 Message-Digest is a cryptographic hash algorithm that produces a 128-bit digest of its input. In network equipment it is used mainly for keyed message authentication (for example HMAC-MD5 in SNMPv3), not as a signature scheme by itself. It replaced MD4, which was broken, but MD5 is now also considered broken: practical collisions have been demonstrated, so it should not be relied on where collision resistance matters, and a SHA-based algorithm should be preferred wherever the switch offers one.
PORT AUTHENTICATION See IEEE 802.1X.
PORT MIRRORING A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.
PORT TRUNK Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
SNTP Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.
SSH Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
VLAN Virtual LAN. A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
XMODEM A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
COMMAND LIST aaa accounting commands 621 aaa accounting dot1x 622 aaa accounting exec 623 aaa accounting update 624 aaa authorization exec 625 aaa group server 626 absolute 573 access-list arp 723 access-list ip 712 access-list mac 719 accounting dot1x 627 accounting exec 627 alias 731 arp timeout 968 authentication enable 612 authentication login 613 authorization exec 628 auto-traffic-control 777 auto-traffic-control action 778 auto-traffic-control alarm-clearthreshold 779 auto-traffic-control alarm-fire
ip arp inspection limit 704 ip arp inspection log-buffer logs 702 ip arp inspection trust 705 ip arp inspection validate 703 ip arp inspection vlan 703 ip default-gateway 963 ip dhcp client class-id 955 ip dhcp restart client 956 ip dhcp snooping 686 ip dhcp snooping database flash 692 ip dhcp snooping information option 688 ip dhcp snooping information policy 689 ip dhcp snooping trust 691 ip dhcp snooping verify mac-address 689 ip dhcp snooping vlan 690 ip domain-list 945 ip domain-lookup 9
lldp med-tlv location 937 lldp med-tlv med-cap 937 lldp med-tlv network-policy 938 lldp notification 938 lldp notification-interval 924 lldp refresh-interval 925 lldp reinit-delay 925 lldp tx-delay 926 logging facility 555 logging history 556 logging host 557 logging on 557 logging sendmail 561 logging sendmail destination-email 563 logging sendmail host 562 logging sendmail level 563 logging sendmail source-email 564 logging trap 558 login 547 mac access-group 722 mac-address-table aging-time
show access-list tcam-utilization 527 show accounting 628 show arp 969 show arp access-list 725 show auto-traffic-control 786 show auto-traffic-control interface 786 show bridge-ext 825 show cable-diagnostics 746 show calendar 571 show class-map 885 show cluster 579 show cluster candidates 580 show cluster members 580 show dns 951 show dns cache 952 show dot1q-tunnel 840 show dot1x 657 show garp timer 825 show gvrp configuration 826 show history 520 show hosts 952 show interfaces brief 739 sho
show system 530 show tacacs-server 620 show tech-support 531 show time-range 575 show traffic-segmentation 841 show upgrade 543 show users 531 show version 532 show vlan 835 show voice vlan 855 show web-auth 684 show web-auth interface 684 show web-auth summary 685 shutdown 736 silent-time 550 snmp-server 582 snmp-server community 583 snmp-server contact 583 snmp-server enable port-traps atc broadcast-alarm-clear 782 snmp-server enable port-traps atc broadcast-alarm-fire 782 snmp-server enable
web-auth session-timeout 681 web-auth system-auth-control 682 whichboot 540
INDEX ARP NUMERICS 802.1Q tunnel 179, 836 access 184, 838 configuration, guidelines 182, 837 configuration, limitations 182, 837 description 179 ethernet type 183, 839 interface configuration 184, 838–839 mode selection 184, 838 status, configuring 183, 837 TPID 183, 839 uplink 184, 838 802.1X authenticator, configuring 345, 647–653 global settings 344, 646–647 port authentication 342, 645, 647 port authentication accounting 283, 284, 627 supplicant, configuring 349, 654–657 A AAA accounting 802.
C cable diagnostics 142, 745 canonical format indicator 250 class map description 871 DiffServ 254, 870 Class of Service See CoS CLI command modes 510 showing commands 508 clustering switches, management access 430, 576 command line interface See CLI committed burst size, QoS policy 261, 262, 263, 875, 877, 879 committed information rate, QoS policy 261, 262, 263, 875, 877, 879 community string 73, 410, 583 configuration file, DHCP download reference 71 configuration files, restoring defaults 102, 53
DSCP 245, 866 enabling 246, 866 mapping to internal values 247, 864 DSCP ingress map, drop precedence 248, 864 DSCP to PHB/drop precedence 248, 864 dynamic addresses clearing 199, 791 displaying 198, 791 Dynamic Host Configuration Protocol See DHCP dynamic QoS assignment 297, 301, 669 dynamic VLAN assignment 297, 301, 670 E edge port, STA 216, 218, 809 encryption DSA 313, 315, 641 RSA 313, 315, 641 engine ID 400, 401, 589 event logging 369, 555 excess burst size, QoS policy 262, 877, 879 exec comman
importing user public keys 315, 536 ingress filtering 173, 832 IP address BOOTP/DHCP 443, 956 setting 439, 961 IP filter, for management access 338, 660 IP source guard configuring static entries 356, 694 setting filter criteria 354, 696 setting maximum bindings 355, 697 IP statistics 965 IPv4 address BOOTP/DHCP 443, 962 dynamic configuration 68 manual configuration 65 setting 65, 443, 962 IPv6 displaying neighbors 454, 989 duplicate address detection 448, 454, 989 enabling 447, 977 MTU 447, 978 stat
reauthentication 299, 668 MAC address, mirroring 200, 761 main menu, web interface 84 management access, filtering per address 338, 660 management access, IP filter 338, 660 Management Information Bases (MIBs) 995 matching class settings, classifying QoS traffic 255, 872 media-type 128 memory status 121, 527 utilization, showing 121, 527 mirror port configuring 132, 761 configuring local traffic 132, 761 configuring remote traffic 134, 764 mirror trunk configuring 158, 761 configuring local traffic 1
port priority 396 power savings configuring 159, 747 enabling per port 159, 747 priority, default port ingress 239, 860 private key 309, 635 problems, troubleshooting 997 protocol migration 216, 817 protocol VLANs 185, 842 configuring 186, 842 configuring groups 186, 843 configuring interfaces 187, 843 group configuration 186, 843 interface configuration 187, 843 proxy query address, IGMP snooping 486, 900 proxy query interval, IGMP snooping 485, 901 proxy query response interval, IGMP snooping 485,
downloading 102, 536 version, displaying 98, 532 Spanning Tree Protocol See STA specifications, software 993 srTCM police meter 262, 877 QoS policy 258, 877 SSH 309, 635 authentication retries 312, 638 configuring 309, 636 downloading public keys for clients 315, 536 generating host key pair 313, 641 server, configuring 312, 638 timeout 312, 640 SSL, replacing certificate 308 STA 203, 795 BPDU filter 216, 806 BPDU shutdown 216, 807 cisco-prestandard, setting compatibility 797 detecting loopbacks 206,
V VLAN trunking 163, 834 VLANs 167–193, 821–855 802.