3RUW &RPER 6)3 6ORWV *LJDELW (WKHUQHW 0XOWL /D\HU 0DQDJHPHQW 6ZLWFK 0,/ 60 7* 8VHU 0DQXDO
Regulatory Approval - FCC Class A - UL 60950 - CSA C22.2 No. 60950 - EN60950-1 4 - CE - EN55022 Class A - EN55024 Canadian EMI Notice This Class A digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulations. Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel brouilleur du Canada.
You can reach MiLAN Technology technical support at: E-mail: support@milan.com Telephone: +1.408.744.2751 Fax: +1.408.744.2771 MiLAN Technology 1329 Moffett Park Drive Sunnyvale, CA 94089 United States of America Telephone: +1.408.744.2775 Fax: +1.408.744.2793 http://www.milan.com info@milan.com © Copyright 2005 MiLAN Technology P/N: 90000441 REV.
Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults 1-1 1-1 1-2 1-5 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings Trap Receivers Saving Configuration Settings Managing System Files 2-1 2-1 2-1 2-2 2-3 2-3 2-3 2-4 2-4 2-4
Contents System Log Configuration Remote Log Configuration Displaying Log Messages Sending Simple Mail Transfer Protocol Alerts Resetting the System Setting the System Clock Configuring SNTP Setting the Time Zone Simple Network Management Protocol Setting Community Access Strings Specifying Trap Managers and Trap Types User Authentication Configuring the Logon Password Configuring Local/Remote Logon Authentication Configuring HTTPS Replacing the Default Secure-site Certificate Configuring the Secure Shell G
Contents Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Setting Broadcast Storm Thresholds Configuring Port Mirroring Configuring Rate Limits Showing Port Statistics Address Table Settings Setting Static Addresses Displaying the Address Table Changing the Aging Time Spanning Tree Algorithm Configuration Displaying Global Settings Configuring Global Settings Displaying Interface Settings Configuring Interface Settings Configuring Multiple Spanni
Contents Mapping CoS Values to ACLs Changing Priorities Based on ACL Rules Multicast Filtering Layer 2 IGMP (Snooping and Query) Configuring IGMP Snooping and Query Parameters Displaying Interfaces Attached to a Multicast Router Specifying Static Interfaces for a Multicast Router Displaying Port Members of Multicast Services Assigning Ports to Multicast Services Configuring Domain Name Service Configuring General DNS Server Parameters Configuring Static DNS Host to Address Entries Displaying the DNS Cache C
Contents disconnect show line General Commands enable disable configure show history reload end exit quit System Management Commands Device Designation Commands prompt hostname User Access Commands username enable password IP Filter Commands management show management Web Server Commands ip http port ip http server ip http secure-server ip http secure-port Telnet Server Commands ip telnet port ip telnet server Secure Shell Commands ip ssh server ip ssh timeout ip ssh authentication-retries ip ssh server-key
Contents logging facility logging trap clear logging show logging SMTP Alert Commands logging sendmail host logging sendmail level logging sendmail source-email logging sendmail destination-email logging sendmail show logging sendmail Time Commands sntp client sntp server sntp poll show sntp clock timezone calendar set show calendar System Status Commands show startup-config show running-config show system show users show version Frame Size Commands jumbo frame Flash/File Commands copy delete dir whichboot
Contents TACACS+ Client tacacs-server host tacacs-server port tacacs-server key show tacacs-server Port Security Commands port security 802.
Contents show map access-list mac match access-list mac ACL Information show access-list show access-group SNMP Commands snmp-server community snmp-server contact snmp-server location snmp-server host snmp-server enable traps show snmp DNS Commands ip host clear host ip domain-name ip domain-list ip name-server ip domain-lookup show hosts show dns show dns cache clear dns cache Interface Commands interface description speed-duplex negotiation capabilities flowcontrol combo-forced-mode shutdown switchport br
Contents lacp system-priority lacp admin-key (Ethernet Interface) lacp admin-key (Port Channel) lacp port-priority show lacp Address Table Commands mac-address-table static clear mac-address-table dynamic show mac-address-table mac-address-table aging-time show mac-address-table aging-time Spanning Tree Commands spanning-tree spanning-tree mode spanning-tree forward-time spanning-tree hello-time spanning-tree max-age spanning-tree priority spanning-tree pathcost method spanning-tree transmission-limit spann
Contents switchport ingress-filtering switchport native vlan switchport allowed vlan switchport forbidden vlan Displaying VLAN Information show vlan Configuring Private VLANs pvlan show pvlan Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group GVRP and Bridge Extension Commands bridge-ext gvrp show bridge-ext switchport gvrp show gvrp configurati
Contents show ip igmp snooping show mac-address-table multicast IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count ip igmp snooping query-interval ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time Static Multicast Routing Commands ip igmp snooping vlan mrouter show ip igmp snooping mrouter IP Interface Commands ip address ip dhcp restart ip default-gateway show ip interface show ip redirects ping 4-205 4-206 4-207 4-207 4-207 4-208 4-209 4-20
Contents xiv
Tables Table 1-1. Table 1-2.
Tables Table 4-27 Table 4-28 Table 4-29 Table 4-30 Table 4-31 Table 4-32 Table 4-33 Table 4-34 Table 4-35 Table 4-36 Table 4-37 Table 4-38 Table 4-39 Table 4-40 Table 4-41 Table 4-42 Table 4-43 Table 4-44 Table 4-45 Table 4-46 Table 4-47 Table 4-48 Table 4-49 Table 4-51 Table 4-50 Table 4-52 Table 4-53 Table 4-54 Table 4-55 Table 4-56 Table 4-57 Table 4-58 Table 4-59 Table 4-60 Table 4-61 Table 4-62 Table 4-63 Table 4-64 Table 4-65 Table 4-66 Table 4-67 Table 4-68 Table 4-69 Table 4-70 Table B-1 xvi Authen
Figures Figure 3-1 Figure 3-2 Figure 3-3 Figure 3-4 Figure 3-5 Figure 3-6 Figure 3-7 Figure 3-8 Figure 3-9 Figure 3-10 Figure 3-11 Figure 3-12 Figure 3-13 Figure 3-14 Figure 3-15 Figure 3-16 Figure 3-17 Figure 3-18 Figure 3-19 Figure 3-20 Figure 3-21 Figure 3-22 Figure 3-23 Figure 3-24 Figure 3-25 Figure 3-26 Figure 3-27 Figure 3-28 Figure 3-29 Figure 3-30 Figure 3-31 Figure 3-32 Figure 3-33 Figure 3-34 Figure 3-35 Figure 3-36 Figure 3-37 Figure 3-38 Figure 3-39 Figure 3-40 Figure 3-41 Figure 3-42 Home Pag
Figures Figure 3-43 Figure 3-44 Figure 3-45 Figure 3-46 Figure 3-47 Figure 3-48 Figure 3-49 Figure 3-50 Figure 3-51 Figure 3-52 Figure 3-53 Figure 3-54 Figure 3-55 Figure 3-56 Figure 3-57 Figure 3-58 Figure 3-59 Figure 3-60 Figure 3-61 Figure 3-62 Figure 3-63 Figure 3-64 Figure 3-65 Figure 3-66 Figure 3-67 Figure 3-68 Figure 3-69 Figure 3-70 Figure 3-71 Figure 3-72 Figure 3-73 Figure 3-74 Figure 3-75 Figure 3-76 Figure 3-77 Figure 3-78 Figure 3-79 Figure 3-80 Figure 3-81 Figure 3-82 Figure 3-83 Figure 3-84
Figures Figure 3-88 Figure 3-89 Figure 3-90 DNS General Configuration DNS Static Host Table DNS Cache 3-148 3-150 3-151 xix
Figures xx
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment. Key Features Table 1-1.
1 Introduction Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth.
Description of Software Features 1 Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity. Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP).
1 Introduction Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP). Virtual LANs – The switch supports up to 255 VLANs.
System Defaults 1 System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-18). The following table lists some of the basic system defaults. Table 1-2.
1 Introduction Table 1-2.
System Defaults 1 Table 1-2. System Defaults Function Parameter Default IP Settings IP Address 0.0.0.0 Subnet Mask 255.0.0.0 Default Gateway 0.0.0.
1 1-8 Introduction
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
2 Initial Configuration • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch.
2 Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4. Note: This switch supports four concurrent Telnet/SSH sessions.
2 Initial Configuration Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows: 1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
Basic Configuration 2 Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press . 2.
2 Initial Configuration 5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press . 6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press . Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.
Basic Configuration 2 To configure a community string, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press . (Note that the default mode is read only.) 2. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press .
2 2. Initial Configuration Enter the name of the start-up file. Press . Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming. \Write to FLASH finish. Success. Console# Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
3 Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Navigating the Web Browser Interface 3 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the “Apply” button to confirm the new setting. The following table summarizes the web page configuration buttons. Table 3-1 Web Page Configuration Buttons Button Action Revert Cancels specified values and restores current values prior to pressing Apply. Apply Sets specified values to the system.
3 Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Navigating the Web Browser Interface 3 Table 3-2 Switch Main Menu (Continued) Menu 802.
3 Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description Address Table Static Addresses Page 3-88 Displays entries for interface, address or VLAN 3-88 Dynamic Addresses Displays or edits static entries in the Address Table 3-89 Address Aging Sets timeout for dynamically learned entries 3-91 Spanning Tree 3-91 STA 3-91 Information Displays STA values used for the bridge Configuration Configures global bridge settings for STA, RSTP and MSTP Port Information Displ
Navigating the Web Browser Interface 3 Table 3-2 Switch Main Menu (Continued) Menu Description Protocol VLAN Page 3-124 Configuration Creates a protocol group, specifying the supported protocols Port Configuration Maps a protocol group to a VLAN Priority 3-124 3-124 3-126 Default Port Priority Sets the default priority for each port 3-126 Default Trunk Priority Sets the default priority for each trunk 3-126 Traffic Classes Maps IEEE 802.
3 Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description DNS General Configuration Page 3-146 Enables DNS; configures domain name and domain list; and specifies IP address of name servers for dynamic lookup 3-147 Static Host Table Configures static entries for domain name to address mapping 3-149 Cache Displays cache entries discovered by designated name servers 3-151 3-8
Basic Configuration 3 Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • • • • • System Name – Name assigned to the switch system. Object ID – MIB II object ID for switch’s network management subsystem. Location – Specifies the system location. Contact – Administrator responsible for the system. System Up Time – Length of time the management agent has been up.
3 Configuring the Switch CLI – Specify the hostname, location and contact information. Console(config)#hostname R&D 5 4-25 Console(config)#snmp-server location WC 9 4-113 Console(config)#snmp-server contact Ted 4-113 Console(config)#exit Console#show system 4-60 System description: 24-Port 10/100/1000 ports + 4 Gigabit SFP Combo ports L2+ Management Switch System OID string: 1.3.6.1.4.1.835.6.10.51 System information System Up time: 0 days, 2 hours, 4 minutes, and 7.
Basic Configuration 3 Web – Click System, Switch Information. Figure 3-4 Switch Information CLI – Use the following command to display version information. Console#show version Unit1 Serial number Hardware version Number of ports Main power status Redundant power status Agent(master) Unit id Loader version Boot rom version Operation code version Console# 4-61 :A329025054 :R01 :24 :up :not present :1 :2.2.0.1 :2.1.0.4 :1.2.0.
3 Configuring the Switch • Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 3-111.) • Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs. • GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups.
Basic Configuration 3 Setting the Switch’s IP Address This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your network.
3 Configuring the Switch Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 IP Interface Configuration - Manual CLI – Specify the management interface, IP address and default gateway. Console#config Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.54 255.255.255.
3 Basic Configuration Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
3 Configuring the Switch CLI – Enter the following command to restart DHCP service. Console#ip dhcp restart Console# 4-211 Managing Firmware You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version. Command Attributes • TFTP Server IP Address – The IP address of a TFTP server.
Basic Configuration 3 If you download to a new destination file, then select the file from the drop-down box for the operation code used at startup, and click Apply Changes. To start the new firmware, reboot the system via the System/Reset menu. Figure 3-9 Setting the Startup Code CLI – Enter the IP address of the TFTP server, select “config” or “opcode” file type, then enter the source and destination file names, set the new file to start up the system, and then restart the switch.
3 Configuring the Switch Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch. Web – Click System, File, Configuration.
Basic Configuration 3 If you download the startup configuration file under a new file name, you can set this file as the startup file at a later time, and then restart the switch.
3 Configuring the Switch • RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) Note: The Flash Level must be equal to or less than the RAM Level. Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.
Basic Configuration 3 Command Attributes • Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process. (Default: Disabled) • Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service. The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.
3 Configuring the Switch CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap. Console(config)#logging host 10.1.0.9 Console(config)#logging facility 23 Console(config)#logging trap 4 Console(config)#logging trap Console(config)#exit Console#show logging trap Syslog logging: Enable REMOTELOG status: enable REMOTELOG facility type: local use 7 REMOTELOG level type: Warning conditions REMOTELOG server ip address: 10.1.0.9 REMOTELOG server ip address: 0.0.0.
3 Basic Configuration CLI – This example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is “debugging” (i.e., default level 7 - 0), and lists one sample error. Console#show logging flash Syslog logging: Enable History logging in FLASH: level emergencies [4] 13:20:06 03/02/2004 "VLAN 1 link-up notification." level: 6, module: 6, function: 1, and event [3] 13:20:06 03/02/2004 "STP topology change notification.
3 Configuring the Switch Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove. Specify up to five email addresses to receive the alert messages, and click Apply.
3 Basic Configuration CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration. Console(config)#logging sendmail host 192.168.1.
3 Configuring the Switch Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See “calendar set” on page 4-55.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
3 Basic Configuration CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Console(config)#sntp client Console(config)#sntp poll 16 Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 Console(config)#exit Console#show sntp Current time: Jan 6 14:56:05 2004 Poll interval: 16 Current mode: unicast SNTP status : Enabled SNTP server 10.1.0.19 137.82.140.80 128.250.36.2 Current server: 128.250.36.
3 Configuring the Switch CLI - This example shows how to set the time zone for the system clock. Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC Console(config)# 4-55 Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
3 Simple Network Management Protocol Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-19 Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access.
3 Configuring the Switch Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive these messages, specify the SNMP version, mark the trap types required, and then click Add. Figure 3-20 Configuring SNMP Trap Managers CLI – This example adds a trap manager and enables both authentication and link-up, link-down traps. Console(config)#snmp-server host 192.168.1.
User Authentication 3 Command Attributes • User Name* – The name of the user. (Maximum length: 8 characters) • Access Level* – Specifies the user level. (Options: Normal and Privileged) • Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive) * CLI only. Web – Click Security, Passwords. To change the password for the current user, enter the old password, the new password, confirm it by entering it again, then click Apply.
3 Configuring the Switch RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. Command Usage • By default, management access is always checked against the authentication database stored on the local switch.
User Authentication 3 Note: The local switch user database has to be set up by manually entering user names and passwords using the CLI. (See “username” on page 4-26.) Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
3 Configuring the Switch CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius Console(config)#radius-server host 192.168.1.25 Console(config)#radius-server port 181 Console(config)#radius-server key green Console(config)#radius-server retransmit 5 Console(config)#radius-server timeout 10 Console(config)#end Console#show radius-server Remote radius server configuration: Server IP address: 192.168.1.
User Authentication 3 • The following web browsers and operating systems currently support HTTPS: Table 3-4 HTTPS System Support Web Browser Operating System Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a), Windows 2000, Windows XP Netscape Navigator 6.2 or later Windows 98,Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6 • To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 3-35.
3 Configuring the Switch Note: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased.
3 User Authentication To use the SSH server, complete these steps: 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
3 Configuring the Switch e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated. Notes: 1. To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client’s keys. 2.
User Authentication 3 Web – Click Security, SSH Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-23 SSH Host-Key Settings CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
3 Configuring the Switch Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
User Authentication 3 CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SHH, and then disables this connection. Console(config)#ip ssh server Console(config)#ip ssh timeout 100 Console(config)#ip ssh authentication-retries 5 Console(config)#ip ssh server-key size 512 Console(config)#end Console#show ip ssh SSH Enabled - version 2.
3 Configuring the Switch • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-67). Command Attributes • Port – Port number. • Name – Descriptive text (page 4-124). • Action – Indicates the action to be taken when a port security violation is detected: - None: No action should be taken. (This is the default.) - Trap: Send an SNMP trap message. - Shutdown: Disable the port.
3 User Authentication CLI – This example selects the target port, sets the port security action to send a trap and disable the port, specifies a maximum address count, and then enables port security for the port. Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap-and-shutdown Console(config-if)#port security max-mac-count 20 Console(config-if)#port security Console(config-if)# 4-76 Configuring 802.
3 Configuring the Switch The operation of 802.1X on the switch requires the following: • The switch must have an IP address assigned. • RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. • 802.1X must be enabled globally for the switch. • Each switch port that will be used must be set to dot1x “Auto” mode. • Each client that needs to be authenticated must have dot1x client software installed and properly configured. • The RADIUS server and 802.
User Authentication 3 Web – Click Security, 802.1X, Information. Figure 3-26 802.1X Information CLI – This example shows the default protocol settings for 802.1X. For a description of the additional entries displayed in the CLI, See “show dot1x” on page 4-84. Console#show dot1x Global 802.1X Parameters reauth-enabled: yes reauth-period: 3600 quiet-period: 60 tx-period: 30 supp-timeout: 30 server-timeout: 30 reauth-max: 2 max-req: 2 802.1X Port Port Name 1/1 1/2 . . .
3 Configuring the Switch 802.1X is enabled on port 1/24 Status Authorized Operation mode Single-Host Max count 5 Port-control Auto Supplicant 00-00-e8-49-5e-dc Current Identifier 3 Authenticator State Machine State Authenticated Reauth Count 0 Backend State Machine State Idle Request Count 0 Identifier(Server) 2 Reauthentication State Machine State Initialize Console# Configuring 802.
User Authentication 3 Web – Select Security, 802.1X, Configuration. Enable dot1x globally for the switch, modify any of the parameters required, and then click Apply. Figure 3-27 802.1X Configuration CLI – This enables re-authentication and sets all of the global parameters for 802.1X.
3 Configuring the Switch • Authorized – - Yes – Connected client is authorized. - No – Connected client is not authorized. - Blank – Displays nothing when dot1x is disabled on a port. • Supplicant – Indicates the MAC address of a connected client. • Trunk – Indicates if the port is configured as a trunk port. Web – Click Security, 802.1X, Port Configuration. Select the authentication mode from the drop-down box and click Apply. Figure 3-28 802.
3 User Authentication Table 3-5 802.1X Statistics (Continued) Parameter Description Rx EAP Resp/Oth The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator. Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid. Rx Last EAPOLVer The protocol version number carried in the most recently received EAPOL frame.
3 Configuring the Switch CLI – This example displays the 802.1X statistics for port 4.
User Authentication 3 Web – Click Security, IP Filter. Enter the addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 3-30 IP Filter CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.
3 Configuring the Switch Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
3 Access Control Lists Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 16 characters) • Type – There are three filtering modes: - Standard: IP ACL mode that filters packets based on the source IP address. - Extended: IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number.
3 Configuring the Switch with the address for each IP packet entering the port(s) to which this ACL has been assigned. Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add. Figure 3-32 ACL Configuration - Standard IP CLI – This example configures one permit rule for the specific address 10.1.1.
Access Control Lists 3 • Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP) • Src/Dst Port – Source/destination port number for the specified protocol type. (Range: 0-65535) • Src/Dst Port Bitmask – Decimal number representing the port bits to match. (Range: 0-65535) • Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header.
3 Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
Access Control Lists 3 Configuring a MAC ACL Command Attributes • Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules) • Source/Destination MAC – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any) • Source/Destination MAC Address – Source or destination MAC address.
3 Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexidecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
Access Control Lists 3 Configuring ACL Masks You can specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL. A mask must be bound exclusively to one of the basic ACL types (i.e.
3 Configuring the Switch Configuring an IP ACL Mask This mask defines the fields to check in the IP header. Command Usage • Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes. Command Attributes • Src/Dst IP – Specifies the source or destination IP address. Use “Any” to match any address, “Host” to specify a host address (not a subnet), or “IP” to specify a range of addresses.
Access Control Lists 3 Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitmask to search for specific protocol port(s) or TCP control code(s). Then click Add.
3 Configuring the Switch Configuring a MAC ACL Mask This mask defines the fields to check in the packet header. Command Usage You must configure a mask for an ACL rule before you can bind it to a port. Command Attributes • Source/Destination MAC – Use “Any” to match any address, “Host” to specify the host address for a single node, or “MAC” to specify a range of addresses. (Options: Any, Host, MAC; Default: Any) • Source/Destination MAC Bitmask – Address of rule must match this bitmask.
Access Control Lists 3 CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules have been changed by the mask.
3 Configuring the Switch Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply. Figure 3-38 ACL Port Binding CLI – This examples assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2.
Port Configuration 3 • Forced Mode1 – Shows the forced/preferred port type to use for combination ports 21-24. (Copper-Forced, Copper-Preferred-Auto, SFP-Forced, SFP-Preferred-Auto) • Trunk Member1 – Shows if port is a trunk member. • Creation2 – Shows if a trunk is manually configured or dynamically set via LACP. Web – Click Port, Port Information or Trunk Information. Figure 3-39 Port - Port Information Field Attributes (CLI) Basic information: • Port type – Indicates the port type.
3 Configuring the Switch • Broadcast storm – Shows if broadcast storm control is enabled or disabled. • Broadcast storm limit – Shows the broadcast storm threshold. (500 - 262143 packets per second) • Flow control – Shows if flow control is enabled or disabled. • LACP – Shows if LACP is enabled or disabled. • Port Security – Shows if port security is enabled or disabled. • Max MAC count – Shows the maximum number of MAC address that can be learned by a port.
Port Configuration 3 Configuring Interface Connections You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control. Command Attributes • Name – Allows you to label an interface. (Range: 1-64 characters) • Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g.
3 Configuring the Switch • Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Creating Trunk Groups” on page 3-69. Note: Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex Mode or Flow Control options. Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.
Port Configuration 3 Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches. You can create up to six trunks at a time. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
3 Configuring the Switch Statically Configuring a Trunk Command Usage statically configured } • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
Port Configuration 3 CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
3 Configuring the Switch Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. Figure 3-42 LACP Trunk Configuration CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 Console(config-if)#lacp Console(config-if)#exit . . .
Port Configuration 3 Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. • However, if the “port channel” Admin Key is set (page 4-142), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group.
3 Configuring the Switch Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
Port Configuration 3 CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode. Console(config)#interface ethernet 1/1 4-123 Console(config-if)#lacp actor system-priority 3 4-140 Console(config-if)#lacp actor admin-key 120 4-141 Console(config-if)#lacp actor port-priority 128 4-142 Console(config-if)#exit . . .
3 Configuring the Switch Displaying LACP Port Counters You can display statistics for LACP protocol messages. Table 3-6 LACP Port Counters Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received on this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group. Marker Received Number of valid Marker PDUs received by this channel group.
Port Configuration 3 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of an link aggregation. Table 3-7 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Internal Number of seconds before invalidating received LACPDU information.
3 Configuring the Switch Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-45 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Port Configuration 3 Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of an link aggregation. Table 3-8 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Port Number Current administrative value of the port number for the protocol Partner.
3 Configuring the Switch CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
3 Port Configuration Web – Click Port, Port/Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold and click Apply. Figure 3-47 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
3 Configuring the Switch Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. Source port(s) Command Usage Single target port • Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
Port Configuration 3 Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic coming out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
3 Configuring the Switch Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
3 Port Configuration Table 3-9 Port Statistics (Continued) Parameter Description Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space. Transmit Errors The number of outbound packets that could not be transmitted because of errors.
3 Configuring the Switch Table 3-9 Port Statistics (Continued) Parameter Description Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were directed to this multicast address.
Port Configuration 3 Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
3 Configuring the Switch CLI – This example shows statistics for port 13.
3 Address Table Settings • VLAN – ID of configured VLAN (1-4094). Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Then set this as a permanent address or to be deleted on reset. Figure 3-51 Static Addresses CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
3 Configuring the Switch Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-52 Dynamic Addresses CLI – This example also displays the address table entries for port 1.
Spanning Tree Algorithm Configuration 3 Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables or disables the aging time. • Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds) Web – Click Address Table, Address Aging. Specify the new aging time, click Apply. Figure 3-53 Address Aging CLI – This example sets the aging time to 400 seconds.
3 Configuring the Switch Designated Root x x x Designated Bridge x Designated Port Root Port x Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
Spanning Tree Algorithm Configuration 3 • Hello Time – Interval (in seconds) at which the root device transmits a configuration message. • Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
3 • • • • • Configuring the Switch information that would make it return to a discarding state; otherwise, temporary data loops might result. Root Hold Time – The interval (in seconds) during which no more than two bridge configuration protocol data units shall be transmitted by this node. Max hops – The max number of hop counts for the MST region. Remaining hops – The remaining number of hop counts for the MST instance.
Spanning Tree Algorithm Configuration 3 CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree Spanning-tree information --------------------------------------------------------------Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance :0 Vlans configuration :1-4094 Priority :32768 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20 Bridge Forward Delay (sec.) :15 Root Hello Time (sec.) :2 Root Max Age (sec.
3 Configuring the Switch Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol6 Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Spanning Tree Algorithm Configuration 3 • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.
3 Configuring the Switch • Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 65) • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table.
Spanning Tree Algorithm Configuration 3 Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
3 Configuring the Switch CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
Spanning Tree Algorithm Configuration 3 • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-103. • Oper Edge Port – This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 3-103 (i.e.
3 Configuring the Switch • Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops.
3 Spanning Tree Algorithm Configuration CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 Eth 1/ 5 information -------------------------------------------------------------Admin status : enable Role : disable State : discarding External path cost : 10000 Internal path cost : 10000 Priority : 128 Designated cost : 200000 Designated port : 128.5 Designated root : 61440.0.0000E9313131 Designated bridge : 61440.0.
3 Configuring the Switch Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 • Path Cost – This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.
3 Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-57 STA Port Configuration CLI – This example sets STA attributes for port 7.
3 Configuring the Switch Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) • Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440; Default: 32768) • VLANs in MST Instance – VLANs assigned this instance. • MST ID – Instance identifier to configure.
Spanning Tree Algorithm Configuration 3 CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 1 Spanning-tree information --------------------------------------------------------------Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance :1 Vlans configuration :1-5 Priority :32768 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20 Bridge Forward Delay (sec.) :15 Root Hello Time (sec.) :2 Root Max Age (sec.
3 Configuring the Switch Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Field Attributes • MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0) The other attributes are described under “Displaying Interface Settings,” page 3-100. Web – Click Spanning Tree, MSTP, Port Information or Trunk Information.
Spanning Tree Algorithm Configuration 3 --------------------------------------------------------------Eth 1/ 1 information --------------------------------------------------------------Admin status : enable Role : root State : forwarding External path cost : 100000 Internal path cost : 100000 Priority : 128 Designated cost : 200000 Designated port : 128.24 Designated root : 32768.0.0000ABCD0000 Designated bridge : 32768.0.
3 Configuring the Switch • MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
3 VLAN Configuration VLAN Configuration IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment. An IEEE 802.
3 Configuring the Switch Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing it on to any end-node host that does not support VLAN tagging. tagged frames VA VA VA: VLAN Aware VU: VLAN Unaware tagged frames VA untagged frames VA VU VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways.
3 VLAN Configuration these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
3 Configuring the Switch Enabling or Disabling GVRP (Global Setting) GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network. GVRP must be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. (Default: Disabled) Web – Click VLAN, 802.
VLAN Configuration 3 CLI – Enter the following command.
3 Configuring the Switch Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members.
3 VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-64 VLAN Static List - Creating VLANs CLI – This example creates a new VLAN.
3 Configuring the Switch • Trunk – Trunk identifier. • Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk: - Tagged: Interface is a member of the VLAN. All packets transmitted by the port will be tagged, that is, carry a tag and therefore carry VLAN or CoS information. - Untagged: Interface is a member of the VLAN.
3 VLAN Configuration Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. • Non-Member – VLANs for which the selected interface is not a tagged member. Web – Open VLAN, 802.1Q VLAN, Static Membership. Select an interface from the scroll-down box (Port or Trunk).
3 Configuring the Switch values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GVRP registration/deregistration. Command Attributes • PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1) - If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN, the interface will automatically be added to VLAN 1 as an untagged member.
VLAN Configuration 3 • Mode – Indicates VLAN membership mode for an interface. (Default: 1Q Trunk) - 1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames. - Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
3 Configuring the Switch Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.
3 VLAN Configuration Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports. Web – Click VLAN, Private VLAN, Link Status. Mark the ports that will serve as uplinks and downlinks for the private VLAN, then click Apply.
3 Configuring the Switch Configuring Protocol Groups Create a protocol group for one or more protocols. Command Attributes • Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647) • Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other) • Protocol Type – The only option for the LLC_other frame type is IPX_raw. The options for all other frames types include: IP, ARP, RARP. Web – Click VLAN, Protocol VLAN, Configuration.
3 VLAN Configuration - If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. Command Attributes • Interface – Port or trunk identifier. • Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647) • VLAN ID – VLAN to which matching protocol traffic is forwarded.
3 Configuring the Switch Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Class of Service Configuration 3 Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-72 Default Port Priority CLI – This example assigns a default priority of 5 to port 3.
3 Configuring the Switch Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Class of Service Configuration 3 Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-73 Traffic Classes CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
3 Configuring the Switch • Strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues. Web – Click Priority, Queue Mode. Select Strict or WRR, then click Apply. Figure 3-74 Queue Mode CLI – The following sets the queue mode to strict priority service mode.
Class of Service Configuration 3 Web – Click Priority, Queue Scheduling. Select the interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply. Figure 3-75 Queue Scheduling CLI – The following example shows how to assign WRR weights to each of the priority queues.
3 Configuring the Switch Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port.
Class of Service Configuration 3 Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
3 Configuring the Switch CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Class of Service Configuration 3 Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply. Figure 3-78 IP DSCP Priority CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
3 Configuring the Switch Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110. Command Attributes • IP Port Priority Status – Enables or disables the IP port priority. (Default: Disabled) • Interface – Selects the port or trunk interface to which the settings apply.
Class of Service Configuration 3 CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays the IP Port Priority settings for that port. Console(config)#map ip port Console(config)#interface ethernet 1/5 Console(config-if)#map ip port 80 cos 0 Console(config-if)#end Console#show map ip port ethernet 1/5 TCP port mapping status: Enabled 4-194 4-195 4-198 Port Port no.
3 Configuring the Switch Web – Click Priority, ACL CoS Priority. Enable mapping for any port, select an ACL from the scroll-down list, then click Apply. Figure 3-81 ACL CoS Priority CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 24.
Class of Service Configuration 3 Command Attributes • Port – Port identifier. • • • • • Name14 – Name of ACL. Type – Type of ACL (IP or MAC). Precedence – IP Precedence value. (Range: 0-7) DSCP – Differentiated Services Code Point value. (Range: 0-63) 802.1p Priority – Class of Service value in the IEEE 802.1p priority tag. (Range: 0-7; 7 is the highest priority) Web – Click Priority, ACL Marker. Select a port and an ACL rule.
3 Configuring the Switch Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/ router.
Multicast Filtering 3 Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
3 Configuring the Switch Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-83 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Multicast Filtering 3 Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
3 Configuring the Switch Command Attributes • Interface – Activates the Port or Trunk scroll down list. • VLAN ID – Selects the VLAN to propagate all multicast traffic coming from the attached multicast router. • Port or Trunk – Specifies the interface attached to a multicast router. Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add.
3 Multicast Filtering Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-86 IP Multicast Registration Table CLI – This example displays all the known multicast services supported on VLAN 1, along with the ports propagating the corresponding services.
3 Configuring the Switch • Multicast IP – The IP address for a specific multicast service • Port or Trunk – Specifies the interface attached to a multicast router/switch. Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
Configuring Domain Name Service 3 Configuring General DNS Server Parameters Command Usage • To enable DNS service on this switch, first configure one or more name servers, and then enable domain lookup status. • To append domain names to incomplete host names received from a DNS client (i.e., not formatted with dotted notation), you can specify a default domain name or a list of domain names to be tried in sequential order. • If there is no domain list, the default domain name is used.
3 Configuring the Switch Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use to use for address resolution, enable domain lookup status, and click Apply. Figure 3-88 DNS General Configuration CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used. Console(config)#ip domain-name sample.
3 Configuring Domain Name Service Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network. • Servers or other network devices may support one or more connections via multiple IP addresses.
3 Configuring the Switch Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-89 DNS Static Host Table CLI - This example maps two address to a host name, and then configures an alias host name for the same addresses. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#ip host rd6 10.1.0.55 Console(config)#end Console#show hosts Hostname rd5 Inet address 10.1.0.55 192.168.1.55 Alias 1.
Configuring Domain Name Service 3 Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
3 Configuring the Switch CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache NO FLAG TYPE 0 4 CNAME 1 4 CNAME 2 4 CNAME 3 4 CNAME 4 4 CNAME 5 4 ALIAS 6 4 CNAME 7 4 ALIAS 8 4 CNAME 9 4 ALIAS 10 4 CNAME Console# 3-152 IP 207.46.134.222 207.46.134.190 207.46.134.155 207.46.249.222 207.46.249.27 POINTER TO:4 207.46.68.27 POINTER TO:6 65.54.131.192 POINTER TO:8 165.193.72.190 TTL 51 51 51 51 51 51 71964 71964 605 605 87 4-123 DOMAIN www.
Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
4 Command Line Interface To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example, Console(config)#interface vlan 1 Console(config-if)#ip address 10.1.0.254 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 10.1.0.
Entering Commands 4 Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
4 Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
Entering Commands 4 Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
4 Command Line Interface Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Entering Commands 4 Username: guest Password: [guest login password] CLI session with the MIL-SM24004TG 24-Port 10/100/1000 ports + 4 Gigabit SFP Combo ports L2+ Management Switch is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted.
4 Command Line Interface To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Entering Commands 4 Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
4 Command Line Interface Command Groups The system commands can be broken down into the functional groups shown below.
4 Line Commands The access mode shown in the following tables is indicated by these abbreviations: NE (Normal Exec) PE (Privileged Exec) GC (Global Configuration) ACL (Access Control List Configuration) IC (Interface Configuration) LC (Line Configuration) VC (VLAN Database Configuration) MST (Multiple Spanning Tree) Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
4 Command Line Interface line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line. Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users.
4 Line Commands Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. - login local selects authentication via the user name and password specified by the username command (i.e., default setting).
4 Command Line Interface number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Line Commands 4 password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold) Default Setting The default value is three attempts.
4 Command Line Interface Example To set the silent time to 60 seconds, enter this command: Console(config-line)#silent-time 60 Console(config-line)# Related Commands password-thresh (4-15) databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. • 8 - Eight data bits per character.
Line Commands 4 parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity • none - No parity • even - Even parity • odd - Odd parity Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
4 Command Line Interface Command Usage Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
Line Commands 4 Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (4-41) show users (4-61) show line This command displays the terminal line’s parameters. Syntax show line [console | vty] • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet).
4 Command Line Interface General Commands Table 4-6 General Commands Command Function Mode Page enable Activates privileged mode NE disable Returns to normal mode from privileged mode PE 4-21 configure Activates global configuration mode PE 4-21 show history Shows the command history buffer NE, PE 4-22 4-20 reload Restarts the system PE 4-22 end Returns to Privileged Exec mode any config.
4 General Commands Example Console>enable Password: [privileged level password] Console# Related Commands disable (4-21) enable password (4-27) disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 4-6.
4 Command Line Interface Related Commands end (4-23) show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
General Commands 4 Command Mode Privileged Exec Command Usage This command resets the entire system. Example This example shows how to reset the switch: Console#reload System will be restarted, continue ? y end This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
4 Command Line Interface quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program.
4 System Management Commands Device Designation Commands Table 4-8 Device Designation Commands Command Function Mode prompt Customizes the prompt used in PE and NE mode GC Page 4-25 hostname Specifies the host name for the switch GC 4-25 snmp-server contact Sets the system contact string GC 4-113 snmp-server location Sets the system location string GC 4-113 prompt This command customizes the CLI prompt. Use the no form to restore the default prompt.
4 Command Line Interface Example Console(config)#hostname RD#1 Console(config)# User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-11), user authentication via a remote authentication server (page 4-68), and host access authentication for specific ports (page 4-78).
System Management Commands 4 Command Mode Global Configuration Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example This example shows how the set the access level and password for a user.
4 Command Line Interface Example Console(config)#enable password level 15 0 admin Console(config)# Related Commands enable (4-20) IP Filter Commands Table 4-11 IP Filter Commands Command Function management Configures IP addresses that are allowed management access GC Mode Page 4-28 show management Displays the switch to be monitored or configured from a browser 4-29 PE management This command specifies the client IP addresses that are allowed management access to the switch through various pr
System Management Commands 4 • When entering addresses for the same group (i.e., SNMP, Web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges. • You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. • You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
4 Command Line Interface Web Server Commands Table 4-12 Web Server Commands Command Function Mode ip http port Specifies the port to be used by the Web browser interface GC Page 4-30 ip http server Allows the switch to be monitored or configured from a browser GC 4-30 ip http secure-server Enables HTTPS/SSL for encrypted communications GC 4-31 ip http secure-port Specifies the UDP port number for HTTPS/SSL GC 4-32 ip http port This command specifies the TCP port number used by the Web br
System Management Commands 4 Example Console(config)#ip http server Console(config)# Related Commands ip http port (4-30) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s Web interface. Use the no form to disable this function.
4 Command Line Interface Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-32) copy tftp https-certificate (4-63) ip http secure-port This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s Web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number – The UDP port used for HTTPS/SSL.
System Management Commands 4 Telnet Server Commands Table 4-14 Telnet Server Commands Command Function Mode ip telnet port Specifies the port to be used by the Telnet interface GC Page 4-30 ip telnet server Allows the switch to be monitored or configured from Telnet GC 4-30 ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
4 Command Line Interface Related Commands ip telnet port (4-33) Secure Shell Commands The Berkley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
System Management Commands 4 The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-69.
4 Command Line Interface corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process: a. b. c. d. e. The client sends its public key to the switch. The switch compares the client's public key to those stored in memory. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
System Management Commands 4 ip ssh timeout Use this command to configure the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
4 Command Line Interface Example Console(config)#ip ssh authentication-retires 2 Console(config)# Related Commands show ip ssh (4-40) ip ssh server-key size Use this command to set the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size – The size of server key.
System Management Commands 4 Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate Use this command to generate the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. • rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs. Command Mode Privileged Exec Command Usage • This command stores the host key pair in memory (i.e., RAM).
4 Command Line Interface Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command.
System Management Commands 4 Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh Use this command to display the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State 0 2.
4 Command Line Interface show public-key Use this command to show the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
System Management Commands 4 Event Logging Commands Table 4-17 Event Logging Commands Command Function Mode logging on Controls logging of error messages GC Page 4-43 logging history Limits syslog messages saved to switch memory based on severity GC 4-44 logging host Adds a syslog server host IP address that will receive logging messages GC 4-45 logging facility Sets the facility type for remote logging of syslog messages GC 4-45 logging trap Limits syslog messages saved to a remote se
4 Command Line Interface logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). • level - One of the levels listed below.
4 System Management Commands logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode Global Configuration Command Usage • By using this command more than once you can build up a list of host IP addresses. • The maximum number of host IP addresses allowed is five.
4 Command Line Interface logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging. Syntax logging trap [level] no logging trap level - One of the level arguments listed below. Messages sent include the selected level up through level 0. (Refer to the table on page 4-44.
4 System Management Commands Related Commands show logging (4-47) show logging This command displays the logging configuration, along with any system and event messages stored in memory. Syntax show logging {flash | ram | sendmail | trap} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). • sendmail - Displays settings for the SMTP event handler (page 4-51).
4 Command Line Interface The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.
4 System Management Commands logging sendmail host This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server. Syntax [no] logging sendmail host ip_address ip_address - IP address of an SMTP server that will be sent alert messages for event handling. Default Setting None Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handing. However, you must enter a separate command to specify each server.
4 Command Line Interface Command Usage The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.) Example This example will send email alerts for system errors from level 3 through 0. Console(config)#logging sendmail level 3 Console(config)# logging sendmail source-email This command sets the email address used for the “From” field in alert messages.
4 System Management Commands Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail This command enables SMTP event handling. Use the no form to disable this function.
4 Command Line Interface Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP), or by using information broadcast by local time servers.
System Management Commands 4 Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current time: Jul 10 02:52:44 2003 Poll interval: 60 Current mode: unicast SNTP status : Enabled SNTP server 137.92.140.80 0.0.0.0 0.0.0.0 Current server: 137.92.140.
4 Command Line Interface sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode Global Configuration Command Usage This command is only applicable when the switch is set to SNTP client mode.
4 System Management Commands clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • • • • • name - Name of timezone, usually an acronym. (Range: 1-29 characters) hours - Number of hours before/after UTC. (Range: 0-12 hours) minutes - Number of minutes before/after UTC. (Range: 0-59 minutes) before-utc - Sets the local time zone before (east) of UTC.
4 Command Line Interface Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, February 1st, 2004. Console#calendar set 15 12 34 1 February 2004 Console# show calendar This command displays the system clock.
System Management Commands 4 System Status Commands Table 4-23 System Status Commands Command Function Mode show startup-config Displays the contents of the configuration file (stored in flash memory) that is used to start up the system PE Page 4-57 show running-config Displays the configuration data currently in use PE 4-58 show system Displays system information NE, PE 4-60 show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet c
4 Command Line Interface Example Console#show startup-config building startup-config, please wait.....
System Management Commands - 4 VLAN configuration settings for each interface Multiple spanning tree instances (name and interfaces) IP address configured for VLANs Spanning tree settings Any configured settings for the console port and Telnet Example Console#show running-config building running-config, please wait..... ! phymap 00-00-a3-42-00-80 ! sntp server 0.0.0.0 0.0.0.0 0.0.0.
4 Command Line Interface Related Commands show startup-config (4-57) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-9. • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
System Management Commands 4 show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
4 Command Line Interface Example Console#show version Unit1 Serial number Hardware version Number of ports Main power status Redundant power status Agent(master) Unit id Loader version Boot rom version Operation code version Console# :A305051234 :R0A :48 :up :not present :1 :1.0.0.1 :1.0.0.1 :1.2.0.4 Frame Size Commands Table 4-24 Frame Size Commands Command Function Mode jumbo frame Enables support for jumbo frames GC Page 4-62 jumbo frame This command enables support for jumbo frames.
Flash/File Commands 4 Example Console(config)#jumbo frame Console(config)# Flash/File Commands These commands are used to manage the system code or configuration files.
4 Command Line Interface Command Mode Privileged Exec Command Usage • The system prompts for data required to complete the copy command. • The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.
4 Flash/File Commands The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from an TFTP server. It then reboots the switch to activate the certificate: Console#copy tftp https-certificate TFTP server ip address: 10.1.
4 Command Line Interface Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands dir (4-66) delete public-key (4-38) dir This command displays a list of files in flash memory.
Flash/File Commands 4 Example The following example shows how to display all file information: Console#dir file name file type startup size (byte) -------------------------------- -------------- ------- ----------Unit1: Diag.bix Boot-Rom image Y 818812 V1204 Operation Code Y 2402452 Factory_Default_Config.
4 Command Line Interface Default Setting None Command Mode Global Configuration Command Usage • A colon (:) is required after the specified file type. • If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-66) whichboot (4-67) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods.
Authentication Commands 4 Authentication Sequence Table 4-28 Authentication Sequence Commands Command Function Mode authentication login Defines logon authentication method and precedence GC Page 4-69 authentication enable Defines the authentication method and precedence for command mode change GC 4-70 authentication login This command defines the login authentication method and precedence. Use the no form to restore the default.
4 Command Line Interface authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-20). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable • local - Use local password only. • radius - Use RADIUS server password only. • tacacs - Use TACACS server password.
Authentication Commands 4 RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
4 Command Line Interface Default Setting 1812 Command Mode Global Configuration Example Console(config)#radius-server port 181 Console(config)# radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
Authentication Commands 4 Example Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
4 Command Line Interface TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
4 Authentication Commands Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
4 Command Line Interface Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Authentication Commands 4 Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. • First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port.
4 Command Line Interface 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 4-32 802.1X Port Authentication Commands Command Function Mode dot1x system-auth-control Enables dot1x globally on the switch.
4 Authentication Commands authentication dot1x default This command sets the default authentication server type. Use the no form to restore the default. Syntax authentication dot1x default radius no authentication dot1x Default Setting RADIUS Command Mode Global Configuration Example Console(config)#authentication dot1x default radius Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
4 Command Line Interface Command Mode Global Configuration Example Console(config)#dot1x max-req 2 Console(config)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control • auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
Authentication Commands 4 dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count. Syntax dot1x operation-mode {single-host | multi-host [max-count count]} no dot1x operation-mode [multi-host max-count] • single-host – Allows only a single host to connect to this port.
4 Command Line Interface dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. Command Mode Privileged Exec Example Console#dot1x re-authenticate Console# dot1x re-authentication This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication.
Authentication Commands 4 Command Mode Global Configuration Example Console(config)#dot1x timeout quiet-period 350 Console(config)# dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds.
4 Command Line Interface show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - This is device 1. - port - Port number. Command Mode Privileged Exec Command Usage This command displays the following information: • Global 802.
Authentication Commands 4 • Backend State Machine - State – Current state (including request, response, success, fail, timeout, idle, initialize). - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. - Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server. • Reauthentication State Machine - State – Current state (including initialize, reauthenticate).
4 Command Line Interface Authenticator State Machine State Authenticated Reauth Count 0 Backend State Machine State Idle Request Count 0 Identifier(Server) 2 Reauthentication State Machine State Initialize Console# Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type).
4 Access Control List Commands • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
4 Command Line Interface Table 4-34 IP ACL Commands Command Function Mode Page mask Sets a precedence mask for the ACL rules IP-Mask 4-93 show access-list ip mask-precedence Shows the ingress or egress rule masks for IP ACLs PE 4-96 ip access-group Adds a port to an IP ACL IC 4-97 show ip access-group Shows port assignments for IP ACLs PE 4-97 map access-list ip Sets the CoS value and corresponding output queue for packets matching an ACL rule IC 4-98 show map access-list ip Shows
Access Control List Commands 4 Example Console(config)#access-list ip standard david Console(config-std-acl)# Related Commands permit, deny 4-89 ip access-group (4-97) show ip access-list (4-92) permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} • • • • any – Any source IP address.
4 Command Line Interface permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
4 Access Control List Commands Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
4 Command Line Interface Related Commands access-list ip (4-88) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. • acl_name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 0.0.15.
Access Control List Commands 4 Command Usage • A mask can only be used by all ingress ACLs or all egress ACLs. • The precedence of the ACL rules applied to a packet is not determined by order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied to a packet. • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
4 Command Line Interface Command Mode IP Mask Command Usage • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered. • First create the required ACLs and ingress or egress masks before mapping an ACL to an interface. • If you enter dscp, you cannot enter tos or precedence. You can enter both tos and precedence without dscp.
4 Access Control List Commands This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others. Console(config)#access-list ip standard A2 Console(config-std-acl)#permit any Console(config-std-acl)#deny host 171.69.198.102 Console(config-std-acl)#end Console#show access-list IP standard access-list A2: deny host 171.69.198.
4 Command Line Interface This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
Access Control List Commands 4 Related Commands mask (IP ACL) (4-93) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. • out – Indicates that this list applies to egress packets.
4 Command Line Interface Related Commands ip access-group (4-97) map access-list ip This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping. Syntax [no] map access-list ip acl_name cos cos-value • acl_name – Name of the ACL. (Maximum length: 16 characters) • cos-value – CoS value.
Access Control List Commands 4 show map access-list ip This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list ip [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number.
4 Command Line Interface Command Usage • You must configure an ACL mask before you can change frame priorities based on an ACL rule. • Traffic priorities may be included in the IEEE 802.1p priority tag. This tag is also incorporated as part of the overall IEEE 802.1Q VLAN tag. To specify this priority, use the set priority keywords. • The IP frame header also includes priority bits in the Type of Service (ToS) octet.
Access Control List Commands 4 MAC ACLs Table 4-36 MAC ACL Commands Command Function Mode Page access-list mac Creates a MAC ACL and enters configuration mode GC 4-101 permit, deny Filters packets matching a specified source and destination address, packet format, and Ethernet type MAC-ACL 4-102 show mac access-list Displays the rules for configured MAC ACLs PE 4-103 access-list mac mask-precedence Changes to the mode for configuring access control masks GC 4-104 mask Sets a precedence
4 Command Line Interface Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny 4-102 mac access-group (4-107) show mac access-list (4-103) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
4 Access Control List Commands • • • • • • destination – Destination MAC address range with bitmask. address-bitmask* – Bitmask for MAC address (in hexidecimal format). vid – VLAN ID. (Range: 1-4095) vid-bitmask* – VLAN bitmask. (Range: 1-4095) protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) protocol-bitmask* – Protocol bitmask. (Range: 600-fff hex.) * For all bitmasks, “1” means care and “0” means ignore.
4 Command Line Interface Example Console#show mac access-list MAC access-list jerry: permit any 00-e0-29-94-34-de ethertype 0800 Console# Related Commands permit, deny 4-102 mac access-group (4-107) access-list mac mask-precedence This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list ip mask-precedence {in | out} • in – Ingress mask for ingress ACLs. • out – Egress mask for egress ACLs.
Access Control List Commands 4 mask (MAC ACL) This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask. Syntax [no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask]] • pktformat – Check the packet format field. (If this keyword must be used in the mask, the packet format must be specified in ACL rule to match.
4 Command Line Interface Example This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules have been changed by the mask.
4 Access Control List Commands show access-list mac mask-precedence This command shows the ingress or egress rule masks for MAC ACLs. Syntax show access-list mac mask-precedence [in | out] • in – Ingress mask precedence for ingress ACLs. • out – Egress mask precedence for egress ACLs.
4 Command Line Interface Related Commands show mac access-list (4-103) show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 out Console# Related Commands mac access-group (4-107) map access-list mac This command sets the output queue for packets matching an ACL rule.
4 Access Control List Commands Example Console(config)#int eth 1/5 Console(config-if)#map access-list mac M5 cos 0 Console(config-if)# Related Commands queue cos-map (4-193) show map access-list mac (4-109) show map access-list mac This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list mac [interface] interface • ethernet unit/port - unit - This is device 1.
4 Command Line Interface match access-list mac This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker. Syntax match access-list mac acl_name set priority priority no match access-list mac acl_name • acl_name – Name of the ACL. (Maximum length: 16 characters) • priority – Class of Service value in the IEEE 802.1p priority tag.
4 Access Control List Commands ACL Information Table 4-38 ACL Information Commands Command Function Mode Page show access-list Show all ACLs and associated rules PE 4-111 show access-group Shows the ACLs assigned to each port PE 4-111 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks. Command Mode Privileged Exec Command Usage Once the ACL is bound to an interface (i.e.
4 Command Line Interface SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
SNMP Commands 4 Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information.
4 Command Line Interface Related Commands snmp-server contact (4-113) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr community-string [version {1 | 2c}] no snmp-server host host-addr • host-addr - Internet address of the host (the targeted recipient).
SNMP Commands 4 Related Commands snmp-server enable traps (4-115) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps (SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] • authentication - Keyword to issue authentication failure traps. • link-up-down - Keyword to issue link-up or link-down traps. Default Setting Issue authentication and link-up-down traps.
4 Command Line Interface Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command. Example Console#show snmp System Contact: Paul System Location: WC-19 SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. alpha, and the privilege is read-write 2. private, and the privilege is read-write 3.
DNS Commands 4 DNS Commands These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
4 Command Line Interface Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device. Example This example maps two address to a host name. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#end Console#show hosts Hostname rd5 Inet address 192.168.1.55 10.1.
DNS Commands 4 Default Setting None Command Mode Global Configuration Example Console(config)#ip domain-name sample.com Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: sample.com Domain Name List: Name Server List: Console# Related Commands ip domain-list (4-119) ip name-server (4-120) ip domain-lookup (4-121) ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e.
4 Command Line Interface Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.
4 DNS Commands Example This example adds two domain-name servers to the list and then displays the list. Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (4-118) ip domain-lookup (4-121) ip domain-lookup This command enables DNS host name-to-address translation.
4 Command Line Interface Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (4-118) ip name-server (4-120) show hosts This command displays the static host name-to-address mapping table.
4 DNS Commands show dns This command displays the configuration of the DNS server. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache.
4 Command Line Interface clear dns cache This command clears all entries in the DNS cache.
Interface Commands 4 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
4 Command Line Interface Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
4 Interface Commands Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
4 Command Line Interface • If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example The following example configures port 11 to use autonegotiation. Console(config)#interface ethernet 1/11 Console(config-if)#negotiation Console(config-if)# Related Commands capabilities (4-128) speed-duplex (4-126) capabilities This command advertises the port capabilities of a given interface during autonegotiation.
Interface Commands 4 Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (4-127) speed-duplex (4-126) flowcontrol (4-129) flowcontrol This command enables flow control. Use the no form to disable flow control.
4 Command Line Interface Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-127) capabilities (flowcontrol, symmetric) (4-128) combo-forced-mode This command forces the port type selected for combination ports 21-24. Use the no form to restore the default mode.
4 Interface Commands Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also want to disable a port for security reasons. Example The following example disables port 5.
4 Command Line Interface Example The following shows how to configure broadcast storm control at 600 packets per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600 Console(config-if)# clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - This is device 1. - port - Port number.
4 Interface Commands show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) • vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
4 Command Line Interface show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
4 Interface Commands show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) Default Setting Shows all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
4 Command Line Interface Table 4-43 interfaces switchport - display description Field Description Ingress rule Shows if ingress filtering is enabled or disabled (page 4-176). Acceptable frame type Shows if acceptable VLAN frames include all types or tagged frames only (page 4-176). Native VLAN Indicates the default Port VLAN ID (page 4-177). Priority for untagged traffic Indicates the default priority for untagged frames (page 4-190).
Mirror Port Commands 4 Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner. • The destination port is set by specifying an Ethernet interface. • The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port.
4 Command Line Interface Example The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------Destination port(listen port):Eth1/11 Source port(monitored port) :Eth1/6 Mode :RX/TX Console# Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an
Link Aggregation Commands 4 Example Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 600 Console(config-if)# Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
4 Command Line Interface • All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel. • STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel. Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. • Ports must have the same port admin key (Ethernet Interface).
Link Aggregation Commands 4 lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
4 Command Line Interface Current status: Created by: lacp Link status: Up Operation speed-duplex: 1000full Flow control type: None Member Ports: Eth1/11, Eth1/12, Eth1/13, Console# lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side an aggregate link. • partner - The remote side of an aggregate link.
4 Link Aggregation Commands lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key • actor - The local side an aggregate link. • partner - The remote side of an aggregate link. • key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
4 Command Line Interface lacp admin-key (Port Channel) This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax lacp admin-key key [no] lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
Link Aggregation Commands 4 Command Mode Interface Configuration (Ethernet) Command Usage • Setting a lower value indicates a higher effective priority. • If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
4 Command Line Interface Example Console#show lacp 1 counters Port Channel : 1 ------------------------------------------------------------------------Eth 1/ 1 ------------------------------------------------------------------------LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 . . .
Link Aggregation Commands 4 Console#show lacp 1 internal Port Channel : 1 ------------------------------------------------------------------------Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key : 4 Oper Key : 4 Admin State : defaulted, aggregation, long timeout, LACP-activity Oper State : distributing, collecting, synchronization, aggregation, long timeout,
4 Command Line Interface Console#show lacp 1 neighbors Port Channel 1 neighbors ------------------------------------------------------------------------Eth 1/1 ------------------------------------------------------------------------Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0 Oper Key : 4 Admin State : defaulted, distributin
Address Table Commands 4 Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------1 32768 00-30-F1-8F-2C-A7 2 32768 00-30-F1-8F-2C-A7 3 32768 00-30-F1-8F-2C-A7 4 32768 00-30-F1-8F-2C-A7 5 32768 00-30-F1-8F-2C-A7 6 32768 00-30-F1-8F-2C-A7 Console# Table 4-50 show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch.
4 Command Line Interface mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id • mac-address - MAC address. • interface • ethernet unit/port - unit - This is device 1. - port - Port number.
4 Address Table Commands clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic Console# show mac-address-table This command shows classes of entries in the bridge-forwarding database.
4 Command Line Interface means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface Mac Address Vlan Type --------- ----------------- ---- ----------------Eth 1/ 1 00-e0-29-94-34-de 1 Delete-on-reset Console# mac-address-table aging-time This command sets the aging time for entries in the address table.
Spanning Tree Commands 4 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
4 Command Line Interface spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
4 Spanning Tree Commands Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
4 Command Line Interface Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Spanning Tree Commands 4 spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
4 Command Line Interface Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Spanning Tree Commands 4 spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs.
4 Command Line Interface mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • vlan-range - Range of VLANs. (Range: 1-4094) Default Setting none Command Mode MST Configuration Command Usage • Use this command to group VLANs into spanning tree instances.
Spanning Tree Commands 4 mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • priority - Priority of the a spanning tree instance.
4 Command Line Interface Command Usage The MST region name and revision number (page 4-162) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Spanning Tree Commands 4 max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting 20 Command Mode MST Configuration Command Usage A MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside a MSTI region is never changed.
4 Command Line Interface spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port.
Spanning Tree Commands 4 Default Setting 128 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree. • Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
4 Command Line Interface Example Console(config)#interface ethernet ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)# Related Commands spanning-tree portfast (4-166) spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding.
Spanning Tree Commands 4 spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type • auto - Automatically derived from the duplex mode setting. • point-to-point - Point-to-point link. • shared - Shared medium.
4 Command Line Interface Default Setting • Ethernet – half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000 • Fast Ethernet – half duplex: 200,000; full duplex: 100,000; trunk: 50,000 • Gigabit Ethernet – full duplex: 10,000; trunk: 5,000 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices.
4 Spanning Tree Commands interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree. • Where more than one interface is assigned the highest priority, the interface with lowest numeric identifier will be enabled.
4 Command Line Interface show spanning-tree This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance_id] • interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) • instance_id - Instance identifier of the multiple spanning tree.
Spanning Tree Commands 4 Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance :0 Vlans configuration :1-4094 Priority :32768 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20 Bridge Forward Delay (sec.) :15 Root Hello Time (sec.) :2 Root Max Age (sec.) :20 Root Forward Delay (sec.) :15 Max hops :20 Remaining hops :20 Designated Root :32768.0.
4 Command Line Interface Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------Configuration name:00 00 a3 42 00 80 Revision level:0 Instance Vlans -------------------------------------------------------------0 1-4094 Console# VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
4 VLAN Commands Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
4 Command Line Interface • no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch. Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
VLAN Commands 4 Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-130) switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default.
4 Command Line Interface switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. • tagged - The port only receives tagged frames.
4 VLAN Commands Command Usage • Ingress filtering only affects tagged frames. • If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port). • If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
4 Command Line Interface Example The following example shows how to set the PVID for port 1 to VLAN 3: Console(config)#interface ethernet 1/1 Console(config-if)#switchport native vlan 3 Console(config-if)# switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add.
VLAN Commands 4 Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged Console(config-if)# switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
4 Command Line Interface Displaying VLAN Information Table 4-56 Show VLAN Commands Command Function Mode show vlan Shows VLAN information NE, PE Page show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-133 show interfaces switchport Displays the administrative and operational status of an interface NE, PE 4-135 4-180 show vlan This command shows VLAN information. Syntax show vlan [id vlan-id | name vlan-name] • id - Keyword to be followed by the VLAN ID.
4 VLAN Commands Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VlANs. Table 4-57 Private VLAN Commands Command Function Mode Page pvlan Enables and configured private VLANS GC 4-181 show pvlan Displays the configured private VLANS PE 4-182 pvlan This command enables or configures a private VLAN. Use the no form to disable the private VLAN.
4 Command Line Interface show pvlan This command displays the configured private VLAN. Command Mode Privileged Exec Example Console#show pvlan Private VLAN status: Enabled Up-link port: Ethernet 1/24 Down-link port: Ethernet 1/1 Ethernet 1/2 Ethernet 1/3 Ethernet 1/4 Console# Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
4 VLAN Commands protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or to add specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame_type frame protocol-type protocol] no protocol-vlan protocol-group group-id • group-id - Group identifier of this protocol group. (Range: 1-2147483647) • frame - Frame type used by this protocol.
4 Command Line Interface Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-173), these interfaces will admit traffic of any protocol type into the associated VLAN.
4 VLAN Commands show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) Default Setting The mapping for all interfaces is displayed.
4 Command Line Interface GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
GVRP and Bridge Extension Commands 4 show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-114 and “Displaying Bridge Extension Capabilities” on page 3-11 for a description of the displayed items.
4 Command Line Interface show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) Default Setting Shows both global and interface-specific configuration.
GVRP and Bridge Extension Commands 4 Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration/deregistration. • Timer values are applied to GVRP for all the ports on all VLANs.
4 Command Line Interface Related Commands garp timer (4-188) Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Priority Commands 4 queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode • strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.
4 Command Line Interface switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority. Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero.
4 Priority Commands queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight8 no queue bandwidth weight1...weight8 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler. (Range: 1 - 15) Default Setting Weights 1, 2, 4, 6, 8, 10, 12, 14 are assigned to queues 0 - 7 respectively.
4 Command Line Interface Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
4 Priority Commands Example Console#show queue mode Queue mode: strict Console# show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues. Default Setting None Command Mode Privileged Exec Example Console#show queue bandwidth Information of Eth 1/1 Queue ID Weight -------- -----0 1 1 2 2 4 3 6 4 8 5 10 6 12 7 14 . . . Console# show queue cos-map This command shows the class of service priority map.
4 Command Line Interface Example Console#show queue Information of Eth CoS Value : 0 Priority Queue: 0 Console# cos-map ethernet 1/1 1/1 1 2 3 4 5 6 7 1 2 3 4 5 6 7 Priority Commands (Layer 3 and 4) Table 4-63 Priority Commands (Layer 3 and 4) Command Function Mode map ip port Enables TCP class of service mapping GC Page 4-196 map ip port Maps TCP socket to a class of service IC 4-197 map ip precedence Enables IP precedence class of service mapping GC 4-197 map ip precedence Maps IP prec
4 Priority Commands Example The following example shows how to enable TCP/UDP port mapping globally: Console(config)#map ip port Console(config)# map ip port (Interface Configuration) This command enables IP port mapping (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port number cos cos-value no map ip port port-number • port-number - 16-bit TCP/UDP port number.(Range 1-65535) • cos-value - Class-of-Service value.
4 Command Line Interface Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type. Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e.
Priority Commands 4 map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence and IP DSCP cannot both be enabled.
4 Command Line Interface Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.
Priority Commands 4 Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port ethernet 1/5 TCP port mapping status: enabled Port Port no. COS --------- ---------- --Eth 1/ 5 80 0 Console# Related Commands map ip port (Global Configuration) (4-196) map ip port (Interface Configuration) (4-197) show map ip precedence This command shows the IP precedence priority map.
4 Command Line Interface Example Console#show map ip precedence ethernet 1/5 Precedence mapping status: disabled Port Precedence COS --------- ---------- --Eth 1/ 5 0 0 Eth 1/ 5 1 1 Eth 1/ 5 2 2 Eth 1/ 5 3 3 Eth 1/ 5 4 4 Eth 1/ 5 5 5 Eth 1/ 5 6 6 Eth 1/ 5 7 7 Console# Related Commands map ip port (Global Configuration) (4-196) map ip precedence (Interface Configuration) (4-198) show map ip dscp This command shows the IP DSCP priority map.
Multicast Filtering Commands 4 Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --Eth 1/ 1 0 0 Eth 1/ 1 1 0 Eth 1/ 1 2 0 Eth 1/ 1 3 0 . . .
4 Command Line Interface IGMP Snooping Commands Table 4-67 IGMP Snooping Commands Command Function Mode ip igmp snooping Enables IGMP snooping GC Page 4-204 ip igmp snooping vlan static Adds an interface as a member of a multicast group GC 4-204 ip igmp snooping version Configures the IGMP version for snooping GC 4-205 show ip igmp snooping Shows the IGMP snooping and query configuration PE 4-205 show mac-address-table multicast Shows the IGMP snooping MAC multicast list PE 4-206 ip
4 Multicast Filtering Commands Command Mode Global Configuration Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
4 Command Line Interface Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-141 for a description of the displayed items.
Multicast Filtering Commands 4 IGMP Query Commands (Layer 2) Table 4-68 IGMP Query Commands (Layer 2) Command Function ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC Mode Page 4-207 ip igmp snooping query-count Configures the query count GC 4-207 ip igmp snooping query-interval Configures the query interval GC 4-208 ip igmp snooping query-max-response-time Configures the report delay GC 4-209 ip igmp snooping router-port-expire-time Configures the
4 Command Line Interface Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-maxresponse-time.
4 Multicast Filtering Commands ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default. Syntax ip igmp snooping query-max-response-time seconds no ip igmp snooping query-max-response-time seconds - The report delay advertised in IGMP queries. (Range: 5- 25) Default Setting 10 seconds Command Mode Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect.
4 Command Line Interface Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect.
Multicast Filtering Commands 4 Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
4 Command Line Interface IP Interface Commands An IP addresses may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to a establish a default gateway between this device and management stations or other devices that exist on another network segment.
4 IP Interface Commands • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask). • You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch.
4 Command Line Interface ip default-gateway This command establishes a static route between this switch and management stations that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No static route is established. Command Mode Global Configuration Command Usage A gateway must be defined if the management station is located in a different IP segment.
4 IP Interface Commands show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects ip default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-214) ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [size size] [count count] • host - IP address or IP alias of the host. • size - Number of bytes in a packet.
4 Command Line Interface Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 0 ms Ping statistics for 10.1.0.
Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security Access Control Lists IP, MAC (up to 32 lists) DHCP Client DNS Server Port Configuration 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/LH: 1000 Mbps, full duplex Flow Control Full Duplex: IEEE 802.
A Software Specifications Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1, 2, 3, 9) SMTP Email Alerts Management Features In-Band Management Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 DB-9 console port Software Loading TFTP in-band or XModem out-of-band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1, 2, 3, 9 (Statistic
Management Information Bases A RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 1907) SNTP (RFC 2030) SSH (Version 2.
A A-4 Software Specifications
Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, • Be sure the switch is powered up. web browser, or SNMP • Check network cabling between the management station and the switch. software • Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
B Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Designate the SNMP host that is to receive the error messages. 4. Repeat the sequence of commands or other actions that lead up to the error. 5.
Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.
Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
Glossary IEEE 802.3x Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links. IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
Glossary Management Information Base (MIB) An acronym for Management Information Base. It is a set of database objects that contains information about a specific device. Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network.
Glossary Rapid Spanning Tree Protocol (RSTP) RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard. Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Mail Transfer Protocol (SMTP) A standard host-to-host mail transport protocol that operates over TCP, port 25.
Glossary User Datagram Protocol (UDP) UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
Index Numerics 802.
Index HTTPS 3-34, 4-31 HTTPS, secure server 3-34, 4-31 I IEEE 802.1D 3-91, 4-154 IEEE 802.1s 4-154 IEEE 802.1w 3-91, 4-154 IEEE 802.
Index R RADIUS, logon authentication 3-31, 4-71 rate limits, setting 3-83, 4-138 restarting the system 3-25, 4-22 RSTP 3-91, 4-154 global configuration 3-92, 4-154 static addresses, setting 3-88, 4-150 statistics, port 3-84, 4-134 STP 3-96, 4-154 STP Also see STA system clock, setting 3-26, 4-52 system software, downloading from server 3-16, 4-63 T S Secure Shell 3-36, 4-34 configuration 3-36, 4-37 Secure Shell configuration 4-37 serial port configuring 4-11 Simple Network Management Protocol See SNMP SN
Index Index-4
P/N: 90000441 REV.
