MANAGEMENT GUIDE
SMC8126PL2-F TigerSwitch™ 10/100/1000 L2-Lite SMB PoE Gigabit Switch

TigerSwitch 10/100/1000 Management Guide
From SMC’s Tiger line of feature-rich workgroup LAN solutions
20 Mason, Irvine, CA 92618. Phone: (949) 679-8000. August 2009. Pub.
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice. Copyright © 2009 by SMC Networks, Inc. 20 Mason Irvine, CA 92618 All rights reserved.
About This Guide

Purpose – This guide gives specific information on how to operate and use the management functions of the switch.

Audience – The guide is intended for network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
Contents

Chapter 1: Introduction (1-1)
• Key Features (1-1); Description of Software Features (1-2); System Defaults (1-6)

Chapter 2: Initial Configuration
• Connecting to the Switch: Configuration Options; Required Connections; Remote Connections
• Basic Configuration: Console Connection; Setting Passwords; Setting an IP Address (Manual Configuration, Dynamic Configuration); Enabling SNMP Management Access (Community Strings (for SNMP version 1 and 2c clients), Trap Receivers, Configuring Access for SNMP Version 3 Clients); Managing System Files

Chapter 3: Configuring the Switch
• Saving or Restoring Configuration Settings; Downloading Configuration Settings from a Server; Console Port Settings; Telnet Settings; Configuring Event Logging (System Log Configuration, Remote Log Configuration, Displaying Log Messages); Simple Mail Transfer Protocol; Renumbering the System; Resetting the System; Setting the System Clock (Setting the Time Manually, Configuring SNTP, Setting the Time Zone); Simple Network Management Protocol (Enabling the SNMP Agent, Setting Community Access Strings, Specifying Trap M…)
• Generating the Host Key Pair; Configuring the SSH Server; Configuring 802.1X Port Authentication (Displaying 802.1X Global Settings, Configuring 802.1X Global Settings, Configuring Port Settings for 802.1X, Displaying 802.…)
• Setting a Switch Power Budget; Displaying Port Power Status; Configuring Port PoE Power; Address Table Settings (Setting Static Addresses, Displaying the Address Table, Changing the Aging Time); Spanning Tree Algorithm Configuration (Displaying Global Settings for STA, Configuring Global Settings for STA, Displaying Interface Settings for STA, Configuring Interface Settings for STA, Configuring Multiple Spanning Trees, Displaying Interface Settings for MSTP, Configuring Interface Settings for MSTP); VLAN Configurat…
• Quality of Service (Configuring Quality of Service Parameters, Configuring a Class Map, Creating QoS Policies, Attaching a Policy Map to Ingress Queues); Multicast Filtering (Layer 2 IGMP (Snooping and Query), Configuring IGMP Snooping and Query Parameters, Enabling IGMP Immediate Leave, Displaying Interfaces Attached to a Multicast Router, Specifying Static Interfaces for a Multicast Router, Displaying Port Members of Multicast Services, Assigning Ports to Multicast Services, IGMP Filtering and Throttling, Enabl…)

Chapter 4: Command Line Interface
• Partial Keyword Lookup; Negating the Effect of Commands; Using Command History; Understanding Command Modes (Exec Commands, Configuration Commands); Command Line Processing; Command Groups
• General Commands: enable, disable, configure, show history, reload, prompt, end, exit, quit
• System Management Commands: Device Designation Commands (hostname); System Status Commands (show startup-config, show running-config, show system, show users, show version); Frame Size Commands (jumbo frame); File Management Commands (copy, delete, dir, whi…)
• … speed, stopbits, disconnect, show line
• Event Logging Commands: logging on, logging history, logging host, logging facility, logging trap, clear log, show logging, show log
• SMTP Alert Commands: logging sendmail host, logging sendmail level, logging sendmail source-email, logging sendmail destination-email, logging sendmail, show logging sendmail
• Time Commands: sntp client, sntp server, sntp poll, show sntp, clock timezone, calendar set, show calendar
• Switch Cluster Commands: cluster, cluster commander, cluster ip-pool, cluster…
• … snmp-server engine-id, show snmp engine-id, snmp-server view, show snmp view, snmp-server group, show snmp group, snmp-server user, show snmp user
• Authentication Commands: User Account and Privilege Level Commands (username, enable password, privilege, privilege rerun, show privilege); Authentication Sequence (authentication login, authentication enable); RADIUS Client (radius-server host, radius-server port, radius-server key, radius-server retransmit, radius-server timeout, show radius-server); TACACS+ Client (tacacs-server…)
• Web Server Commands: ip http port, ip http server, ip http secure-server, ip http secure-port
• Telnet Server Commands: ip telnet server
• Secure Shell Commands: ip ssh server, ip ssh timeout, ip ssh authentication-retries, ip ssh server-key size, delete public-key, ip ssh crypto host-key generate, ip ssh crypto zeroize, ip ssh save host-key, show ip ssh, show ssh, show public-key
• 802.…
• … show network-access mac-address-table
• DHCP Snooping Commands: ip dhcp snooping, ip dhcp snooping vlan, ip dhcp snooping trust, ip dhcp snooping verify mac-address, ip dhcp snooping information option, ip dhcp snooping information policy, show ip dhcp snooping, show ip dhcp snooping binding
• IP Source Guard Commands: ip source-guard, ip source-guard binding, show ip source-guard, show ip source-guard binding
• Access Control List Commands: IP ACLs (access-list ip; permit, deny (Standard ACL); permit, deny (Extended AC…)
• … show interfaces switchport
• Link Aggregation Commands: channel-group, lacp, lacp system-priority, lacp admin-key (Ethernet Interface), lacp admin-key (Port Channel), lacp port-priority, show lacp
• Mirror Port Commands: port monitor, show port monitor
• RSPAN Mirroring Commands: rspan source, rspan destination, rspan remote vlan, no rspan session, show rspan
• Rate Limit Commands: rate-limit
• Power over Ethernet Commands: power mainpower maximum allocation, power inline compatible, power inline, power inline maximum allocati…
• … mst priority, name, revision, max-hops, spanning-tree, spanning-disabled, spanning-tree cost, spanning-tree port-priority, spanning-tree edge-port, spanning-tree portfast, spanning-tree link-type, spanning-tree mst cost, spanning-tree mst port-priority, spanning-tree protocol-migration, show spanning-tree, show spanning-tree mst configuration
• VLAN Commands: GVRP and Bridge Extension Commands (bridge-ext gvrp, show bridge-ext, switchport gvrp, show gvrp configuration, garp timer, show garp timer); Editing VLAN Groups (vlan…)
• Configuring Private VLANs: private-vlan, private vlan association, switchport mode private-vlan, switchport private-vlan host-association, switchport private-vlan mapping, show vlan private-vlan
• Configuring Protocol-based VLANs: protocol-vlan protocol-group (Configuring Groups), protocol-vlan protocol-group (Configuring Interfaces), show protocol-vlan protocol-group, show interfaces protocol-vlan protocol-group
• Class of Service Commands: Priority Commands (Layer 2) (queue mode, switchport priority default, queue…)
• IGMP Snooping Commands: ip igmp snooping, ip igmp snooping vlan static, ip igmp snooping version, ip igmp snooping leave-proxy, ip igmp snooping immediate-leave, show ip igmp snooping, show mac-address-table multicast
• IGMP Query Commands (Layer 2): ip igmp snooping querier, ip igmp snooping query-count, ip igmp snooping query-interval, ip igmp snooping query-max-response-time, ip igmp snooping router-port-expire-time
• Static Multicast Routing Commands: ip igmp snooping vlan mrouter, show ip igmp snooping mrouter
• … ip default-gateway (4-298), ip dhcp restart (4-299), show ip interface (4-299), show ip redirects (4-300), ping (4-300)

Appendix A: Software Specifications (A-1)
• Software Features (A-1); Management Features (A-2); Standards (A-2); Management Information Bases (A-3)

Appendix B: Troubleshooting (B-1)
• Problems Accessing the Management Interface (B-1); Using System Logs (B-2)

Glossary

Index
Tables (list of tables; only these titles survive in this copy): Table 1-1 Key Features; Table 1-2 System Defaults; Table 3-1 Configuration Options; Table 3-2 Main Menu; Priority Commands; Priority Commands (Layer 2); Default CoS Values to Egress Queues; Priority Commands (Layer 3 and 4); IP DSCP to CoS Values; Quality of Service Commands; Multicast Filtering Commands; IGMP Snooping Commands; IGMP Query Commands (Layer 2); Static Multicast Routing Commands; IGMP Filtering and Throttling Commands.

Figures (list of figures; only these titles survive in this copy): Home Page; Figure 3-133 MVR Port Configuration (3-229); Figure 3-134 MVR Group Member Configuration (3-230); Figure 3-135 DNS General Configuration (3-232); Figure 3-136 DNS Static Host Table (3-234); Figure 3-137 DNS Cache (3-235); Figure 3-138 Cluster Member Choice (3-236); Figure 3-139 Cluster Configuration (3-237); Figure 3-140 Cluster Member Configuration (3-238); Figure 3-141 Cluster Member Information (3-239); Figure 3-142 Cluster Candidate Information (3-240).
Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

Table 1-1 Key Features (continued)
Virtual LANs – Up to 256 using IEEE 802.

Description of Software Features

Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded.

… (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 4 Mbits for frame buffering. This buffer can queue packets awaiting transmission on congested networks.

Spanning Tree Algorithm – The switch supports these spanning tree protocols: Spanning Tree Protocol (STP, IEEE 802.

Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data.

System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-22). The following table lists some of the basic system defaults.

Table 1-2 System Defaults (continued)
SNMP – SNMP Agent: Enabled; Community Strings: “public” (read only), “private” (read/write); Traps: Authentication traps enabled, Link-up-down events enabled; SNMP V3: View “default view”, Group public (read only) / private (read/write)
Port Configuration – Admin Status: Enabled; Auto-negotiation: Enabled; Flow Control: Disabled
Rate Limiting – Input and output limits: Disabled
Port Trunking – Static Trunks: None
Broadcast…
IP Settings – IP Address: DHCP assigned; Subnet Mask: 255.255.255.0; Default Gateway: 0.0.0.
Multicast Filtering…
System Log…
Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options – The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this address, see "Setting an IP Address" on page 2-4.

• Configure up to 32 static or LACP trunks
• Enable port mirroring
• Set broadcast, multicast or unknown unicast storm control on any port
• Display system information and statistics

Required Connections – The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program, to the switch.

Remote Connections – Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see "Setting an IP Address" on page 2-4.

Note: This switch supports four concurrent Telnet/SSH sessions.

Setting Passwords

Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.

Setting an IP Address

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network

To assign an IP address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.

4. If network connections are normally slow, type “ip dhcp restart” to re-start broadcasting service requests. Press Enter.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
The default strings are:
• public – read-only access. Authorized management stations are only able to retrieve MIB objects.
• private – read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps:
1.

Configuring Access for SNMP Version 3 Clients

To configure management access for SNMPv3 clients, you first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to that group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
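As an added example (not from the guide), the following Python script audits a saved running-config for the points made above: it flags the factory “public”/“private” community strings, any read-write community reachable by SNMPv1/v2c clients, and whether SNMPv3 views, groups and users exist at all. The exact config line syntax it parses (snmp-server community/view/group/user, in the form shown in the comments) and both sample configs are assumptions constructed for this example.

```python
"""Audit a switch running-config for SNMP v1/v2c default community strings
and check whether SNMPv3 views, groups and users are present.

Assumed (not taken from the guide) config line syntax:
  snmp-server community <string> [ro|rw]
  snmp-server view <name> <oid-subtree> included|excluded
  snmp-server group <name> v3 <security-level> ...
  snmp-server user <name> <group> v3 ...
"""
import re
from dataclasses import dataclass, field

# Factory defaults named in the guide: "public" (read only), "private" (read/write).
DEFAULT_COMMUNITIES = {"public": "ro", "private": "rw"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(ro|rw))?\s*$", re.I)
VIEW_RE = re.compile(r"^snmp-server view (\S+)\s", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+)\s+v3\b", re.I)
USER_RE = re.compile(r"^snmp-server user (\S+)\s+(\S+)\s+v3\b", re.I)


@dataclass
class SnmpAudit:
    communities: dict = field(default_factory=dict)  # community string -> "ro"/"rw"
    v3_views: set = field(default_factory=set)
    v3_groups: set = field(default_factory=set)
    v3_users: dict = field(default_factory=dict)     # user name -> group name
    findings: list = field(default_factory=list)


def audit_config(config_text: str) -> SnmpAudit:
    """Parse the config text and return the SNMP settings plus a list of findings."""
    audit = SnmpAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # skip blanks and comment lines
            continue
        if m := COMMUNITY_RE.match(line):
            # A community with no access keyword is treated as read-only (assumption).
            audit.communities[m.group(1)] = (m.group(2) or "ro").lower()
        elif m := VIEW_RE.match(line):
            audit.v3_views.add(m.group(1))
        elif m := GROUP_RE.match(line):
            audit.v3_groups.add(m.group(1))
        elif m := USER_RE.match(line):
            audit.v3_users[m.group(1)] = m.group(2)

    for name, access in audit.communities.items():
        if name in DEFAULT_COMMUNITIES:
            audit.findings.append(
                f"default community string '{name}' ({access}) is still configured")
        if access == "rw":
            audit.findings.append(
                f"read-write community '{name}' lets SNMPv1/v2c clients modify MIB objects")
    if audit.communities and not audit.v3_users:
        audit.findings.append("no SNMPv3 users: all SNMP access relies on community strings")
    for user, group in audit.v3_users.items():
        if group not in audit.v3_groups:
            audit.findings.append(f"SNMPv3 user '{user}' references undefined group '{group}'")
    return audit


# Constructed sample: the factory defaults left in place.
FACTORY_CONFIG = """!
snmp-server community public ro
snmp-server community private rw
!"""

# Constructed sample: defaults replaced, v3 views/group/user as the guide describes
# (MIB-2 subtree 1.3.6.1.2.1, dot1dBridge subtree 1.3.6.1.2.1.17). Passphrases are placeholders.
HARDENED_CONFIG = """!
snmp-server community n3t-m0n-r0 ro
snmp-server view mib-2 1.3.6.1.2.1 included
snmp-server view 802.1d 1.3.6.1.2.1.17 included
snmp-server group r&d v3 priv read mib-2 write 802.1d
snmp-server user steve r&d v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv des56 PRIV-PASSPHRASE-PLACEHOLDER
!"""


if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"[{label}] communities={result.communities} v3_users={result.v3_users}")
        for finding in result.findings or ["no findings"]:
            print("  -", finding)
```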
Managing System Files

Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 16 Mbytes of flash memory for system files. In the system flash memory, one file of each type must be set as the start-up file.
Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page – When your web browser connects with the switch’s web agent, the home page is displayed as shown below.

Configuration Options – Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3-1 Configuration Options
Revert – Cancels specified values and restores current values prior to pressing Apply.
Apply – Sets specified values to the system.

Main Menu – Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.

Table 3-2 Main Menu (continued)
SNMPv3
  Engine ID – Sets the SNMP v3 engine ID on this switch (page 3-43)
  Remote Engine ID – Sets the SNMP v3 engine ID for a remote device (3-44)
  Users – Configures SNMP v3 users on this switch (3-45)
  Remote Users – Configures SNMP v3 users from a remote device (3-47)
  Groups – Configures SNMP v3 groups (3-49)
  Views – Configures SNMP v3 views (3-52)
Security (3-54)
  User Accounts – Assigns a new password for the current u…
802.…
  Power Config – Configures the power budget for the switch (3-136)
  Power Port Status – Displays the status of port power parameters (3-136)
  Power Port Config – Configures port power parameters (3-137)
Address Table (3-139)
  Static Addresses – Displays entries for interface, address or VLAN (3-139)
  Dynamic Addresses – Displays or edits static entries in the Address Table (3-140)
  Address Aging – Sets timeout for dynamical…
  Trunk Configuration – Specifies default trunk VID and VLAN attributes (3-176)
  Tunnel Port Configuration – Adds ports to a QinQ tunnel (3-182)
  Tunnel Trunk Configuration – Adds trunks to a QinQ tunnel (3-182)
Private VLAN (3-184)
  Status – Enables or disables the private VLAN (3-184)
  Link Status – Configures the private VLAN (3-185)
Protocol VLAN (3-185)
  Configuration – Configures protocol VLANs (3-186)
  Port Configuration – Configures p…
  IGMP Immediate Leave – Enables the immediate leave function (3-212)
  Multicast Router Port Information – Displays the ports that are attached to a neighboring multicast router for each VLAN ID (3-214)
  Static Multicast Router Port Configuration – Assigns ports that are attached to a neighboring multicast router (3-215)
  IP Multicast Registration Table – Displays all multicast groups active on this switch, including mu…
  Binding Information – Displays the DHCP Snooping binding information (3-106)
IP Source Guard (3-107)
  Port Configuration – Enables IP source guard and selects filter type per port (3-107)
  Static Configuration – Adds a static address to the source-guard binding table (3-109)
  Dynamic Information – Displays the source-guard binding table for a selected interface (3-111)
Cluster (3-236)
  Configuration – Globally enables clustering for the…
Basic Configuration

This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system.

Displaying System Information – You can easily identify the system by displaying the device name, location and contact information.

Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.

Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3 System Information

CLI – Specify the hostname, location and contact information.

Displaying Switch Hardware/Software Versions – Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Field Attributes
Main Board
• Serial Number – The serial number of the switch.
• Number of Ports – Number of built-in RJ-45 ports.
• Hardware Version – Hardware version of the main board.
• Internal Power Status – Displays the status of the internal power supply.

CLI – Use the following command to display version information.

    Console#show version
    Unit 1
     Serial Number:          MWOR0AA134A0009
     Hardware Version:       R01
     EPLD Version:           0.00
     Number of Ports:        26
     Main Power Status:      Up
     Redundant Power Status: Not present
    Agent (Master)
     Unit ID:                1
     Loader Version:         1.0.0.2
     Boot ROM Version:       1.0.0.2
     Operation Code Version: 1.0.0.
Displaying Bridge Extension Capabilities – The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.

Field Attributes
• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).

CLI – Enter the following command (see page 4-217).

    Console#show bridge-ext
     Max support VLAN numbers:              256
     Max support VLAN ID:                   4094
     Extended multicast filtering services: No
     Static entry individual port:          Yes
     VLAN learning:                         IVL
     Configurable PVID tagging:             Yes
     Local VLAN capable:                    No
     Traffic classes:                       Enabled
     Global GVRP status:                    Disabled
     GMRP:                                  Disabled
    Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access over the network.

Manual Configuration – Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.

Figure 3-6 Manual IP Configuration

CLI – Specify the management interface, IP address and default gateway.

    Console#config
    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.1 255.255.255.

Using DHCP/BOOTP – If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.

Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.

Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface.
Managing Firmware – … Just specify the method of file transfer, along with the file type and file names as required. By saving run-time code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. Only two copies of the system software (i.e., the run-time firmware) can be stored in the file directory on the switch.

Web – Click System, File Management, Copy Operation. Select “tftp to file” as the file transfer method, enter the IP address of the TFTP server, set the file type to “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System/Reset menu.

CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch. To start the new firmware, enter the “reload” command or reboot the system.

    Console#copy tftp file
    TFTP server ip address: 192.168.1.23
    Choose file type:
     1. config: 2.

Downloading Configuration Settings from a Server – You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File, Copy Operation.

CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.

    Console#copy tftp startup-config
    TFTP server ip address: 192.168.1.23
    Source configuration file name: config-1
    Startup configuration file name [] : startup
    \Write to FLASH Programming.
    -Write to FLASH finish.
    Success.
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400 baud; Default: 9600)
• Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
• Password¹ – Specifies a password for the line connection.

CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.

• Password² – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
• Login² – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts.
Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and displays a list of recent event messages.

System Log Configuration – The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.

Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.

Figure 3-16 System Logs

CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-17 Remote Logs

CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.

    Console(config)#logging host 192.168.1.

Displaying Log Messages – The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.

Web – Click System, Log, Logs.

Figure 3-18 Displaying Logs

CLI – This example shows the event messages stored in RAM.

    Console#show log ram
    [1] 00:00:27 2001-01-01
       "VLAN 1 link-up notification.
• SMTP Server – Specifies a new SMTP server address to add to the SMTP Server List.
• Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.
• Email Destination Address – This command specifies SMTP servers that may receive alert messages.
Web – Click System, Log, SMTP.
CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.
Console(config)#logging sendmail host 192.168.1.
CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch.
Console#reload
System will be restarted, continue ? y
When restarting the system, it will always run the Power-On Self-Test.
[SMTP CLI example, fragmentary in this copy: Console(config)#logging ... bill@this-company.com, ted@this-company.com; Console# sendmail host 192.168.1.]
Setting the System Clock
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See "calendar set" on page 4-55.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.
Figure 3-22 SNTP Configuration
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.
Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to UTC, and click Apply.
Figure 3-23 Setting the System Clock
CLI – This example shows how to set the time zone for the system clock.
Console(config)#clock timezone Atlantic hours 4 minute 0 before-UTC
Console(config)#
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network.
Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined: SNMPv1, SNMPv2c, and SNMPv3.
Enabling the SNMP Agent
Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).
Command Attributes
SNMP Agent Status – Enables SNMP on the switch.
Web – Click SNMP, Agent Status.
Figure 3-24 Enabling SNMP Agent Status
CLI – The following example enables SNMP on the switch.
Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.
Figure 3-25 Configuring SNMP Community Strings
CLI – The following example adds the string “spiderman” with read/write access.
Console(config)#snmp-server community spiderman rw
Console(config)#
Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers.
To send an inform to an SNMPv2c host, complete these steps:
1. Enable the SNMP agent (3-39).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (3-52).
4. Create a group that includes the required notify view (3-49).
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (3-39).
2. Enable trap informs as described in the following pages.
3.
• Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
• Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken. (Default: Enabled)
Web – Click SNMP, Configuration.
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
4.
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent.
Configuring SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Command Attributes
• User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
• Group Name – The name of the SNMP group to which the user is assigned.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Figure 3-30 Configuring Remote SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Command Attributes
• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
• Model – The user security model; SNMP v1, v2c or v3.
Table 3-5 Supported Notification Messages (Continued)
Object Label   Object ID              Description
linkDown*      1.3.6.1.6.3.1.1.5.3    A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus.
linkUp**       1.3.6.1.6.3.1.1.5.
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
• View Name – The name of the SNMP view. (Range: 1-64 characters)
• View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: readaccess
Subtree OID: 1.3.6.1.
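As an added example, not code from the guide or the switch, the following Python models how a view such as ifEntry.a decides whether a requested OID is visible: the wildcard * in a subtree matches any sub-identifier at that position, and when several entries cover an OID the most specific (longest) subtree wins, as in standard VACM. The defaultview and noprivate views, and the enterprise OID they test, are constructed for the sample.

```python
"""Model of SNMPv3 (VACM) view matching, as configured with snmp-server view.

Added illustration, not code from the switch. A subtree string such as
"1.3.6.1.2.1.2.2.1.1.*" uses "*" as a wildcard sub-identifier, matching the
CLI example on this page. View entries are either "included" or "excluded".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Subtree = Tuple[Optional[int], ...]   # None marks a wildcard (*) position


def parse_subtree(text: str) -> Subtree:
    """'1.3.6.1.2.1.2.2.1.1.*' -> (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, None)."""
    return tuple(None if part == "*" else int(part) for part in text.split("."))


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def subtree_covers(subtree: Subtree, oid: Tuple[int, ...]) -> bool:
    """True when oid lies under subtree: it is at least as long as the subtree
    and every non-wildcard position is equal."""
    if len(oid) < len(subtree):
        return False
    return all(s is None or s == o for s, o in zip(subtree, oid))


@dataclass
class ViewEntry:
    subtree: Subtree
    included: bool


class SnmpView:
    """One named view made of included/excluded subtree entries."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[ViewEntry] = []

    def add(self, subtree: str, included: bool = True) -> "SnmpView":
        self.entries.append(ViewEntry(parse_subtree(subtree), included))
        return self

    def allows(self, oid: str) -> bool:
        """VACM rule (RFC 3415): among the entries covering the OID, the one
        with the longest subtree decides; an OID covered by no entry is hidden."""
        target = parse_oid(oid)
        best: Optional[ViewEntry] = None
        for entry in self.entries:
            if subtree_covers(entry.subtree, target) and (
                best is None or len(entry.subtree) > len(best.subtree)
            ):
                best = entry
        return best is not None and best.included


def sample_views() -> Dict[str, SnmpView]:
    """Constructed sample views (not the switch's configuration): ifEntry.a is
    the page's example; defaultview covers the whole MIB tree; noprivate covers
    the tree but excludes the enterprise branch 1.3.6.1.4."""
    return {
        "ifEntry.a": SnmpView("ifEntry.a").add("1.3.6.1.2.1.2.2.1.1.*"),
        "defaultview": SnmpView("defaultview").add("1"),
        "noprivate": SnmpView("noprivate").add("1").add("1.3.6.1.4", included=False),
    }


if __name__ == "__main__":
    views = sample_views()
    # ifIndex.1, ifDescr.1 and a constructed enterprise OID (99999 is a placeholder)
    for oid in ("1.3.6.1.2.1.2.2.1.1.1", "1.3.6.1.2.1.2.2.1.2.1", "1.3.6.1.4.1.99999.1.0"):
        print(oid, {name: view.allows(oid) for name, view in views.items()})
```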
User Authentication
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 3-33 Access Levels
CLI – Assign a user name to access-level 15 (i.e.
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Command Attributes
• Authentication – Select the authentication, or authentication sequence required:
  - Local – User authentication is performed only locally by the switch.
  - Radius – User authentication is performed using a RADIUS server only.
  - TACACS – User authentication is performed using a TACACS+ server only.
  - [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
CLI – Specify all the required parameters to enable logon authentication.
Console(config)#authentication login radius
Console(config)#radius-server port 181
Console(config)#radius-server key green
Console(config)#radius-server retransmit 5
Console(config)#radius-server timeout 10
Console(config)#radius-server 1 host 192.168.1.
  - Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
  - Change – Clicking this button adds or modifies the selected encryption key.
• TACACS+ Settings
  - Global – Provides globally applicable TACACS+ encryption key settings.
  - ServerIndex – Specifies the index number of the TACACS+ server for which an encryption key may be configured.
AAA Authorization and Accounting
The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows:
• Authentication – Identifies users that request access to the network.
• Authorization – Determines if users can access specific services.
• Accounting – Provides reports, auditing, and billing for services that users have accessed on the network.
Configuring AAA RADIUS Group Settings
The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization.
Command Attributes
• Group Name – Defines a name for the RADIUS server group. (1-255 characters)
• Server Index – Specifies the RADIUS server and sequence to use for the group.
Configuring AAA TACACS+ Group Settings
The AAA TACACS+ Group Settings screen defines the configured TACACS+ servers to use for accounting and authorization.
Command Attributes
• Group Name – Defines a name for the TACACS+ server group. (1-255 characters)
• Server – Specifies the TACACS+ server to use for the group. (Range: 1)
When specifying the index for a TACACS+ server, the server index must already be defined (see "Configuring Local/Remote Logon Authentication" on page 3-56).
The group names “radius” and “tacacs+” specify all configured RADIUS and TACACS+ hosts (see "Configuring Local/Remote Logon Authentication" on page 3-56). Any other group name refers to a server group configured on the RADIUS or TACACS+ Group Settings pages.
Web – Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add.
AAA Accounting Update
This feature sets the interval at which accounting updates are sent to accounting servers.
Command Attributes
Periodic Update – Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled)
Web – Click Security, AAA, Accounting, Periodic Update. Enter the required update interval and click Apply.
AAA Accounting 802.1X Port Settings
This feature applies the specified accounting method to an interface.
Command Attributes
• Port/Trunk – Specifies a port or trunk number.
• Method Name – Specifies a user-defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (3-62). (Range: 1-255 characters)
Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply.
AAA Accounting Exec Command Privileges
This feature specifies a method name to apply to commands entered at specific CLI privilege levels.
Command Attributes
• Commands Privilege Level – The CLI privilege levels (0-15).
• Console/Telnet – Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply.
AAA Accounting Exec Settings
This feature specifies a method name to apply to console and Telnet connections.
Command Attributes
Method Name – Specifies a user-defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Figure 3-42 AAA Accounting Exec Settings
CLI – Specify the accounting method to use for Console and Telnet interfaces.
Web – Click Security, AAA, Summary.
CLI – Use the following command to display the currently applied accounting methods, and registered users.
Web – Click Security, AAA, Authorization, Settings. To configure a new authorization method, specify a method name and a group name, select the service, then click Add.
Figure 3-44 AAA Authorization Settings
CLI – Specify the authorization method required and the server group.
Console(config)#aaa authorization exec default group tacacs+
Console(config)#
Authorization EXEC Settings
This feature specifies an authorization method name to apply to console and Telnet connections.
CLI – Specify the authorization method to use for Console and Telnet interfaces.
Console(config)#line console
Console(config-line)#authorization exec tps-auth
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec tps-auth
Console(config-line)#
Authorization Summary
The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied.
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Command Usage
• Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port. (HTTP can only be configured through the CLI using the ip http server command described on 4-100.
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.
Figure 3-47 HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.
Configuring the Secure Shell
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks. The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools.
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (4-25) to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on 3-54.) The clients are subsequently authenticated using these keys.
Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable.
b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request.
c. The client sends a signature generated using the private key to the switch.
d.
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Figure 3-48 SSH Host-Key Settings
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Configuring the SSH Server
The SSH server includes basic settings for authentication.
Note: You must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server.
Field Attributes
• SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled)
• Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
Console(config)#ip ssh server
Console(config)#ip ssh timeout 100
Console(config)#ip ssh authentication-retries 5
Console(config)#ip ssh server-key size 512
Console(config)#end
Console#show ip ssh
SSH Enabled - version 2.
TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network.
CLI – This example shows the default global setting for 802.1X.
Console#show dot1x
Global 802.1X Parameters
 system-auth-control: enable

802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        disabled  Single-Host     ForceAuthorized  n/a
.
.
.
802.1X Port Details
802.1X is disabled on port 1/1
.
.
.
802.1X is disabled on port 1/26
Console#
Configuring 802.1X Global Settings
The 802.
Configuring Port Settings for 802.1X
When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section.
Command Attributes
• Port – Port number.
• Status – Indicates if authentication is enabled or disabled on the port.
Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply.
Figure 3-52 802.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see "show dot1x" on page 4-118.
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-7 802.1X Statistics
Parameter          Description
Rx EAPOL Start     The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff    The number of EAPOL Logoff frames that have been received by this Authenticator.
CLI – This example displays the 802.1X statistics for port 4.
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list.
Figure 3-54 Creating an IP Filter List
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.
General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are supported by this switch.
Configuring Port Security
Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
Access Control Lists
• When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL. If this rule is included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
The order in which active ACLs are checked is as follows:
1. User-defined rules in the Egress IP ACL for egress ports.
Configuring a Standard IP ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any)
• IP Address – Source IP address.
Configuring an Extended IP ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
Configuring a MAC ACL
Use this page to configure ACLs based on hardware addresses, packet format, and Ethernet type.
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
Binding a Port to an Access Control List
After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port.
Command Usage
• Each ACL can have up to 32 rules.
• This switch supports ACLs for ingress filtering only.
• You can bind only one ACL to any port for ingress filtering.
Command Attributes
• Port – Fixed port or SFP module.
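As an added example covering the Standard/Extended IP ACL, MAC ACL and binding pages above (not code from the guide or the switch), the Python below evaluates rules with the page's Address Types (Any, Host, and IP/MAC with a SubMask or hexadecimal Bitmask, where a 1 bit must match) in first-match order, and reports the bind constraints the page states: at most 32 rules, only deny rules in an egress ACL, and no explicit "deny any any" for egress. The default action when no rule matches is a parameter here; the page does not specify it, and the sample rule sets are constructed.

```python
"""Rule matching for Standard/Extended IP ACLs and MAC ACLs, plus the bind
checks this page states. Added illustration, not switch firmware.

Address Type follows the page: "Any", "Host" (exact address) or "IP"/"MAC"
(base address plus SubMask or hexadecimal Bitmask; a 1 bit must match).
The default action used when no rule matches is an assumption (parameter).
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _mac(text: str) -> int:
    """Accepts 11-22-33-44-55-66 or 11:22:33:44:55:66."""
    return int(text.replace("-", "").replace(":", ""), 16)


@dataclass
class Match:
    kind: str            # "Any", "Host", or "IP"/"MAC" for a masked range
    address: str = ""
    mask: str = ""       # SubMask (dotted) for IP, Bitmask (hex) for MAC

    def hit(self, value: str, conv: Callable[[str], int]) -> bool:
        if self.kind == "Any":
            return True
        if self.kind == "Host":
            return conv(value) == conv(self.address)
        m = conv(self.mask)
        return (conv(value) & m) == (conv(self.address) & m)


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    source: Match
    destination: Optional[Match] = None  # None in a Standard IP ACL


def evaluate(rules: List[Rule], src: str, dst: Optional[str],
             conv: Callable[[str], int], default: str = "deny") -> str:
    """The first rule whose source (and destination, when the rule has one)
    matches decides; `default` applies when nothing matches (assumption)."""
    for rule in rules:
        dst_ok = rule.destination is None or (
            dst is not None and rule.destination.hit(dst, conv))
        if rule.source.hit(src, conv) and dst_ok:
            return rule.action
    return default


def evaluate_ip(rules: List[Rule], src: str, dst: Optional[str] = None,
                default: str = "deny") -> str:
    return evaluate(rules, src, dst, _ip, default)


def evaluate_mac(rules: List[Rule], src: str, dst: str, default: str = "deny") -> str:
    return evaluate(rules, src, dst, _mac, default)


MAX_RULES = 32   # "Each ACL can have up to 32 rules"


def bind_errors(rules: List[Rule], direction: str) -> List[str]:
    """Reasons a bind would fail, per the page: rule count over 32; an egress
    ACL containing a permit rule; an explicit deny any any bound for egress."""
    errors = []
    if len(rules) > MAX_RULES:
        errors.append(f"ACL has {len(rules)} rules; the limit is {MAX_RULES}")
    if direction == "egress":
        if any(r.action != "deny" for r in rules):
            errors.append("egress ACL contains a permit rule; all entries must be deny")
        if any(r.action == "deny" and r.source.kind == "Any"
               and r.destination is not None and r.destination.kind == "Any"
               for r in rules):
            errors.append("explicit deny any any is not supported for egress")
    return errors


def sample_ip_acl() -> List[Rule]:
    """Constructed Standard IP ACL: one management host allowed, the rest of
    its /24 denied, everything else permitted."""
    return [Rule("permit", Match("Host", "10.1.1.10")),
            Rule("deny", Match("IP", "10.1.1.0", "255.255.255.0")),
            Rule("permit", Match("Any"))]


def sample_mac_acl() -> List[Rule]:
    """Constructed MAC ACL: permit one OUI range, deny all other frames."""
    return [Rule("permit", Match("MAC", "00-11-22-00-00-00", "FF-FF-FF-00-00-00"),
                 Match("Any")),
            Rule("deny", Match("Any"), Match("Any"))]


if __name__ == "__main__":
    for src in ("10.1.1.10", "10.1.1.20", "10.2.0.5"):
        print(src, evaluate_ip(sample_ip_acl(), src))
    print(bind_errors(sample_mac_acl(), "egress"))
```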
CLI – This example assigns an IP access list to port 1, and an IP access list to port 3.
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list.
Figure 3-61 Creating an IP Filter List
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.
DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
- If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
- If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
- If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
DHCP Snooping VLAN Configuration
Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs.
Command Usage
• When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
Command Usage
• DHCP Snooping (see 3-102) must be enabled for Option 82 information to be inserted into request packets.
• When Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace.
Web – Click DHCP Snooping, Port Configuration. Set any ports within the local network or firewall to trusted, and click Apply.
Figure 3-65 DHCP Snooping Port Configuration
CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.
• IP Address Type – Indicates an IPv4 address type.
• Lease Time (Seconds) – The time for which this IP address is leased to the client.
Web – Click DHCP Snooping, DHCP Snooping Binding Information.
Figure 3-66 DHCP Snooping Binding Information
CLI – This example shows how to display the DHCP Snooping binding table entries.
Command Usage
• Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the SIP-MAC option to check these same parameters, plus the source MAC address. If no matching entry is found, the packet is dropped.
Web – Click IP Source Guard, Port Configuration. Set the required filtering type for each port and click Apply.
Figure 3-67 IP Source Guard Port Configuration
CLI – This example shows how to enable IP source guard on port 5 to check the source IP address for ingress packets against the binding table.
- If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
Command Attributes
• Static Binding Table Counts – The total number of static entries in the table.
• Current Static Binding Table – The list of current static entries in the table.
• Port – Switch port number.
Displaying Information for Dynamic IP Source Guard Bindings
Use the Dynamic Information page to display the source-guard binding table for a selected interface.
Command Attributes
• Query by – Select an interface to display the source-guard binding. (Options: Port, VLAN, MAC Address, or IP Address)
• Dynamic Binding Table Counts – Displays the number of IP addresses in the source-guard binding table.
3 Configuring the Switch Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • • • • • Name – Interface label. Type – Indicates the port type. (1000BASE-T or 1000BASE-SFP) Admin Status – Shows if the interface is enabled or disabled. Oper Status – Indicates if the link is Up or Down.
Port Configuration 3 Configuration: • • • • • • • • • • • • • • • • Name – Interface label. Port admin – Shows if the interface is enabled or disabled (i.e., up or down). Speed-duplex – Shows the current speed and duplex mode. (Auto, or fixed choice) Capabilities – Specifies the capabilities to be advertised for a port during auto-negotiation. (To access this item on the web, see "Configuring Interface Connections" on page 3-114.) The following capabilities are supported.
3 Configuring the Switch CLI – This example shows the connection status for Port 5.
3 Port Configuration • • • • • problem has been resolved. You may also disable an interface for security reasons. Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled) Flow Control – Allows automatic or manual selection of flow control. Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/ disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised.
3 Configuring the Switch CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 Console(config-if)#description RD SW#13 Console(config-if)#shutdown . Console(config-if)#no shutdown Console(config-if)#no negotiation Console(config-if)#speed-duplex 100half Console(config-if)#flowcontrol .
• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. • All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN. • STP, VLAN, and IGMP settings can only be made for the entire trunk.
CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-26/50) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp
Console(config-if)#exit
.
.
.
- System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default: 1) • Port Priority – If a link goes down, LACP port priority is used to select a backup link.
CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
.
.
.
Table 3-8 LACP Port Counters (Continued)
Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
Marker Illegal Pkts – Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.
Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation.
Table 3-9 LACP Internal Configuration Information
Oper Key – Current operational value of the key for the aggregation port.
Admin Key – Current administrative value of the key for the aggregation port.
LACPDUs Interval – Number of seconds before invalidating received LACPDU information.
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-76 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation.
Table 3-10 LACP Neighbor Configuration Information
Partner Admin System ID – LAG partner’s system ID assigned by the user.
Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-78 Port Broadcast Control Configuring Local Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. Figure 3-79 Mirror Port Configuration CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port and traffic type.
Web – Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Enable the Rate Limit Status for the required interfaces, then set the rate limit for the individual interfaces, and click Apply. Figure 3-80 Input Rate Limit Port Configuration CLI – This example sets the rate limit level for input traffic passing through port 3.
Table 3-11 Port Statistics (Continued)
Received Multicast Packets – The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.
Received Broadcast Packets – The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a broadcast address at this sub-layer.
Table 3-11 Port Statistics (Continued)
Multiple Collision Frames – A count of successfully transmitted frames for which transmission is inhibited by more than one collision.
Carrier Sense Errors – The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame.
SQE Test Errors – A count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface.
Table 3-11 Port Statistics (Continued)
64 Bytes Frames – The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
Figure 3-81 Port Statistics CLI – This example shows statistics for port 13.
power, if necessary by dropping power to ports set for a lower priority. If power is dropped to some low-priority ports and later the power demands on the switch fall back within its budget, the dropped power is automatically restored. Switch Power Status Displays the Power over Ethernet parameters for the switch. Command Attributes • Maximum Available Power – The configured power budget for the switch.
Setting a Switch Power Budget A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power. Command Attributes • Power Allocation – The power budget for the switch.
re-enabled when the overload condition is no longer detected on the port. (Default: Disabled) Web – Click PoE, Power Port Status. Figure 3-84 Displaying Port PoE Status CLI – This example displays the PoE status and priority of port 1.
• If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is turned on, but the switch drops power to one or more lower-priority ports. Note: Power is dropped from low-priority ports in sequence starting from port number 1. Command Attributes • Port – The port number on the switch. • Admin Status – Enables PoE power on the port.
Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. Setting Static Addresses A static address can be assigned to a specific interface on this switch.
Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports. Command Attributes • Interface – Indicates a port or trunk.
CLI – This example also displays the address table entries for port 1.
Console#show mac-address-table interface ethernet 1/1
 Interface Mac Address       Vlan Type
 --------- ----------------- ---- ----------------
 Eth 1/ 1  00-12-CF-48-82-93    1 Delete-on-reset
 Eth 1/ 1  00-12-CF-94-34-DE    2 Learned
Console#
Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function.
Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing.
Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI), the protocol will automatically build an MSTI tree to maintain connectivity among each of the VLANs. MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree (CST). Displaying Global Settings for STA You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
These additional parameters are only displayed for the CLI: • Spanning tree mode – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D) - RSTP: Rapid Spanning Tree (IEEE 802.1w) - MSTP: Multiple Spanning Tree (IEEE 802.1s) • Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.) • VLANs Configuration – VLANs assigned to the CIST.
Web – Click Spanning Tree, STA, Information. Figure 3-89 Displaying Spanning Tree Information CLI – This command displays global STA settings, followed by settings for each port.
Console#show spanning-tree
Spanning-tree information
---------------------------------------------------------------
 Spanning Tree Mode: RSTP
 Spanning Tree Enabled/Disabled: Disabled
 Instance: 0
 VLANs Configuration: 1-4094
 Priority: 32768
 Bridge Hello Time (sec.): 2
 Bridge Max Age (sec.
Configuring Global Settings for STA Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.
• Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table.
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.
• Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
These additional parameters are only displayed for the CLI: • Admin Status – Shows if this interface is enabled. • External Admin Path Cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
--------------------------------------------------------------
 Admin Status: Enabled
 Role: Root
 State: Forwarding
 Admin Path Cost: 100000
 Oper Path Cost: 100000
 Priority: 128
 Designated Cost: 0
 Designated Port: 128.13
 Designated Root: 32768.0001ECF8D8C6
 Designated Bridge: 32768.
The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
Table 3-14 Default STA Path Costs
Port Type         Link Type     IEEE 802.1w-2001
Ethernet          Half Duplex   2,000,000
                  Full Duplex   1,000,000
                  Trunk           500,000
Fast Ethernet     Half Duplex     200,000
                  Full Duplex     100,000
                  Trunk            50,000
Gigabit Ethernet  Full Duplex      10,000
                  Trunk             5,000
• Admin Link Type – The link type attached to this interface. - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges.
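The root-device and root-port selection rules described above (highest bridge priority, ties to the lowest MAC address; path cost before port priority) together with the Table 3-14 default path costs, as an added Python example that is not code from the SMC guide; apart from the bridge ID printed in the port 5 output, the bridge IDs, port numbers and port priorities are constructed.

```python
# Added example: models the STA selection rules described in the guide.
# Illustrative code, not SMC firmware; bridge IDs and port values are
# constructed except where a comment says otherwise.
from typing import Dict, List, Tuple

# Table 3-14 default path costs (IEEE 802.1w-2001), keyed by
# (port type, link type).
DEFAULT_PATH_COST: Dict[Tuple[str, str], int] = {
    ("ethernet", "half"): 2_000_000,
    ("ethernet", "full"): 1_000_000,
    ("ethernet", "trunk"): 500_000,
    ("fast", "half"): 200_000,
    ("fast", "full"): 100_000,
    ("fast", "trunk"): 50_000,
    ("gigabit", "full"): 10_000,
    ("gigabit", "trunk"): 5_000,
}


def default_path_cost(port_type: str, link_type: str) -> int:
    """Look up the Table 3-14 default; unknown combinations are rejected."""
    try:
        return DEFAULT_PATH_COST[(port_type, link_type)]
    except KeyError:
        raise ValueError(f"no default path cost for {port_type}/{link_type}")


def parse_bridge_id(bridge_id: str) -> Tuple[int, int]:
    """Convert the guide's 'priority.MAC' form (e.g. 32768.0001ECF8D8C6)
    into a (priority, mac) tuple. A lower numeric priority is a higher
    priority, so plain tuple ordering ranks bridges correctly."""
    prio_text, mac_text = bridge_id.split(".")
    mac_text = mac_text.replace("-", "").replace(":", "")
    if len(mac_text) != 12:
        raise ValueError(f"bad MAC in bridge id: {bridge_id}")
    priority = int(prio_text)
    if not 0 <= priority <= 65535:
        raise ValueError(f"priority out of range: {priority}")
    return priority, int(mac_text, 16)


def elect_root(bridge_ids: List[str]) -> str:
    """Root device: highest priority (lowest value); ties go to the
    lowest MAC address."""
    if not bridge_ids:
        raise ValueError("no bridges to choose from")
    return min(bridge_ids, key=parse_bridge_id)


def select_root_port(candidates: List[Tuple[int, int, int]]) -> int:
    """candidates: (port number, path cost, port priority) for each port
    that can reach the root. Path cost takes precedence over port priority;
    equal costs are broken by the lowest priority value, then port number."""
    if not candidates:
        raise ValueError("no candidate ports")
    port, _cost, _priority = min(candidates, key=lambda c: (c[1], c[2], c[0]))
    return port


def demo() -> Tuple[str, int]:
    """Constructed scenario: three bridges, then the root-port choice on a
    switch whose uplinks use the default path costs."""
    root = elect_root([
        "32768.0001ECF8D8C6",  # bridge ID printed in the guide's port 5 output
        "32768.0001ECF8D8C5",  # same priority, lower MAC: wins the tie
        "36864.000000000001",  # worse priority (higher value) despite low MAC
    ])
    uplinks = [
        (5, default_path_cost("fast", "full"), 128),
        (13, default_path_cost("gigabit", "full"), 128),
        (14, default_path_cost("gigabit", "full"), 64),  # same cost, better priority
    ]
    return root, select_root_port(uplinks)


if __name__ == "__main__":
    print(demo())
```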
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-92 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7.
Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance. By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region.
Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add. Figure 3-93 Configuring Multiple Spanning Trees CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
CLI – This displays STA settings for instance 1, followed by settings for each port.
Console#show spanning-tree mst 1
Spanning-tree information
---------------------------------------------------------------
 Spanning Tree Mode: MSTP
 Spanning Tree Enabled/Disabled: Enabled
 Instance: 1
 VLANs Configuration: 1
 Priority: 32768
 Bridge Hello Time (sec.): 2
 Bridge Max Age (sec.): 20
 Bridge Forward Delay (sec.): 15
 Root Hello Time (sec.): 2
 Root Max Age (sec.): 20
 Root Forward Delay (sec.
Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes • MST Instance ID – Instance identifier to configure. (Default: 0) The other attributes are described under "Displaying Interface Settings for STA" on page 3-151. Web – Click Spanning Tree, MSTP, Port or Trunk Information.
CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree.
Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: • STA State – Displays current state of this port within the Spanning Tree. (See "Displaying Interface Settings for STA" on page 3-151 for additional information.
Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-95 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#spanning-tree mst port-priority 0
Console(config-if)#spanning-tree mst cost 50
Console(config-if)
VLAN Configuration IEEE 802.
This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs • End stations can belong to multiple VLANs • Passing traffic between VLAN-aware and VLAN-unaware devices • Priority tagging Note: The switch allows 255 user-manageable VLANs.
Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets. However, you should use IEEE 802.
Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports. Ports can be assigned to multiple tagged or untagged VLANs. Each port on the switch is therefore capable of passing tagged or untagged frames.
Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. • Maximum VLAN ID – Maximum VLAN ID recognized by this switch. • Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch. Web – Click VLAN, 802.1Q VLAN, Basic Information.
Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging. Command Attributes (Web) • VLAN ID – ID of configured VLAN (1-4094). • Up Time at Creation – Time this VLAN was created (i.e., System Up Time).
• Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members. CLI – Current VLAN information can be displayed with the following command.
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
CLI – This example creates a new VLAN.
Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol. Notes: 1.
Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply. Figure 3-100 Configuring a VLAN Static Table CLI – The following example adds tagged and untagged ports to VLAN 2.
Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. • Non-Member – VLANs for which the selected interface is not a tagged member. Web – Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk).
Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
• GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60) • GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group.
Configuring IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
customer’s network. The packet is sent as a normal IEEE 802.1Q-tagged frame, preserving the original VLAN numbers used in the customer’s network. Layer 2 Flow for Packets Coming into a Tunnel Access Port A QinQ tunnel port may receive either tagged or untagged packets. No matter how many tags the incoming packet has, it is treated as a tagged packet. The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: • Untagged • One tag (CVLAN or SPVLAN) • Double tag (CVLAN + SPVLAN) The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner: 1.
• Static trunk port groups are compatible with QinQ tunnel ports as long as the QinQ configuration is consistent within a trunk port group. • The native VLAN (VLAN 1) is not normally added to transmitted frames. Avoid using VLAN 1 as an SPVLAN tag for customer traffic, to reduce the risk of misconfiguration. Instead, use VLAN 1 as a management VLAN rather than a data VLAN in the service provider network.
incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port. • All ports on the switch will be set to the same ethertype. Command Attributes • 802.1Q Tunnel – Sets the switch to QinQ mode, and allows the QinQ tunnel port to be configured.
the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames (see "Displaying Basic VLAN Information" on page 3-168). Command Attributes • Mode – Set the VLAN membership mode of the port. (Default: Normal) - None – The port operates in its normal VLAN mode. (This is the default.) - 802.1Q Tunnel – Configures IEEE 802.1Q tunneling (QinQ) for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network.
Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Enabling Private VLANs Use the Private VLAN Status page to enable/disable the Private VLAN function. Web – Click VLAN, Private VLAN, Status.
Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports. Web – Click VLAN, Private VLAN, Link Status. Mark the ports that will serve as uplinks and downlinks for the private VLAN, then click Apply.
Command Usage To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (3-170). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2. Create a protocol group for each of the protocols you want to assign to a VLAN using the Protocol VLAN Configuration page. 3.
CLI – This example creates protocol group 1 for Ethernet frames using the IP protocol, and group 2 for Ethernet frames using the ARP protocol.
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 2 add frame-type ethernet protocol-type arp
Console(config)#
Mapping Protocols to VLANs Use the Protocol VLAN Port Configuration menu to map a Protocol VLAN Group to a VLAN.
Web – Click VLAN, Protocol VLAN, Port Configuration. Figure 3-108 Protocol VLAN Port Configuration CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 2 to VLAN 2.
Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Command Attributes • Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port. Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-109 Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3.
Class of Service Configuration 3 Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Web – Click Priority, Traffic Classes. Select a port or trunk for the current mapping of CoS values to output queues to be displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply.

Figure 3-110 Traffic Classes

CLI – The following example shows how to change the CoS assignments.
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.

Command Usage
• Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
Setting the Service Weight for Traffic Classes
This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in "Mapping CoS Values to Egress Queues" on page 3-191, the traffic classes are mapped to one of the four egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities).
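The difference between the two queue modes is easiest to see by simulating them. The following is an added example, not the switch's firmware: it services the four per-port egress queues described above either strictly (queue 3 first, lower queues only when every higher queue is empty) or with Weighted Round Robin, where each queue transmits up to its weight per round. The packet counts and the weights (1, 2, 4, 8) are constructed sample values; the switch's default weights are not given on this page.

```python
"""Added example (not the switch's firmware): strict-priority versus Weighted
Round Robin (WRR) service of the four per-port egress queues.  Queue 3 is the
highest priority.  Packets and weights are constructed sample values."""
from collections import deque
from typing import Dict, List

NUM_QUEUES = 4


def make_queues(counts: Dict[int, int]) -> List[deque]:
    """Build four FIFO queues; queue q holds packets named 'q<q>-<n>'."""
    queues = [deque() for _ in range(NUM_QUEUES)]
    for q, n in counts.items():
        for i in range(n):
            queues[q].append(f"q{q}-{i}")
    return queues


def strict_schedule(queues: List[deque]) -> List[str]:
    """Strict priority: always transmit from the highest non-empty queue.
    A lower queue is served only when every higher queue is empty, so a
    saturated high-priority queue can starve the others indefinitely."""
    sent = []
    while any(queues):
        for q in range(NUM_QUEUES - 1, -1, -1):
            if queues[q]:
                sent.append(queues[q].popleft())
                break
    return sent


def wrr_schedule(queues: List[deque], weights=(1, 2, 4, 8)) -> List[str]:
    """Weighted Round Robin: in each round, queue q may transmit up to
    weights[q] packets, so every non-empty queue gets a share of the link
    proportional to its weight (assumed weights; indexed by queue number)."""
    sent = []
    while any(queues):
        for q in range(NUM_QUEUES - 1, -1, -1):
            for _ in range(weights[q]):
                if not queues[q]:
                    break
                sent.append(queues[q].popleft())
    return sent


def first_index(sent: List[str], name: str) -> int:
    """Position (0-based) at which a given packet was transmitted."""
    return sent.index(name)


if __name__ == "__main__":
    # Constructed sample: 12 packets waiting in queue 3, 2 packets in queue 0.
    print("strict:", strict_schedule(make_queues({3: 12, 0: 2})))
    print("wrr:   ", wrr_schedule(make_queues({3: 12, 0: 2})))
```

With 12 packets queued at priority 3 and 2 at priority 0, strict mode sends all twelve high-priority packets before the first low-priority one, while WRR with weights (1, 2, 4, 8) interleaves one queue-0 packet after every eight queue-3 packets.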
Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values
This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP/UDP port.
Mapping IP Precedence
The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth). Bits 6 and 7 are used for network control, and the other bits for various application types.
CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Command Attributes
• DSCP Priority Table – Shows the DSCP Priority to CoS map.
• Class of Service Value – Maps a CoS value to the selected DSCP Priority value. Note that “0” represents low priority and “7” represents high priority.

Note: IP DSCP settings apply to all interfaces.

Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.
Mapping IP Port Priority
You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.

Command Attributes
• IP Port Priority Status – Enables or disables the IP port priority.
• IP Port Priority Table – Shows the IP port to CoS map.
• IP Port Number (TCP/UDP) – Set a new IP port number.
CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port.

Console(config)#map ip port
Console(config)#interface ethernet 1/5
Console(config-if)#map ip port 80 cos 0
Console(config-if)#end
Console#show map ip port ethernet 1/5
TCP port mapping status: disabled
Port Port no.
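To make the three layer 3/4 mappings above concrete, here is an added example (not the switch's code) that parses the ToS octet and the TCP/UDP destination port out of a raw IPv4 packet and resolves a CoS value the way the IP Precedence, IP DSCP and IP Port Priority settings do. The IP Precedence map defaults one-to-one as the guide states; the DSCP table contents, the per-interface port table, the order in which the three mappings are consulted when more than one is enabled, and the packet builder are assumptions for illustration.

```python
"""Added example, not the switch's code: derive a CoS value for an IPv4 packet
from IP Precedence, DSCP, or TCP/UDP port, as in the guide's Layer 3/4 Priority
Settings.  DSCP table, port table and lookup order are assumptions."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def precedence_of(tos: int) -> int:
    return tos >> 5          # IP Precedence: the three high-order ToS bits (0-7)


def dscp_of(tos: int) -> int:
    return tos >> 2          # DSCP: the six high-order ToS bits (0-63)


@dataclass
class L34Priority:
    """Per-interface layer 3/4 priority configuration (constructed model)."""
    precedence_enabled: bool = False
    dscp_enabled: bool = False
    port_enabled: bool = False
    # Default IP Precedence -> CoS map is one-to-one, as the guide states.
    precedence_to_cos: Dict[int, int] = field(default_factory=lambda: {p: p for p in range(8)})
    # Assumed DSCP -> CoS table: the DSCP class selector (top 3 bits) becomes the CoS.
    dscp_to_cos: Dict[int, int] = field(default_factory=lambda: {d: d >> 3 for d in range(64)})
    # TCP/UDP destination port -> CoS, as set with 'map ip port <port> cos <value>'.
    port_to_cos: Dict[int, int] = field(default_factory=dict)


def parse_ipv4(packet: bytes) -> Tuple[int, int, Optional[int]]:
    """Return (tos, protocol, L4 destination port or None) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length honours IP options
    tos, protocol = packet[1], packet[9]
    dst_port = None
    if protocol in (6, 17) and len(packet) >= ihl + 4:   # TCP or UDP header present
        dst_port = struct.unpack_from("!H", packet, ihl + 2)[0]
    return tos, protocol, dst_port


def classify(packet: bytes, cfg: L34Priority, default_cos: int = 0) -> int:
    """Assumed precedence when several mappings are enabled: port, then DSCP, then IP Precedence."""
    tos, _, dst_port = parse_ipv4(packet)
    if cfg.port_enabled and dst_port is not None and dst_port in cfg.port_to_cos:
        return cfg.port_to_cos[dst_port]
    if cfg.dscp_enabled:
        return cfg.dscp_to_cos.get(dscp_of(tos), default_cos)
    if cfg.precedence_enabled:
        return cfg.precedence_to_cos.get(precedence_of(tos), default_cos)
    return default_cos


def build_ipv4_tcp(tos: int, dst_port: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header (no options) plus a TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                     bytes([10, 1, 0, 1]), bytes([10, 1, 0, 99]))
    return ip + struct.pack("!HH", 40000, dst_port) + bytes(16)


def guide_example_config() -> L34Priority:
    """The guide's two CLI examples applied to one interface for illustration:
    IP Precedence 1 -> CoS 0, and HTTP (TCP port 80) -> CoS 0."""
    cfg = L34Priority(precedence_enabled=True, port_enabled=True)
    cfg.precedence_to_cos[1] = 0
    cfg.port_to_cos[80] = 0
    return cfg
```

A packet with ToS 0x40 (precedence 2) to port 443 classifies as CoS 2 under the guide's example configuration, while the same packet to port 80 is pulled down to CoS 0 by the port map.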
Quality of Service

Configuring Quality of Service Parameters
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the “Class Map” to designate a class name for a specific category of traffic.
2. Edit the rules for each class to specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
3. Use the “Policy Map” to designate a policy name for a specific manner in which ingress traffic will be handled.
4.
Class Configuration
• Class Name – Name of the class map. (Range: 1-16 characters)
• Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
• Description – A brief description of a class map. (Range: 1-64 characters)
• Add – Adds the specified class.
• Back – Returns to the previous page without making any changes.

Match Class Settings
• Class Name – List of class maps.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.

Figure 3-118 Configuring Class Maps

CLI – This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.

Command Usage
• To configure a Policy Map, follow these steps:
  - Create a Class Map as described on page 3-201.
  - Open the Policy Map page, and click Add Policy.
  - When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add.
  - When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).
Policy Rule Settings - Class Settings
• Class Name – Name of class map.
• Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-201).
• Meter – The maximum throughput and burst rate.
  - Rate (kbps) – Rate in kilobits per second.
  - Burst (byte) – Burst in bytes.
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map, click Add Policy. To configure the policy rule settings, click Edit Classes.
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
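The class-map / policy-map / meter model described in the steps above can be reproduced in a few lines. This is an added example, not the switch's code: a class map with a single DSCP match rule, and a policy map that meters the matching class with a single-rate token bucket (rate in kbps, burst in bytes, as the Meter attributes are defined) and rewrites the DSCP of packets that exceed the meter. The class name, policy name and metering values follow the guide's rd-class / rd-policy example (1 Mbps, a burst of 1522, violating packets set to DSCP 0); the token-bucket algorithm and the "conform / exceed" verdicts are assumptions for illustration.

```python
"""Added example, not the switch's code: DiffServ class map + policy map with a
token-bucket meter, modelled on the guide's rd-class / rd-policy example."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ClassMap:
    name: str
    match_dscp: int                      # only one match rule is allowed per class map

    def matches(self, dscp: int) -> bool:
        return dscp == self.match_dscp


class Meter:
    """Single-rate token bucket: refills at rate_kbps, holds at most burst_bytes tokens."""

    def __init__(self, rate_kbps: int, burst_bytes: int):
        self.rate_kbps = rate_kbps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_t = 0.0

    def conforms(self, length: int, now: float) -> bool:
        # rate_kbps * 1000 bits/s == rate_kbps * 125 bytes/s
        refill = (now - self.last_t) * self.rate_kbps * 125
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = now
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False


@dataclass
class PolicyRule:
    class_map: ClassMap
    meter: Meter
    exceed_set_dscp: int                 # DSCP written into packets that violate the meter


@dataclass
class PolicyMap:
    name: str
    rules: List[PolicyRule]

    def apply(self, dscp: int, length: int, now: float) -> Tuple[int, str]:
        """Process one ingress packet; return (dscp after policing, verdict).
        Verdict is 'conform', 'exceed', or 'none' when no class matches."""
        for rule in self.rules:
            if rule.class_map.matches(dscp):
                if rule.meter.conforms(length, now):
                    return dscp, "conform"
                return rule.exceed_set_dscp, "exceed"
        return dscp, "none"


def rd_policy() -> PolicyMap:
    """The guide's example: rd-class matches DSCP 3; rd-policy meters it at
    1 Mbps (1000 kbps) with a burst of 1522 bytes and sets DSCP 0 on violators."""
    return PolicyMap("rd-policy",
                     [PolicyRule(ClassMap("rd-class", 3), Meter(1000, 1522), 0)])


def run_burst(policy: PolicyMap, dscp: int, length: int, count: int,
              now: float = 0.0) -> List[str]:
    """Send `count` back-to-back packets at the same instant; return the verdicts."""
    return [policy.apply(dscp, length, now)[1] for _ in range(count)]
```

Three 1000-byte DSCP 3 packets arriving at once against a 1522-byte bucket produce one conforming packet followed by two that are remarked to DSCP 0; after a second of silence the bucket has refilled and the class conforms again, and packets with any other DSCP are untouched by the policy.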
CLI – This example applies a service policy to an ingress interface.

Console(config)#interface ethernet 1/5
Console(config-if)#service-policy input rd_policy#3
Console(config-if)#

Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client.
Layer 2 IGMP (Snooping and Query)
IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-210) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic. When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports.
Configuring IGMP Snooping and Query Parameters
You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
• Act as IGMP Querier – When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic. This feature is not supported for IGMPv3 snooping. (Default: Enabled)
• IGMP Leave Proxy Status – Suppresses leave messages unless received from the last member port in the group.
CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Command Attributes
• VLAN ID – ID of configured VLAN (1-4094).
• Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled)

Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.

Figure 3-122 IGMP Immediate Leave

CLI – This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status.
Displaying Interfaces Attached to a Multicast Router
Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
Displaying Port Members of Multicast Services
You can display the port members associated with a specified VLAN and multicast service.

Command Attributes
• VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4094)
• Multicast IP Address – The IP address for a specific multicast service.
• Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.
Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in "Configuring IGMP Snooping and Query Parameters" on page 3-210. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.

Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12
Console(config)#exit
Console#show mac-address-table multicast vlan 1
 VLAN M'cast IP addr.  Member ports  Type
 ---- ---------------  ------------  ------
    1 224.1.1.12       Eth1/12       USER
    1 224.1.2.
Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile number by entering the number in the text box and clicking Add. Enable the IGMP filter status, then click Apply.

Figure 3-127 Enabling IGMP Filtering and Throttling

CLI – This example enables IGMP filtering and creates a profile number, then displays the current status and the existing profile numbers.
• Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny)
• New Multicast Address Range List – Specifies multicast groups to include in the profile. Specify a multicast group range by entering a start and end IP address. Specify a single multicast group by entering the same IP address for the start and end of the range. Click the Add button to add a range to the current list.
CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed.

Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#end
Console#show ip igmp profile 19
IGMP Profile 19
    permit
    range 239.1.1.
Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply.

Figure 3-129 IGMP Filter and Throttling Port Configuration

CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed.
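The profile and throttling settings above decide which IGMP joins an access port will honour. The following added example (not the switch's code) models that decision: a profile with permit or deny access mode and a list of group ranges, and an interface that checks each join against its assigned profile and then against its throttling number. Profile 19 is built from the CLI example above (permit, 239.1.1.1 and 239.2.3.1 to 239.2.3.100); the evaluation order, the "deny" throttling action (refuse new joins once the limit is reached), and the interface name are assumptions for illustration.

```python
"""Added example, not the switch's code: IGMP filter profiles and per-interface
throttling, modelled on the guide's IGMP profile 19 example."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


class IgmpProfile:
    def __init__(self, number: int, access_mode: str = "deny"):   # default mode is Deny, per the guide
        if access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be 'permit' or 'deny'")
        self.number = number
        self.access_mode = access_mode
        self.ranges: List[Tuple[IPv4Address, IPv4Address]] = []

    def add_range(self, start: str, end: Optional[str] = None) -> None:
        """A single group is a range whose start and end addresses are the same."""
        lo, hi = IPv4Address(start), IPv4Address(end or start)
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"invalid multicast range {start}-{end or start}")
        self.ranges.append((lo, hi))

    def allows(self, group: str) -> bool:
        """permit: only listed groups may be joined; deny: listed groups are blocked."""
        g = IPv4Address(group)
        listed = any(lo <= g <= hi for lo, hi in self.ranges)
        return listed if self.access_mode == "permit" else not listed


class FilteredInterface:
    """A port or trunk with an assigned profile and a throttling number (max groups)."""

    def __init__(self, name: str, profile: Optional[IgmpProfile] = None,
                 max_groups: Optional[int] = None):
        self.name = name
        self.profile = profile
        self.max_groups = max_groups
        self.groups: List[str] = []

    def join(self, group: str) -> str:
        """Process an IGMP membership report for `group`; return the action taken."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                 # report dropped by the profile
        if group in self.groups:
            return "joined"                   # refresh of an existing membership
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            return "throttled"                # 'deny' action: no new groups past the limit
        self.groups.append(group)
        return "joined"

    def leave(self, group: str) -> None:
        if group in self.groups:
            self.groups.remove(group)


def profile_19() -> IgmpProfile:
    """Profile 19 exactly as configured in the guide's CLI example."""
    p = IgmpProfile(19, "permit")
    p.add_range("239.1.1.1")
    p.add_range("239.2.3.1", "239.2.3.100")
    return p
```

On an interface carrying profile 19 with a throttling number of 2, joins for 239.1.1.1 and 239.2.3.1 succeed, a third in-range group is throttled, and a join for a group outside the permitted ranges is filtered regardless of the limit.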
Multicast VLAN Registration
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
Configuring Global MVR Settings
The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.

Command Usage
IGMP snooping and MVR share a maximum number of 256 groups.
Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply.

Figure 3-130 MVR Global Configuration

CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.

Console(config)#ip igmp snooping
Console(config)#mvr
Console(config)#mvr group 228.1.23.
Displaying MVR Interface Status
You can display information about the interfaces attached to the MVR VLAN.

Field Attributes
• Type – Shows the MVR port type.
• Oper Status – Shows the link status.
• MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
Displaying Port Members of Multicast Groups
You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration.

Field Attributes
• Group IP – Multicast groups assigned to the MVR VLAN.
• Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.

Web – Click MVR, Group IP Information.
Configuring MVR Interface Status
Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.

Command Usage
• A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
  - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)
• Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.)
• Trunk – Shows if port is a trunk member.

Web – Click MVR, Port or Trunk Configuration.
Assigning Static Multicast Groups to Interfaces
For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces.

Command Usage
• Any multicast groups that use the MVR VLAN must be statically assigned to it under the MVR Configuration menu (see "Configuring Global MVR Settings" on page 3-224).
• The IP address range from 224.0.0.0 to 239.255.255.
Configuring Domain Name Service
The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.

Figure 3-135 DNS General Configuration

CLI – This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.

Console(config)#ip domain-name sample.
Configuring Static DNS Host to Address Entries
You can manually configure static entries in the DNS table that are used to map domain names to IP addresses.

Command Usage
• Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
• Servers or other network devices may support one or more connections via multiple IP addresses.
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.

Figure 3-136 DNS Static Host Table

CLI – This example maps two addresses to a host name, and then configures an alias host name for the same addresses.

Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#ip host rd6 10.1.0.55
Console#show hosts
Hostname
 rd5
Inet address
 10.1.0.55 192.168.1.
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated name servers.

Field Attributes
• No – The entry number for each resource record.
• Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
• Type – This field includes ADDRESS which specifies the host address for the owner, and CNAME which specifies an alias.
• IP – The IP address associated with this record.
Switch Clustering
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.

Command Usage
• A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster.
• Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 16. Note that you cannot change the cluster IP pool when the switch is currently in Commander mode. Commander mode must first be disabled.
Cluster Member Configuration
Adds Candidate switches to the cluster as Members.

Command Attributes
• Member ID – Specify a Member ID number for the selected Candidate switch. (Range: 1-16)
• MAC Address – Select a discovered switch MAC address from the Candidate Table, or enter a specific MAC address of a known switch.

Web – Click Cluster, Member Configuration.
Displaying Information on Cluster Members
Use the Cluster Member Information page to display information on current cluster Member switches.

Command Attributes
• Member ID – The ID number of the Member switch.
• Role – Indicates the current status of the switch in the cluster.
• IP Address – The internal cluster IP address assigned to the Member switch.
• MAC Address – The MAC address of the Member switch.
• Description – The system description string of the Member switch.
Cluster Candidate Information
Use the Cluster Candidate Information page to display information about discovered switches in the network that are already cluster Members or are available to become cluster Members.

Command Attributes
• Role – Indicates the current status of Candidate switches in the network.
• MAC Address – The MAC address of the Candidate switch.
• Description – The system description string of the Candidate switch.

Web – Click Cluster, Candidate Information.
Chapter 4: Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).

Using the Command Line Interface

Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask 255.255.255.0, consists of a network portion (10.1.
Entering Commands
This section describes how to enter CLI commands.

Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
The command “show interfaces ?” will display the following information:

Console#show interfaces ?
  counters       Interface counters information
  protocol-vlan  Protocol-VLAN information
  status         Interface status information
  switchport     Interface switchport information
Console#show interfaces

Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Username: guest
Password: [guest login password]

CLI session with SMC8126PL2-F is opened.
To end the CLI session, enter [Exit].

Console>enable
Password: [privileged level password]
Console#

Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted.
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
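The keyword-lookup and abbreviation rules described in "Showing Commands", "Partial Keyword Lookup" and "Command Line Processing" above come down to prefix matching over a command tree. The following added example (not the switch's parser) implements them: a keyword may be shortened to any prefix that is unique among the keywords available at that point, case is ignored, an ambiguous prefix is rejected, and a trailing "?" lists the keywords that match the partial word before it. The tree is a constructed subset built from the "show interfaces ?" output shown above plus two top-level commands; everything else about the real CLI's grammar is an assumption.

```python
"""Added example, not the switch's parser: unique-prefix keyword resolution and
'?' keyword lookup over a constructed command tree."""
from typing import Dict, List, Tuple, Union

Node = Union[str, Dict[str, "Node"]]     # a str leaf is the help text of a complete command

# Constructed tree; the 'show interfaces' branch mirrors the guide's '?' output.
COMMAND_TREE: Dict[str, Node] = {
    "show": {
        "interfaces": {
            "counters": "Interface counters information",
            "protocol-vlan": "Protocol-VLAN information",
            "status": "Interface status information",
            "switchport": "Interface switchport information",
        },
        "history": "Show the command history buffer",
    },
    "configure": "Enter Global Configuration mode",
    "copy": "Copy a file between flash memory and a TFTP server",
}


def keyword_matches(prefix: str, keywords) -> List[str]:
    """Keywords starting with prefix (case-insensitive); an exact match wins outright."""
    prefix = prefix.lower()
    exact = [k for k in keywords if k == prefix]
    return exact or sorted(k for k in keywords if k.startswith(prefix))


def resolve(line: str) -> Tuple[List[str], List[str]]:
    """Expand abbreviated keywords; return (full keywords, trailing arguments).
    Raises ValueError for an unknown or ambiguous keyword."""
    node: Node = COMMAND_TREE
    keywords: List[str] = []
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if not isinstance(node, dict):
            return keywords, tokens[i:]       # command complete; the rest are arguments
        found = keyword_matches(tok, node)
        if not found:
            raise ValueError(f"unknown keyword '{tok}'")
        if len(found) > 1:
            raise ValueError(f"ambiguous keyword '{tok}': {' '.join(found)}")
        keywords.append(found[0])
        node = node[found[0]]
    return keywords, []


def help_lookup(line: str) -> List[Tuple[str, str]]:
    """Answer a line ending in '?': list (keyword, help) pairs available at that point.
    'show interfaces ?' lists every sub-keyword; 'show interfaces s?' lists those
    starting with 's' (no space between the partial keyword and the '?')."""
    if not line.endswith("?"):
        raise ValueError("help lookup needs a trailing '?'")
    body = line[:-1]
    partial = "" if (body == "" or body.endswith(" ")) else body.split()[-1]
    keywords, _ = resolve(body[: len(body) - len(partial)])
    node: Node = COMMAND_TREE
    for k in keywords:
        node = node[k]
    if not isinstance(node, dict):
        return []                              # nothing further to list for a complete command
    return [(k, node[k] if isinstance(node[k], str) else "") for k in keyword_matches(partial, node)]
```

Typing "sh in st eth 1/5" resolves to show interfaces status with "eth 1/5" left as arguments, "con" expands to configure, and "co" is refused because configure and copy both match.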
Command Groups
The system commands can be broken down into the functional groups shown below.
The access mode shown in the following tables is indicated by these abbreviations:
  ACL (Access Control List Configuration)
  CM (Class Map Configuration)
  GC (Global Configuration)
  IC (Interface Configuration)
  LC (Line Configuration)
  MST (Multiple Spanning Tree)
  NE (Normal Exec)
  PE (Privileged Exec)
  PM (Policy Map Configuration)
  SG (Server Group)
  VC (VLAN Database Configuration)

General Commands
These commands are used to control the command access mode, configuration mode, and other bas
Command Mode
Normal Exec

Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-78.)
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Console#configure
Console(config)#

Related Commands
end (4-14)

show history
This command shows the contents of the command history buffer.

Command Mode
Normal Exec, Privileged Exec

Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
Command Mode
Privileged Exec

Command Usage
• This command resets the entire system.
• When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.

Example
This example shows how to reset the switch:

Console#reload
System will be restarted, continue ? y

prompt
This command customizes the CLI prompt.
exit
This command returns to the previous configuration mode or exits the configuration program.

Command Mode
Any

Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:

Console(config)#exit
Console#exit

Press ENTER to start session

User Access Verification

Username:

quit
This command exits the configuration program.
System Management Commands
These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.
Example
Console(config)#hostname RD#1
Console(config)#

System Status Commands
This section describes commands used to display system information.
Example
Console#show startup-config
building startup-config, please wait.....
!00
!01_00-13-f7-12-31-23_01
!
phymap 00-13-f7-12-31-23
!
SNTP server 0.0.0.0 0.0.0.0 0.0.0.
Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Example
Console#show running-config
building startup-config, please wait.....
!00
!01_00-13-f7-12-31-23_01
!
phymap 00-13-f7-12-31-23
!
SNTP server 0.0.0.0 0.0.0.0 0.0.0.
show system
This command displays system information.

Command Mode
Normal Exec, Privileged Exec

Command Usage
• For a description of the items shown by this command, refer to "Displaying System Information" on page 3-11.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.

Example
Console#show system
System Description: SMC TigerSwitch 10/100/1000 PoE SMC8126PL2-F
System OID String: 1.3.6.1.4.1.202.20.
Example
Console#show users
Username accounts:
 Username Privilege Public-Key
 -------- --------- ----------
 admin    15        None
 guest    0         None
 steve    15        RSA

Online users:
 Line        Username Idle time (h:m:s) Remote IP addr.
 ----------- -------- ----------------- ---------------
 0 console   admin    0:14:14           *
 1 VTY 0     admin    0:00:00           192.168.1.19
 2 SSH 1     steve    0:00:06           192.168.1.19

Web online users:
 Line        Remote IP addr Username Idle time (h:m:s).
 ----------- -------------- -------- ------------------
 1 HTTP      192.
Frame Size Commands

Table 4-9 Frame Size Commands
Command      Function                          Mode  Page
jumbo frame  Enables support for jumbo frames  GC    4-23

jumbo frame
This command enables support for jumbo frames. Use the no form to disable it.

Syntax
[no] jumbo frame

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
• This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10 KB for the Gigabit Ethernet ports.
File Management Commands

Managing Firmware
Firmware can be uploaded and downloaded to or from a TFTP server. By saving run-time code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.
• The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
• For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate" on page 3-74. For information on configuring the switch to use HTTPS for a secure connection, see "ip http secure-server" on page 4-100.
The following example shows how to download a configuration file:

Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:

Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

This example shows how to copy a secure-site certificate from a TFTP server.
delete
This command deletes a file or image.

Syntax
delete filename
  filename - Name of the configuration file or image name.

Command Mode
Privileged Exec

Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.

Example
This example shows how to delete the test2.cfg configuration file from flash memory.

Console#delete 1:test2.
• File information is shown below:

Table 4-11 File Directory Information
Column Heading  Description
File name       The name of the file.
File type       File types: Boot-Rom, Operation Code, and Config file.
Startup         Shows if this file is used when the system is started.
Size            The length of the file in bytes.
boot system
This command specifies the image used to start up the system.

Syntax
boot system {boot-rom | config | opcode}: filename

The type of file or image to set as a default includes:
• boot-rom* - Boot ROM.
• config* - Configuration file.
• opcode* - Run-time operation code.
• filename - Name of the configuration file or code image.
* The colon (:) is required.
Line Commands
You can access the onboard configuration program by attaching a VT100 compatible device to the server's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).

Command Usage
Telnet is considered a virtual terminal connection and will be shown as "Vty" in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
Example
To enter console line mode, enter the following command:
Console(config)#line console
Console(config-line)#
Related Commands
show line (4-39)
show users (4-21)

login
This command enables password checking at login.

Example
Console(config-line)#login local
Console(config-line)#
Related Commands
username (4-77)
password (4-33)

password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password.

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.

Command Mode
Line Configuration
Command Usage
• If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.
• Using the command without specifying a timeout restores the default setting.

Related Commands
silent-time (4-36)
timeout login response (4-13)

silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Syntax
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response.

Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Example
To specify 7 data bits, enter this command:
Console(config-line)#databits 7
Console(config-line)#
Related Commands
parity (4-37)

parity
This command defines the generation of a parity bit.

speed
This command sets the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps, or auto)
Default Setting
auto
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port.

Example
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#

disconnect
This command terminates an SSH, Telnet, or console connection.
Syntax
disconnect session-id
session-id - The session identifier for an SSH, Telnet or console connection. (Range: 0-4)
Command Mode
Privileged Exec
Command Usage
Specifying session identifier "0" will disconnect the console connection.

Example
To show all lines, enter this command:
Console#show line
Console Configuration:
 Password Threshold: 3 times
 Interactive Timeout: 600 sec
 Login Timeout: Disabled
 Silent Time: Disabled
 Baudrate: auto
 Databits: 8
 Parity: None
 Stopbits: 1
VTY Configuration:
 Password Threshold: 3 times
 Interactive Timeout: 600 sec
 Login Timeout: 300 sec
console#

Event Logging Commands
Table 4-13 Event Logging Commands
Command      Function                             Mode
logging on   Controls logging of error messages   GC
logging on
This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process.
Syntax
[no] logging on
Default Setting
None
Command Mode
Global Configuration
Command Usage
The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory.

logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
• level - One of the levels listed below.

logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Use this command more than once to build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.

logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level]
no logging trap
level - One of the level arguments listed below. Messages sent include the selected level up through level 0. (Refer to the table on page 4-42.

Related Commands
show logging (4-45)

show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | sendmail | trap}
• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).

The following example displays settings for the trap function.
Console#show logging trap
Syslog logging: Enable
REMOTELOG Status: disable
REMOTELOG Facility Type: local use 7
REMOTELOG Level Type: Debugging messages
REMOTELOG Server IP Address: 1.2.3.4
REMOTELOG Server IP Address: 0.0.0.0
REMOTELOG Server IP Address: 0.0.0.0
REMOTELOG Server IP Address: 0.0.0.0
REMOTELOG Server IP Address: 0.0.0.

Example
The following example shows sample messages stored in RAM.
Console#show log ram
[5] 00:01:06 2001-01-01
   "STA root change notification."
   level: 6, module: 6, function: 1, and
[4] 00:01:00 2001-01-01
   "STA root change notification."
   level: 6, module: 6, function: 1, and
[3] 00:00:54 2001-01-01
   "STA root change notification."
   level: 6, module: 6, function: 1, and
[2] 00:00:50 2001-01-01
   "STA topology change notification.

Command Mode
Global Configuration
Command Usage
• You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.

logging sendmail source-email
This command sets the email address used for the "From" field in alert messages. Use the no form to delete the source email address.
Syntax
[no] logging sendmail source-email email-address
email-address - The source email address used in alert messages.

logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
Syntax
[no] logging sendmail
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#logging sendmail
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
1. 192.168.1.
Time Commands
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.

Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current time: Dec 23 02:52:44 2002
Poll interval: 60
Current mode: unicast
SNTP status: Enabled
SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0
Current server: 10.1.0.19
Console#
Related Commands
sntp server (4-52)
sntp poll (4-53)
show sntp (4-53)

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued.

sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.
Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests.

clock timezone
This command sets the time zone for the switch's internal clock.
Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
• name - Name of timezone, usually an acronym. (Range: 1-29 characters)
• hours - Number of hours before/after UTC. (Range: 0-12 hours before; 0-13 hours after)
• minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
• before-utc - Sets the local time zone before (east) of UTC.

calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec {day month year | month day year}
• hour - Hour in 24-hour format. (Range: 0-23)
• min - Minute. (Range: 0-59)
• sec - Second. (Range: 0-59)
• day - Day of month.
Switch Cluster Commands
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.

Command Usage
• To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
• Switch clusters are limited to the same Ethernet broadcast domain.

cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.
Syntax
cluster ip-pool ip-address
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start with 10.x.x.x.
Default Setting
10.254.254.1
Command Mode
Global Configuration
Command Usage
• An "internal" IP address pool is used to assign IP addresses to Member switches in the cluster.

Command Usage
• The maximum number of cluster Members is 16.
• The maximum number of switch Candidates is 100.
Example
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#

rcommand
This command provides access to a cluster Member CLI for configuration.
Syntax
rcommand id member-id
member-id - The ID number of the Member switch.

show cluster members
This command shows the current switch cluster members.
Command Mode
Privileged Exec
Example
Console#show cluster members
Cluster Members:
ID: 1
Role: Active member
IP Address: 10.254.254.2
MAC Address: 00-12-cf-23-49-c0
Description: TigerSwitch 10/100/1000 SPORT MANAGE
Console#

show cluster candidates
This command shows the discovered Candidate switches in the network.
SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.

snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#

show snmp
This command can be used to check the status of SNMP communications.

Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1. private, and the privilege is read-write
 2.

Command Mode
Global Configuration
Example
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.

Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (4-64)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.

Command Usage
• If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
• The snmp-server host command is used in conjunction with the snmp-server enable traps command.

exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the "noauth" option, an SNMP user account will be generated, and the switch will authorize SNMP access for the host.
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#
Related Commands
snmp-server enable traps (4-67)

snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e.

Related Commands
snmp-server host (4-65)

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
• local - Specifies the SNMP engine on this switch.
• remote - Specifies an SNMP engine on a remote device.
• ip-address - The Internet address of the remote device.

Related Commands
snmp-server host (4-65)

show snmp engine-id
This command shows the SNMP engine ID.
Command Mode
Privileged Exec
Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP EngineID: 8000002a8000000000e8666672
Local SNMP Engine Boots: 1

Remote SNMP EngineID          IP Address
80000000030004e2b316c54321    192.168.1.19
Console#
Table 4-21 show snmp engine-id - display description
Field                 Description
Local SNMP EngineID   String identifying the engine ID.

Command Usage
• Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
• The predefined view "defaultview" includes access to the entire MIB tree.
Examples
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
Console(config)#snmp-server view ifEntry.2 1.

show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#
Table 4-22 show snmp view - display description
Field         Description
View Name     Name of an SNMP view.
Subtree OID   A branch in the MIB tree.

Default Setting
• Default groups: public (read only), private (read/write)
• readview - Every object belonging to the Internet OID space (1.3.6.1).
• writeview - Nothing is defined.
• notifyview - Nothing is defined.
Command Mode
Global Configuration
Command Usage
• A group sets the access policy for the assigned users.
• When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.

show snmp group
Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.

Table 4-23 show snmp group - display description
Field            Description
Group Name       Name of an SNMP group.
Security Model   The SNMP version.
Read View        The associated read view.
Write View       The associated write view.
Notify View      The associated notify view.
Storage Type     The storage type for this entry.
Row Status       The row status of this entry.

snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View.

Command Usage
• The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
• Before you configure a remote user, use the snmp-server engine-id command (page 4-68) to specify the engine ID for the remote device where the user resides.
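The derivation behind the first bullet, as an added example that is not code from the SMC guide: RFC 3414 stretches the password to a 1 MiB digest and then localizes it with the engine ID, so the key the switch stores for a user changes whenever the engine ID changes. The decoder follows the RFC 3411 engine ID layout and is run on the two engine IDs printed by show snmp engine-id above; the function names are this example's own, and the "maplesyrup" vectors are the published RFC 3414 test values. Standard library only.

```python
"""SNMPv3 USM key localization and engine ID decoding (RFC 3414 / RFC 3411).

Added example, not code from the SMC guide. A user's authentication and
privacy keys are not derived from the password alone: the password is
stretched to a 1 MiB digest (Ku) and then "localized" by hashing it together
with the engine ID (Kul). The agent stores Kul, so changing the engine ID
after "snmp-server user" invalidates every existing user key; for a remote
user the remote engine's ID must be used instead of the local one.
"""
import hashlib

ONE_MEBIBYTE = 1_048_576

# Engine ID formats defined in RFC 3411 section 5 for the octet after the
# enterprise number; values 128-255 are enterprise-specific.
ENGINE_ID_FORMATS = {
    1: "IPv4 address",
    2: "IPv6 address",
    3: "MAC address",
    4: "administratively assigned text",
    5: "administratively assigned octets",
}


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """RFC 3414 A.2.1/A.2.2: hash the password repeated to exactly 1 MiB.

    The result Ku does not depend on any engine and is never stored by the
    agent; it is only an intermediate value for localize_key().
    """
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(ONE_MEBIBYTE, len(password))
    return hashlib.new(algorithm, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id_hex: str, algorithm: str = "md5") -> bytes:
    """Derive the key an agent with the given engine ID stores for this password."""
    engine_id = bytes.fromhex(engine_id_hex)
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def decode_engine_id(engine_id_hex: str) -> dict:
    """Split an engine ID as printed by "show snmp engine-id" into RFC 3411 fields.

    When the top bit of the first octet is set, octets 1-3 carry the IANA
    enterprise number and octet 4 the format of the remaining octets. Otherwise
    the ID uses the older 12-octet layout: a 4-octet enterprise number followed
    by 8 enterprise-defined octets.
    """
    raw = bytes.fromhex(engine_id_hex)
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    if (raw[0] & 0x80) == 0:
        return {"layout": "legacy", "enterprise": int.from_bytes(raw[:4], "big"),
                "body": raw[4:].hex()}
    fmt = raw[4]
    if fmt in ENGINE_ID_FORMATS:
        fmt_name = ENGINE_ID_FORMATS[fmt]
    elif fmt >= 128:
        fmt_name = "enterprise-specific"
    else:
        fmt_name = "reserved"
    info = {"layout": "rfc3411", "enterprise": int.from_bytes(raw[1:4], "big"),
            "format": fmt, "format_name": fmt_name, "body": raw[5:].hex()}
    if fmt == 3 and len(raw) >= 11:
        # A MAC-format body starts with the six address octets.
        info["mac"] = ":".join(f"{b:02x}" for b in raw[5:11])
    return info


if __name__ == "__main__":
    # Engine IDs exactly as printed in the guide's "show snmp engine-id" example.
    LOCAL_ENGINE_ID = "8000002a8000000000e8666672"
    REMOTE_ENGINE_ID = "80000000030004e2b316c54321"
    for label, eid in (("local", LOCAL_ENGINE_ID), ("remote", REMOTE_ENGINE_ID)):
        print(label, decode_engine_id(eid))
    # Same password, two engines: the stored keys differ, which is why the
    # engine ID has to be final before "snmp-server user" is entered.
    pw = b"maplesyrup"  # RFC 3414 A.3 test password, used here as a demo value
    for eid in (LOCAL_ENGINE_ID, REMOTE_ENGINE_ID):
        print(eid, "md5 Kul =", localized_key(pw, eid).hex())
```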
Table 4-24 show snmp user - display description
Field                     Description
EngineId                  String identifying the engine ID.
User Name                 Name of user connecting to the SNMP agent.
Authentication Protocol   The authentication protocol used with SNMPv3.
Privacy Protocol          The privacy protocol used with SNMPv3.
Storage Type              The storage type for this entry.
Row Status                The row status of this entry.
SNMP remote user          A user associated with an SNMP engine on a remote device.

User Account and Privilege Level Commands
The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-31), user authentication via a remote authentication server (page 4-76), and host access authentication for specific ports (page 4-112).

Command Mode
Global Configuration
Command Usage
• Privilege level 0 provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions. Level 15 provides full access to all commands.
• The encrypted password is required for compatibility with legacy password settings (i.e.

Example
Console(config)#enable password level 15 0 admin
Console(config)#
Related Commands
enable (4-11)
authentication enable (4-82)

privilege
This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.
Syntax
privilege mode [all] level level command
no privilege mode [all] command
• mode - The configuration mode containing the specified command.

Command Usage
Due to system limitations in the current software, privilege commands (page 4-79) entered during the current switch session will not be stored properly in the running-config file (see show running-config on page 4-18). The privilege rerun command must therefore be used to correctly update these commands to the running-config file.

authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.
Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
• local - Use local password.
• radius - Use RADIUS server password.
• tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
• RADIUS uses UDP while TACACS+ uses TCP.

authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-11). Use the no form to restore the default.
Syntax
authentication enable {[local] [radius] [tacacs]}
no authentication enable
• local - Use local password only.
• radius - Use RADIUS server password only.
• tacacs - Use TACACS server password.
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.

Example
Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green
Console(config)#

radius-server port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server port port-number
no radius-server port
port-number - RADIUS server UDP port used for authentication messages.

radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.

Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings
 Communication Key with RADIUS Server:
 Auth-Port: 1812
 Retransmit Times: 2
 Request Timeout: 5
Sever 1:
 Server IP Address: 192.168.1.

tacacs-server host
This command specifies the TACACS+ server. Use the no form to restore the default.
Syntax
[no] tacacs-server index host host-ip-address [port port-number] [timeout timeout] [retransmit retransmit] [key key]
• index - Specifies the index number of the server. (Range: 1)
• host-ip-address - IP address of the server.
• port-number - The TACACS+ server TCP port used for authentication messages.

Example
Console(config)#tacacs-server port 181
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
Syntax
tacacs-server key key-string
no tacacs-server key
key-string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.

tacacs-server timeout
This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default.
Syntax
tacacs-server timeout number_of_seconds
no tacacs-server timeout
number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
AAA Commands
The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.

Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#

server
This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group.
Syntax
[no] server {index | ip-address}
• index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1)
• ip-address - Specifies the host IP address of a server.

aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting dot1x {default | method-name}
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.

aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting exec {default | method-name}
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.

aaa accounting commands
This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.
Syntax
aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group}
no aaa accounting commands level {default | method-name}
• level - The privilege level for executing commands. (Range: 0-15)
• default - Specifies the default accounting method for service requests.

aaa accounting update
This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.
Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.

Example
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#

accounting exec
This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line.
Syntax
accounting exec {default | list-name}
no accounting exec
• default - Specifies the default method list created with the aaa accounting exec command (page 4-93).

Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#

aaa authorization exec
This command enables the authorization for Exec access. Use the no form to disable the authorization service.
Syntax
aaa authorization exec {default | method-name} group {tacacs+ | server-group}
no aaa authorization exec {default | method-name}
• default - Specifies the default authorization method for Exec access.

authorization exec
This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line.
Syntax
authorization exec {default | list-name}
no authorization exec
• default - Specifies the default method list created with the aaa authorization exec command (page 4-97).
• list-name - Specifies a method list created with the aaa authorization exec command.

Command Mode
Privileged Exec
Example
Console#show accounting
Accounting type: dot1x
 Method list: default
 Group list: radius
 Interface:

 Method list: tps
 Group list: radius
 Interface: eth 1/2

Accounting type: Exec
 Method list: default
 Group list: radius
 Interface: vty
Console#

Web Server Commands
This section describes commands used to configure web browser management access to the switch.
Example
Console(config)#ip http port 769
Console(config)#
Related Commands
ip http server (4-100)

ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.

• When you start HTTPS, the connection is established in this way:
  - The client authenticates the server using the server's digital certificate.
  - The client and server negotiate a set of security protocols to use for the connection.
  - The client and server generate session keys for encrypting and decrypting data.
• The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.

Command Usage
• You cannot configure the HTTP and HTTPS servers to use the same port.
Authentication Commands 4 Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install a SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0.
4 Command Line Interface Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example: 10.1.0.
4 Authentication Commands d) The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch. e) The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
4 Command Line Interface Related Commands ip ssh crypto host-key generate (4-108) show ssh (4-110) ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation.
Authentication Commands 4 Command Mode Global Configuration Example Console(config)#ip ssh authentication-retires 2 Console(config)# Related Commands show ip ssh (4-109) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size – The size of server key.
4 Command Line Interface Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. • rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs. Command Mode Privileged Exec Command Usage • The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
4 Authentication Commands Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command.
4 Command Line Interface Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State 0 2.
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
• If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control, which prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 4-37 802.1X Port Authentication
Command Function Mode Page
dot1x system-auth-control Enables dot1x globally on the switch. 4-112
dot1x default
This command sets all configurable dot1x global and port settings to their default values.
Command Mode
Global Configuration
Example
Console(config)#dot1x default
Console(config)#

dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
Default
force-authorized
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#

dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-26/50)
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Related Commands
dot1x timeout re-authperiod (4-116)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds.
dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
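To see how max-req, tx-period and quiet-period interact on one port, here is an added simulation of the authenticator's EAP-Request/Identity retransmission. It is an illustration written for this guide, not the switch's own state machine, and it assumes a simplified model: one request at time 0, a retransmission every tx-period seconds, a session timeout after max-req retransmissions go unanswered, and no new request until quiet-period has elapsed. The values 2, 30 and 60 used below are the IEEE 802.1X defaults for these timers, not values taken from this page.

```python
def eap_identity_timeline(max_req, tx_period, quiet_period, supplicant_replies_at=None):
    """Simulate the authenticator side of one EAP-Request/Identity exchange.

    Assumed model (an illustration, not the switch's documented behaviour):
      - the port sends a request at t=0 and retransmits every tx_period seconds;
      - after max_req retransmissions with no reply the session times out;
      - the port then waits quiet_period seconds before acquiring a new client.
    supplicant_replies_at: time at which the client answers, or None for silence.
    Returns a list of (time, event) tuples in chronological order.
    """
    events = []
    t = 0
    sent = 0
    while True:
        events.append((t, "eap-request/identity"))
        sent += 1
        # A reply that arrives before the next retransmission ends the exchange.
        if supplicant_replies_at is not None and t <= supplicant_replies_at < t + tx_period:
            events.append((supplicant_replies_at, "eap-response/identity"))
            return events
        t += tx_period
        if sent > max_req:   # initial request plus max_req retransmissions exhausted
            events.append((t, "timeout"))
            events.append((t + quiet_period, "quiet-period-end"))
            return events

def time_to_timeout(max_req, tx_period):
    """Seconds a silent client occupies the port before it times out under this model."""
    return (max_req + 1) * tx_period

if __name__ == "__main__":
    for time, event in eap_identity_timeline(2, 30, 60):
        print(f"t={time:4d}s  {event}")
```

With the defaults a silent client ties up the port for 90 seconds before the quiet period starts; raising max-req or tx-period lengthens that window, which is the trade-off to weigh when tuning these timers.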
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout supp-timeout 300
Console(config-if)#

show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
• statistics - Displays dot1x status for each port.
• interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number.
- max-req – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-113).
- Status – Authorization status (authorized or not).
- Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port.
- Max Count – The maximum number of hosts allowed to access this port (page 4-114).
- Port-control
- Supplicant
- Current Identifier
Example
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable

802.1X Port Summary
Port Name Status   Operation Mode Mode            Authorized
1/1       disabled Single-Host    ForceAuthorized n/a
1/2       enabled  Single-Host    auto            yes
. . .
1/26      disabled Single-Host    ForceAuthorized n/a

802.1X Port Details
802.1X is disabled on port 1/1
802.
Management IP Filter Commands
This section describes commands used to configure IP management access to the switch.
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console(config)#

show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and of ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this section.
Port Security Commands
These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Command Usage
• If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
• Use the port security command to enable security on a port.
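As an added illustration of the learning rule just described (example code written for this guide, not switch firmware), the model below keeps a per-port static and dynamic address table, learns new sources until the configured maximum is reached, and from then on forwards only frames whose source is already in the table. The port name, MAC addresses and frame sequence are constructed sample data.

```python
def norm_mac(mac):
    """Canonicalize a MAC so '00:E0:29:94:34:DE' and '00-e0-29-94-34-de' compare equal."""
    return mac.lower().replace(":", "-")

class SecurePort:
    """Model of one port with port security enabled (illustration only)."""

    def __init__(self, name, max_mac_count, static_macs=()):
        self.name = name
        self.max_mac_count = max_mac_count
        self.static = {norm_mac(m) for m in static_macs}   # static address table entries
        self.dynamic = set()                                 # dynamically learned entries
        self.dropped = []                                    # sources refused after the limit

    def learned_count(self):
        return len(self.static) + len(self.dynamic)

    def ingress(self, src_mac):
        """Return 'forward' for a known source, 'learn' when a new source is
        admitted under the limit, or 'drop' once the table is full."""
        mac = norm_mac(src_mac)
        if mac in self.static or mac in self.dynamic:
            return "forward"
        if self.learned_count() < self.max_mac_count:
            self.dynamic.add(mac)
            return "learn"
        self.dropped.append(mac)   # a candidate for the port's intrusion counter / log
        return "drop"

def run_sample():
    """Constructed frame sequence on a port limited to 2 addresses, one of them static."""
    port = SecurePort("eth1/5", max_mac_count=2, static_macs=["00-00-01-02-03-04"])
    frames = ["00-00-01-02-03-04",   # static entry: forwarded
              "00-00-01-02-03-05",   # first new source: learned (table now full)
              "00-00-01-02-03-05",   # known dynamic entry: forwarded
              "00-00-01-02-03-06",   # third source: table full, dropped
              "00:00:01:02:03:04"]   # static entry again, different notation
    return [port.ingress(m) for m in frames], sorted(port.dropped)

if __name__ == "__main__":
    actions, dropped = run_sample()
    print(actions, dropped)
```

The dropped list is the data a defender would want surfaced: repeated drops on a port whose limit is 1 or 2 usually mean an unauthorized hub or a second device behind the wall jack.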
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed.
Command Usage
The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Example
Console(config-if)#network-access max-mac-count 5
Console(config-if)#

network-access mode
Use this command to enable network access authentication on a port.
indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.”
Example
Console(config-if)#network-access mode mac-authentication
Console(config-if)#

mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.
Example
Console(config-if)#mac-authentication intrusion-action block-traffic
Console(config-if)#

mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via 802.1X authentication or MAC authentication. Use the no form of this command to restore the default.
Syntax
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of 802.
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
----------------------------------------------------------------
Port : 1/1
MAC Authentication : Disabled
MAC Authentication Intrusion action : Block traffic
MAC Authentication Maximum MAC Counts : 1024
Maximum MAC Counts : 2048
Dynamic VLAN Assignment : Enabled
Guest VLAN : Disabled
Console#

show network-access mac-address-table
Example
Console#show network-access mac-address-table
---- ----------------- --------------- ---------
Port MAC-Address       RADIUS-Server   Attribute
---- ----------------- --------------- ---------
1/1  00-00-01-02-03-04 172.155.120.17  Static
1/1  00-00-01-02-03-05 172.155.120.17  Dynamic
1/1  00-00-01-02-03-06 172.155.120.17  Static
1/3  00-00-01-02-03-07 172.155.120.
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an insecure interface from outside the network or firewall.
MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header.
* If the DHCP packet is not a recognizable type, it is dropped.
- If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command (page 4-134).
• When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
• Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
Example
This example sets port 5 to untrusted.
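The filtering rules in the usage notes above (hardware-address verification, dropping unrecognizable types, relaying client packets only to trusted ports in the same VLAN) are collected in the added model below. It is example code written for this guide, not the switch's implementation. One rule it includes is not quoted on this page because the start of the list falls on the previous one: server-originated replies (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which is the standard DHCP snooping behaviour that this feature's description of "insecure interfaces" refers to. Port names, VLAN and addresses are constructed.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}

@dataclass
class DhcpFrame:
    msg_type: str      # DHCP message type, e.g. "DISCOVER"
    ingress: str       # port the frame arrived on, e.g. "eth1/5"
    vlan: int
    src_mac: str       # Ethernet source address
    chaddr: str        # client hardware address carried inside the DHCP payload

class DhcpSnooper:
    """Added model of the DHCP snooping filter (illustration, not switch firmware)."""

    def __init__(self, trusted_ports, snooping_vlans, verify_mac=True):
        self.trusted = set(trusted_ports)     # ip dhcp snooping trust
        self.vlans = set(snooping_vlans)      # ip dhcp snooping vlan
        self.verify_mac = verify_mac          # ip dhcp snooping verify mac-address
        self.port_vlans = {}                  # port -> VLANs it belongs to

    def add_port(self, port, vlan):
        self.port_vlans.setdefault(port, set()).add(vlan)

    def decide(self, f):
        """Return (action, egress_ports, reason).  egress_ports is None when the
        frame is forwarded by normal switching rather than restricted relaying."""
        if f.vlan not in self.vlans:
            return "forward", None, "snooping not enabled on this VLAN"
        if f.msg_type in SERVER_MESSAGES:
            if f.ingress in self.trusted:
                return "forward", None, "server reply on trusted port"
            return "drop", [], "server reply received on untrusted port"
        if f.msg_type not in CLIENT_MESSAGES:
            return "drop", [], "unrecognizable DHCP packet type"
        if self.verify_mac and f.src_mac.lower() != f.chaddr.lower():
            return "drop", [], "chaddr does not match Ethernet source address"
        # Client request passed all checks: relay only to trusted ports in the same VLAN.
        egress = sorted(p for p in self.trusted
                        if f.vlan in self.port_vlans.get(p, ()) and p != f.ingress)
        return "forward", egress, "client request relayed to trusted ports in VLAN"

def build_sample():
    """Constructed topology: clients on eth1/1 and eth1/2, DHCP server behind eth1/5."""
    s = DhcpSnooper(trusted_ports={"eth1/5"}, snooping_vlans={1})
    for port in ["eth1/1", "eth1/2", "eth1/5"]:
        s.add_port(port, 1)
    return s

if __name__ == "__main__":
    s = build_sample()
    print(s.decide(DhcpFrame("DISCOVER", "eth1/1", 1, "00-00-01-02-03-04", "00-00-01-02-03-04")))
    print(s.decide(DhcpFrame("OFFER", "eth1/2", 1, "00-00-01-02-03-ff", "00-00-01-02-03-04")))
```

The second call is the rogue-server case: an OFFER entering on an untrusted client port never reaches the other clients, while the same OFFER arriving on eth1/5 would be forwarded normally.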
ip dhcp snooping information option
This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function.
Syntax
[no] ip dhcp snooping information option
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.
Syntax
ip dhcp snooping information policy {drop | keep | replace}
• drop - Drops the client’s request packet instead of relaying it.
• keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
1
Verify Source Mac-Address: enable
Interface Trusted
--------- -------
Eth 1/1   No
Eth 1/2   No
Eth 1/3   No
Eth 1/4   No
Eth 1/5   Yes
. . .
IP Source Guard Commands
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping Commands" on page 4-131). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.
• When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
• Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
• Static addresses entered in the source guard binding table with the ip source-guard binding command (page 4-141) are automatically configured with an infinite lease time.
ip source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
Syntax
ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port
no ip source-guard binding mac-address vlan vlan-id
• mac-address - A valid unicast MAC address.
• vlan-id - ID of a configured VLAN (Range: 1-4094)
• ip-address - A valid unicast IP address, including classful types A, B or C.
Related Commands
ip source-guard (4-139)
ip dhcp snooping (4-132)
ip dhcp snooping vlan (4-133)

show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.
Command Mode
Privileged Exec
Example
Console#show ip source-guard
Interface Filter-type
--------- -----------
Eth 1/1   DISABLED
Eth 1/2   DISABLED
Eth 1/3   DISABLED
Eth 1/4   DISABLED
Eth 1/5   SIP
Eth 1/6   DISABLED
. . .
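The binding table described in this section (static entries with an infinite lease, dynamic entries from DHCP snooping with a lease, each tied to a VLAN and port) is modelled in the added example below so the filtering decision can be traced. This is illustration code written for this guide, not the switch's implementation; the SIP filter type is taken from the show ip source-guard output above and is interpreted here as matching on source IP, port and VLAN. Addresses, ports and lease times are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    entry_type: str            # "Static-IP-SG-Binding" or "Dynamic-DHCP-Binding"
    expires_at: Optional[int]  # None = infinite lease (static); else constructed epoch seconds

class SourceGuard:
    """Added model of IP Source Guard filtering (illustration only)."""

    def __init__(self):
        self.bindings = []
        self.filter_type = {}   # port -> "DISABLED" or "SIP", as shown by show ip source-guard

    def enable(self, port, filter_type="SIP"):
        self.filter_type[port] = filter_type

    def add_static(self, mac, vlan, ip, port):
        """Counterpart of 'ip source-guard binding': the entry never expires."""
        self.bindings.append(Binding(mac, ip, vlan, port, "Static-IP-SG-Binding", None))

    def learn_from_dhcp(self, mac, vlan, ip, port, lease_seconds, now):
        """A dynamic entry the DHCP snooping table would contribute, with its lease."""
        self.bindings.append(Binding(mac, ip, vlan, port, "Dynamic-DHCP-Binding",
                                     now + lease_seconds))

    def active_bindings(self, now):
        """Entries whose lease has not yet run out (static entries are always active)."""
        return [b for b in self.bindings if b.expires_at is None or b.expires_at > now]

    def permit(self, port, vlan, src_ip, now):
        """Decide an IP packet arriving on port: (permitted, reason)."""
        if self.filter_type.get(port, "DISABLED") == "DISABLED":
            return True, "source guard disabled on port"
        for b in self.active_bindings(now):
            if b.port == port and b.vlan == vlan and b.ip == src_ip:
                return True, f"matched {b.entry_type}"
        return False, "no binding for source IP on this port/VLAN"

def build_sample():
    """Constructed table: one static host and one DHCP client, both on Eth 1/5 in VLAN 1."""
    sg = SourceGuard()
    sg.enable("eth1/5")   # Eth 1/5 shows SIP in the output above; the others stay DISABLED
    sg.add_static("00-00-01-02-03-04", 1, "192.168.1.19", "eth1/5")
    sg.learn_from_dhcp("00-00-01-02-03-05", 1, "192.168.1.25", "eth1/5",
                       lease_seconds=3600, now=1000)
    return sg

if __name__ == "__main__":
    sg = build_sample()
    print(sg.permit("eth1/5", 1, "192.168.1.25", now=2000))   # within lease: permitted
    print(sg.permit("eth1/5", 1, "192.168.1.30", now=2000))   # neighbour's address: blocked
```

The last call is the case the feature exists for: a host on Eth 1/5 sending with an address that was never bound to that port is filtered, while the same address would pass on Eth 1/1 where source guard is DISABLED.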
Access Control List Commands
Access Control Lists (ACLs) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or for any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
• standard – Specifies an ACL that filters packets based on the source IP address.
• extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
• acl-name – Name of the ACL.
permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | source bitmask | host source}
• any – Any source IP address.
• source – Source IP address.
• bitmask – Decimal number representing the address bits to match.
• host – Keyword followed by a specific IP address.
permit, deny (Extended ACL)
This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Command Usage
• All new rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
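To make the bitmask semantics concrete (1 bits match, 0 bits are ignored, which is the opposite of a Cisco-style wildcard mask), here is an added evaluator for a standard IP ACL. It is example code written for this guide, not the switch's matching engine. It assumes rules are tested in entry order with the first match deciding, and that a packet matching no rule is denied; the page states the first of these but not the implicit deny, which is standard ACL behaviour and is marked as an assumption in the code. The rules loaded are the "david" list shown by show access-list later in this chapter.

```python
import ipaddress

def _ip(dotted):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

class StandardIpAcl:
    """Added model of a standard IP ACL (illustration, not switch firmware)."""

    def __init__(self, name):
        self.name = name
        self.rules = []   # (action, masked_addr, mask, rule_text) in entry order

    def _add(self, action, spec):
        # spec is one of: "any", "host A.B.C.D", "A.B.C.D M.M.M.M" (address bitmask)
        parts = spec.split()
        if parts == ["any"]:
            addr, mask = 0, 0                        # every bit ignored
        elif parts[0] == "host":
            addr, mask = _ip(parts[1]), 0xFFFFFFFF   # every bit must match
        else:
            addr, mask = _ip(parts[0]), _ip(parts[1])
        # Pre-AND the rule address so the compare in evaluate() is a single equality.
        self.rules.append((action, addr & mask, mask, f"{action} {spec}"))

    def permit(self, spec):
        self._add("permit", spec)   # appended to the end, as the usage note says

    def deny(self, spec):
        self._add("deny", spec)

    def evaluate(self, src_ip):
        """First matching rule wins.  A packet matching no rule is denied
        (implicit deny: assumed standard ACL behaviour, not stated on this page)."""
        s = _ip(src_ip)
        for action, addr, mask, text in self.rules:
            if s & mask == addr:
                return action, text
        return "deny", "implicit deny"

def build_david():
    """The 'david' list from the show access-list example in this chapter."""
    acl = StandardIpAcl("david")
    acl.permit("host 10.1.1.21")
    acl.permit("168.92.16.0 255.255.240.0")
    return acl

if __name__ == "__main__":
    acl = build_david()
    for ip in ["10.1.1.21", "10.1.1.22", "168.92.20.5", "168.92.40.1"]:
        print(ip, acl.evaluate(ip))
```

168.92.20.5 is permitted because 20 AND 240 is 16, so the masked address equals 168.92.16.0; 168.92.40.1 masks to 168.92.32.0 and falls through to the implicit deny.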
Related Commands
access-list ip (4-144)

show ip access-list
This command displays the rules for configured IP ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
• standard – Specifies a standard IP ACL.
• extended – Specifies an extended IP ACL.
• acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces)
Command Mode
Privileged Exec
Example
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.
Example
Console(config)#int eth 1/25
Console(config-if)#ip access-group david in
Console(config-if)#
Related Commands
show ip access-list (4-148)

show ip access-group
This command shows the ports assigned to IP ACLs.
access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
Syntax
[no] access-list mac acl-name
acl-name – Name of the ACL. (Maximum length: 16 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
[no] {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]]
[no] {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask]
[no] {permit | deny} untagged-802.
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#
Related Commands
access-list mac (4-150)

show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
Related Commands
show mac access-list (4-152)

show mac access-group
This command shows the ports assigned to MAC ACLs.
ACL Information
Table 4-47 ACL Information
Command Function Mode Page
show access-list Shows all ACLs and associated rules PE 4-154
show access-group Shows the ACLs assigned to each port PE 4-154

show access-list
This command shows all ACLs and associated rules.
Command Mode
Privileged Exec
Example
Console#show access-list
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.16.0 255.255.240.0
IP extended access-list bob:
permit 10.7.1.1 255.255.255.
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Command Mode
Global Configuration
Example
To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#

description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface.
Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
Command Usage
• When auto-negotiation is enabled, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
• If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use auto-negotiation.
Command Usage
When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
Example
The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
• Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise, back-pressure jamming signals may degrade overall performance for the segment attached to the hub.
Example
The following example enables flow control on port 5.
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons.
Example
The following example disables port 5.
Example
The following shows how to configure broadcast storm control at 500 packets per second:
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast packet-rate 500
Console(config-if)#

clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number.
show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-26/50)
• port-channel channel-id (Range: 1-32)
• vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Console#show interfaces status vlan 1
Information of VLAN 1
MAC Address: 00-12-CF-12-34-56
Console#

show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-26/50)
• port-channel channel-id (Range: 1-32)
Default Setting
Shows the counters for all interfaces.
RMON stats:
Drop events: 0, Octets: 227208, Packets: 3338
Broadcast pkts: 263, Multi-cast pkts: 3064
Undersize pkts: 0, Oversize pkts: 0
Fragments: 0, Jabbers: 0
CRC align errors: 0, Collisions: 0
Packet size <= 64 octets: 3150, Packet size 65 to 127 octets: 139
Packet size 128 to 255 octets: 49, Packet size 256 to 511 octets: 0
Packet size 512 to 1023 octets: 0, Packet size 1024 to 1518 octets: 0
Console#

show interfaces switchport
This command displays the administrative and operati
Private-VLAN Mode: NONE
Private-VLAN host-association: NONE
Private-VLAN Mapping: NONE
802.1Q-tunnel Status: Disable
802.1Q-tunnel Mode: NORMAL
802.1Q-tunnel TPID: 8100(Hex)
Console#

Table 4-49 Interfaces Switchport Statistics
Field Description
Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 4-161).
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP system priority.
• Ports must have the same port admin key (Ethernet Interface).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[no] lacp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• The ports on both ends of an LACP trunk must be configured for full duplex and auto-negotiation.
• A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
Example
The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Ports must be configured with the same system priority to join the same LAG.
• System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• priority - LACP port priority is used to select a backup link.
show lacp
This command displays LACP information.
Syntax
show lacp [port-channel] {counters | internal | neighbors | sysid}
• port-channel - Local identifier for a link aggregation group. (Range: 1-32)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for the local side.
• neighbors - Configuration settings and operational state for the remote side.
• sysid - Summary of system priority and MAC address for all channel groups.
Console#show lacp 1 internal
Port channel : 1
------------------------------------------------------------------------
Oper Key : 4
Admin Key : 0
Eth 1/1
------------------------------------------------------------------------
LACPDUs Internal : 30 sec
LACP System Priority : 32768
LACP Port Priority : 32768
Admin Key : 4
Oper Key : 4
Admin State : defaulted, aggregation, long timeout, LACP-activity
Oper State : distributing, collecting, synchronization, aggregation, long timeout,
Console#show lacp 1 neighbors
Port channel 1 neighbors
------------------------------------------------------------------------
Eth 1/1
------------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-00-00-00-00-01
Partner Admin Port Number : 1
Partner Oper Port Number : 1
Port Admin Priority : 32768
Port Oper Priority : 32768
Admin Key : 0
Oper Key : 4
Admin State : defaulted, distributin
Console#show lacp sysid
Port Channel System Priority System MAC Address
------------------------------------------------------------------------
1            32768           00-12-CF-8F-2C-A7
2            32768           00-12-CF-8F-2C-A7
3            32768           00-12-CF-8F-2C-A7
4            32768           00-12-CF-8F-2C-A7
Console#

Table 4-54 show lacp sysid - display description
Field Description
Channel group A link aggregation group configured on this switch.
System Priority* LACP system priority for this channel group.
System MAC Address*
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
Table 4-55 Mirror Port Commands
Command Function Mode Page
port monitor Configures a mirror session IC 4-178
show port monitor Shows the configuration for a mirror port PE 4-179

port monitor
This command configures a mirror session. Use the no form to clear a mirror session.
Example
The following example configures the switch to mirror received packets from port 6 to 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 rx
Console(config-if)#

show port monitor
This command displays mirror information.
Syntax
show port monitor [interface]
interface - ethernet unit/port (source port)
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-26/50)
Default Setting
Shows all sessions.
RSPAN Mirroring Commands
Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.
has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports.
• IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. RSPAN uplink ports cannot be configured to use IEEE 802.
• The source port and destination port cannot be configured on the same switch.
Example
The following example configures the switch to mirror received packets from ports 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Example
The following example configures port 4 to receive mirrored RSPAN traffic:
Console(config)#rspan session 1 destination interface ethernet 1/2
Console(config)#

rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable RSPAN on the specified VLAN.
switchport allowed vlan command (page 4-226). Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command (page 4-228) will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
Command Mode
Privileged Exec
Example
Console#show rspan session
RSPAN Session ID : 1
Source Ports (mirrored ports) : None
RX Only : None
TX Only : None
BOTH : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode : Untagged
Switch Role : Destination
RSPAN VLAN : 2
RSPAN Uplink Ports : Eth 1/3
Operation Status : Up
Console#

Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic received on an interface.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 1000
Console(config-if)#

Power over Ethernet Commands
The commands in this group control the power that can be delivered to attached PoE devices through the switch ports. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget.
Default Setting
375 watts
Command Mode
Global Configuration
Command Usage
• Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source.
• If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
Example
  Console(config)#power inline compatible
  Console(config)#end
  Console#show power inline status
  Unit: 1
  Compatible mode : Enabled
                               Max        Used
  Interface   Admin    Oper    Power      Power
  ---------   -------  ----    --------   -------
  Eth 1/ 1    Enabled  Off     15400 mW   0 mW
  Eth 1/ 2    Enabled  Off     15400 mW   0 mW
  Eth 1/ 3    Enabled  Off     15400 mW   0 mW
  Eth 1/ 4    Enabled  Off     15400 mW   0 mW
  Eth 1/ 5    Enabled  Off     15400 mW   0 mW
  . . .
power inline maximum allocation
This command limits the power allocated to specific ports. Use the no form to restore the default setting.

Syntax
power inline maximum allocation [milliwatts]
no power inline maximum allocation
  milliwatts - The maximum power budget for the port. (Range: 0 - 31000 milliwatts)
Command Usage
• If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to control the supplied power. For example:
  - A device connected to a low-priority port that causes the switch to exceed its budget is not supplied power.
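As an added example (not code from the SMC guide), the following Python model works through the budget rule in the usage note above: ports are served in priority order, and a port whose demand would push the total past the configured budget is left unpowered. The three priority levels, the port-number tie-break, and the 26-port sample are assumptions made for the example.

```python
from dataclasses import dataclass

DEFAULT_BUDGET_MW = 375_000    # "375 watts", the switch's default power budget
DEFAULT_PORT_MAX_MW = 15_400   # per-port Max Power shown by 'show power inline status'

# Assumed priority levels for this example; the page only names "low-priority" ports.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class PoEPort:
    name: str            # e.g. "Eth 1/25"
    demand_mw: int       # power requested by the attached powered device
    priority: str = "low"
    max_mw: int = DEFAULT_PORT_MAX_MW   # 'power inline maximum allocation' for the port


def port_number(name: str) -> int:
    """'Eth 1/25' -> 25 (unit/port naming as used in the guide's examples)."""
    return int(name.rsplit("/", 1)[1])


def allocate_power(ports, budget_mw=DEFAULT_BUDGET_MW):
    """Return {port name: supplied mW}.

    Ports are visited highest priority first (tie-break: lowest port number, an
    assumption). A port's request is capped by its maximum allocation. A port whose
    capped demand would exceed the remaining budget gets 0 mW; later ports are still
    considered, so a smaller request further down the list may still be served.
    """
    supplied = {}
    used = 0
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], port_number(p.name)))
    for p in order:
        need = min(p.demand_mw, p.max_mw)
        if need == 0 or used + need > budget_mw:
            supplied[p.name] = 0          # exceeds the budget: not supplied power
            continue
        supplied[p.name] = need
        used += need
    return supplied


def sample_ports():
    """Constructed sample: 26 ports all asking for the 15.4 W class maximum, which in
    total (400.4 W) exceeds the 375 W budget; port 25 is marked critical."""
    ports = [PoEPort(f"Eth 1/{n}", DEFAULT_PORT_MAX_MW) for n in range(1, 27)]
    ports[24].priority = "critical"
    return ports


if __name__ == "__main__":
    alloc = allocate_power(sample_ports())
    for name, mw in alloc.items():
        print(f"{name:<9} {mw:>6} mW")
    print("total:", sum(alloc.values()), "mW of", DEFAULT_BUDGET_MW)
```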
show power inline status
This command displays the current power status for all ports or for specific ports.

Syntax
show power inline status [interface]
  interface
    ethernet
      • unit - Stack unit. (Range: 1)
      • port - Port number.
show power mainpower
Use this command to display the current power status for the switch.

Command Mode
Privileged Exec

Example
  Console#show power mainpower
  Unit 1 Mainpower Status
   Maximum Available Power : 375 watts
   System Operation Status : on
   Mainpower Consumption   : 0 watts
   Software Version        : Version 3.
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
  • mac-address - MAC address.
  • interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries.

Default Setting
None

Command Mode
Privileged Exec

Example
  Console#clear mac-address-table dynamic
  Console#

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.”
• The maximum number of address entries is 8191.
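The inverted mask semantics above (0 = compare the bit, 1 = ignore it) are easy to get backwards when auditing a filter table, so here is an added Python check that is not from the SMC guide. It parses addresses, applies the mask exactly as the page describes, and enforces the 8191-entry limit; the sample table entries are constructed for the example.

```python
import re

MAX_ENTRIES = 8191   # maximum number of address entries stated by the page
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")
MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Parse 'XX-XX-XX-XX-XX-XX' (dash or colon separated) into a 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(address: str, entry: str, mask: str) -> bool:
    """Switch semantics: a mask bit of 0 means the bit must match, 1 means ignore it.

    Inverting the mask yields the 'care' bits; the entry matches when address and
    entry agree on every care bit. 00-..-00 is therefore an exact match and FF-..-FF
    matches anything.
    """
    care = (~mac_to_int(mask)) & MAC_BITS
    return (mac_to_int(address) ^ mac_to_int(entry)) & care == 0


class MacFilterTable:
    """Constructed table of (name, entry, mask) tuples with the page's size limit."""

    def __init__(self):
        self.entries = []

    def add(self, name: str, entry: str, mask: str = "00-00-00-00-00-00"):
        if len(self.entries) >= MAX_ENTRIES:
            raise OverflowError(f"table full: {MAX_ENTRIES} entries")
        mac_to_int(entry), mac_to_int(mask)   # validate both before storing
        self.entries.append((name, entry, mask))

    def find(self, address: str):
        """Names of every entry whose (entry, mask) pair matches `address`."""
        return [n for n, e, m in self.entries if mac_matches(address, e, m)]


def sample_table() -> MacFilterTable:
    t = MacFilterTable()
    t.add("printer", "00-11-22-33-44-55")                       # exact match
    t.add("vendor-oui", "00-11-22-00-00-00", "00-00-00-FF-FF-FF")  # first 24 bits only
    t.add("catch-all", "00-00-00-00-00-00", "FF-FF-FF-FF-FF-FF")   # "any"
    return t


if __name__ == "__main__":
    t = sample_table()
    print(t.find("00-11-22-33-44-55"))   # all three entries match
    print(t.find("DE-AD-BE-EF-00-01"))   # only the catch-all matches
```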
Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
spanning-tree
This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.

Syntax
[no] spanning-tree

Default Setting
Spanning tree is enabled.

Command Mode
Global Configuration

Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Command Usage
• Spanning Tree Protocol - Uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
  - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
Default Setting
15 seconds

Command Mode
Global Configuration

Command Usage
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree max-age seconds
no spanning-tree max-age
  seconds - Time in seconds. (Range: 6-40 seconds)
  The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting
32768

Command Mode
Global Configuration

Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.

Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
  count - The transmission limit in seconds. (Range: 1-10)

Default Setting
3

Command Mode
Global Configuration

Command Usage
This command limits the maximum transmission rate for BPDUs.
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.

Syntax
[no] mst instance_id vlan vlan-range
  • instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
  • vlan-range - Range of VLANs. (Range: 1-4094)

Default Setting
none

Command Mode
MST Configuration

Command Usage
• Use this command to group VLANs into spanning tree instances.
Default Setting
32768

Command Mode
MST Configuration

Command Usage
• MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
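Two of the rules in this section are worth checking mechanically before pushing a change: the max-age bounds that depend on hello-time and forward-time (spanning-tree max-age), and root election by priority then lowest MAC (bridge priority and MST priority above, the same comparison applied per instance). The following Python is an added example, not from the SMC guide; the bridge names and MAC addresses are constructed.

```python
from dataclasses import dataclass


def max_age_bounds(hello_time: int, forward_time: int) -> tuple:
    """Permitted (min, max) for 'spanning-tree max-age' per the page's rules:
    minimum = higher of 6 or 2*(hello-time+1); maximum = lower of 40 or 2*(forward-time-1)."""
    lo = max(6, 2 * (hello_time + 1))
    hi = min(40, 2 * (forward_time - 1))
    return lo, hi


def check_max_age(max_age: int, hello_time: int, forward_time: int) -> bool:
    """True when max_age is accepted with the given hello and forward timers."""
    lo, hi = max_age_bounds(hello_time, forward_time)
    return lo <= max_age <= hi


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # bridge priority (global) or MST priority for one instance; default 32768
    mac: str        # tie-break: the lowest MAC address wins


def bridge_id(b: Bridge) -> tuple:
    """Ordering key: numerically lower priority wins, then lower MAC."""
    return (b.priority, int(b.mac.replace("-", "").replace(":", ""), 16))


def elect_root(bridges) -> Bridge:
    """Root device under the rule quoted above. For an MSTI, pass each bridge's
    MST priority for that instance instead of its global bridge priority."""
    return min(bridges, key=bridge_id)


# Constructed sample: two edge switches at the default priority and one core
# switch lowered to 4096 so that it wins the election.
SAMPLE_BRIDGES = [
    Bridge("edge-a", 32768, "00-E0-29-94-34-DE"),
    Bridge("core-b", 4096, "00-E0-29-10-20-30"),
    Bridge("edge-c", 32768, "00-E0-29-00-00-01"),
]


if __name__ == "__main__":
    # Defaults seen in 'show spanning-tree' on this page: hello 2, forward delay 15.
    print("max-age range with defaults:", max_age_bounds(2, 15))
    print("root:", elect_root(SAMPLE_BRIDGES).name)
    print("root without core-b:", elect_root(SAMPLE_BRIDGES[::2]).name)
```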
revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.

Syntax
revision number
  number - Revision number of the spanning tree. (Range: 0-65535)

Default Setting
0

Command Mode
MST Configuration

Command Usage
The MST region name (page 4-204) and revision number are used to designate a unique MST region. A bridge (i.e.
bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped.

Example
  Console(config-mstp)#max-hops 30
  Console(config-mstp)#

spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to reenable the spanning tree algorithm for the specified interface.
Table 4-64 Recommended STA Path Cost
  Port Type          Link Type     IEEE 802.1D-1998   IEEE 802.1w-2001
  Ethernet           Half Duplex   100                2,000,000
                     Full Duplex   95                 1,999,999
                     Trunk         90                 1,000,000
  Fast Ethernet      Half Duplex   19                 200,000
                     Full Duplex   18                 100,000
                     Trunk         15                 50,000
  Gigabit Ethernet   Full Duplex   4                  10,000
                     Trunk         3                  5,000

Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.

Syntax
spanning-tree port-priority priority
no spanning-tree port-priority
  priority - The priority for a port. (Range: 0-240, in steps of 16)

Default Setting
128

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command defines the priority for the use of a port in the Spanning Tree Algorithm.
devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
Related Commands
spanning-tree edge-port (4-208)

spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
  • auto - Automatically derived from the duplex mode setting.
  • point-to-point - Point-to-point link.
  • shared - Shared medium.
spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree mst instance_id cost cost
no spanning-tree mst instance_id cost
  • instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
  • cost - Path cost for an interface.
spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree mst instance_id port-priority priority
no spanning-tree mst instance_id port-priority
  • instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
  • priority - Priority for an interface.
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
Example
  Console#show spanning-tree
  Spanning-tree information
  --------------------------------------------------------------
  Spanning Tree Mode:             MSTP
  Spanning Tree Enabled/Disabled: Enabled
  Instance:                       0
  VLANs Configuration:            1-4094
  Priority:                       32768
  Bridge Hello Time (sec.):       2
  Bridge Max Age (sec.):          20
  Bridge Forward Delay (sec.):    15
  Root Hello Time (sec.):         2
  Root Max Age (sec.):            20
  Root Forward Delay (sec.):      15
  Max Hops:                       20
  Remaining Hops:                 20
  Designated Root:                32768.0.
show spanning-tree mst configuration
This command shows the configuration of the multiple spanning tree.
GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
show bridge-ext
This command shows the configuration for bridge extension commands.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
See "Displaying Basic VLAN Information" on page 3-168 and "Displaying Bridge Extension Capabilities" on page 3-15 for a description of the displayed items.
show gvrp configuration
This command shows if GVRP is enabled.

Syntax
show gvrp configuration [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number. (Range: 1-26/50)
    • port-channel channel-id (Range: 1-32)

Default Setting
Shows both global and interface-specific configuration.
Command Usage
• Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration/deregistration.
• Timer values are applied to GVRP for all the ports on all VLANs.
Related Commands
garp timer (4-218)

Editing VLAN Groups

Table 4-68 Editing VLAN Groups
  Command         Function                                                    Mode   Page
  vlan database   Enters VLAN database mode to add, change, and delete VLANs  GC     4-220
  vlan            Configures a VLAN, including VID, name and state            VC     4-221

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.

Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan]
no vlan vlan-id [name | state]
  • vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes)
  • name - Keyword to be followed by the VLAN name.
    - vlan-name - ASCII string from 1 to 32 characters.
  • media ethernet - Ethernet media type.
  • state - Keyword to be followed by the VLAN state.
Configuring VLAN Interfaces

Table 4-69 Configuring VLAN Interfaces
  Command                            Function                                                Mode   Page
  interface vlan                     Enters interface configuration mode for a specified VLAN  GC   4-222
  switchport mode                    Configures VLAN membership mode for an interface        IC     4-223
  switchport acceptable-frame-types  Configures frame types to be accepted by an interface   IC     4-224
  switchport ingress-filtering       Enables ingress filtering on an interface               IC     4-224
  switchport native vlan             Configures th
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.

Syntax
switchport mode {access | hybrid | trunk | private-vlan}
no switchport mode
  • access - Specifies an access VLAN interface. The port transmits and receives untagged frames only.
  • trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.

Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
  • all - The port accepts all frames, tagged or untagged.
  • tagged - The port only receives tagged frames.
• If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
• If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
• Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STA.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.

Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
  • add vlan-list - List of VLAN identifiers to add.
  • remove vlan-list - List of VLAN identifiers to remove.
  • vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.

Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
  • add vlan-list - List of VLAN identifiers to add.
  • remove vlan-list - List of VLAN identifiers to remove.
  • vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. Do not enter leading zeros.
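The interaction of acceptable-frame-types, ingress filtering, allowed and forbidden VLAN lists decides whether a mis-tagged frame is dropped or flooded, which matters when a port with ingress filtering left at its default receives tags it was never meant to carry. The following Python model is an added example, not code from the SMC guide: the filtering rules follow the Command Usage bullets above; the normal forwarding of member-VLAN traffic to other member ports, and the reading that "forbidden on this port" refers to the receiving port, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# BPDU types the page calls VLAN independent; ingress filtering never applies to them.
VLAN_INDEPENDENT = {"STA", "GVRP"}


@dataclass
class Port:
    name: str
    acceptable_frame_types: str = "all"    # switchport acceptable-frame-types {all | tagged}
    ingress_filtering: bool = False        # switchport ingress-filtering
    native_vlan: int = 1                   # switchport native vlan: VLAN assumed for untagged frames
    allowed: set = field(default_factory=lambda: {1})   # switchport allowed vlan
    forbidden: set = field(default_factory=set)         # switchport forbidden vlan


@dataclass
class Frame:
    vlan: Optional[int] = None   # None = untagged
    kind: str = "data"           # "data", or "STA"/"GVRP" for a BPDU


def ingress(port: Port, frame: Frame, ports) -> tuple:
    """Return (verdict, egress port names) for `frame` arriving on `port`."""
    if frame.kind in VLAN_INDEPENDENT:
        return "control", []               # handed to the protocol, never VLAN filtered
    if frame.vlan is None:
        if port.acceptable_frame_types == "tagged":
            return "discard", []           # tagged-only port: untagged frames are not received
        vlan = port.native_vlan
    else:
        vlan = frame.vlan
    others = [p for p in ports if p is not port]
    if vlan in port.allowed:
        # Assumed normal case: forward to the other member ports of that VLAN.
        return "forward", [p.name for p in others if vlan in p.allowed]
    # Tagged for a VLAN this port is not a member of.
    if port.ingress_filtering:
        return "discard", []               # filtering enabled: discarded
    if vlan in port.forbidden:
        return "discard", []               # explicitly forbidden on this port: not flooded
    return "flood", [p.name for p in others]   # filtering disabled: flooded to all other ports


def sample_ports():
    """Constructed three-port switch for the example."""
    return [
        Port("p1", allowed={1, 10}, forbidden={20}),              # filtering off (default)
        Port("p2", allowed={1, 10}),
        Port("p3", acceptable_frame_types="tagged", allowed={1}),
    ]


if __name__ == "__main__":
    ports = sample_ports()
    p1 = ports[0]
    for f in (Frame(10), Frame(30), Frame(20), Frame(30, kind="STA")):
        print(f, "->", ingress(p1, f, ports))
```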
Displaying VLAN Information

Table 4-70 Show VLAN Commands
  Command                       Function                                                      Mode     Page
  show vlan                     Shows VLAN information                                        NE, PE   4-228
  show interfaces status vlan   Displays status for the specified VLAN interface              NE, PE   4-163
  show interfaces switchport    Displays the administrative and operational status of an interface  NE, PE   4-165

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports.

dot1q-tunnel system-tunnel-control
This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.

Syntax
[no] dot1q-tunnel system-tunnel-control

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
• When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag.
• When a tunnel uplink port receives a packet from the service provider, the outer service provider’s tag is stripped off, and the packet passed on to the VLAN indicated by the inner tag.
Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#switchport dot1q-tunnel tpid 9100
  Console(config-if)#

Related Commands
show interfaces switchport (4-165)

show dot1q-tunnel
This command displays information about QinQ tunnel ports.
Configuring Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Local traffic belonging to each client is isolated to the allocated downlink ports, and upstream traffic coming from the downlink ports can only be forwarded to, and from, uplink ports.
Example
  Console(config)#pvlan
  Console(config)#

pvlan up-link/down-link
This command configures uplink/downlink ports for traffic-segmentation client sessions. Use the no form to restore a port to normal operating mode.

Syntax
pvlan [up-link interface-list down-link interface-list]
no pvlan
  • up-link - Specifies an uplink interface.
  • down-link - Specifies a downlink interface.
  • interface-list - One or more uplink or downlink interfaces.
Example
  Console#show pvlan
  Private VLAN status: Enabled
  Up-link port:
   Ethernet 1/12
  Down-link port:
   Ethernet 1/5
   Ethernet 1/6
   Ethernet 1/7
   Ethernet 1/8
  Console#

Configuring Private VLANs
Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs: primary and community groups.
To configure primary/community associated groups, follow these steps:
1. Use the private-vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups.
2. Use the private-vlan association command to map the community VLAN(s) to the primary VLAN.
3. Use the switchport mode private-vlan command to configure ports as promiscuous (i.e., having access to all ports in the primary VLAN) or host (i.e.
Example
  Console(config)#vlan database
  Console(config-vlan)#private-vlan 2 primary
  Console(config-vlan)#private-vlan 3 community
  Console(config)#

private vlan association
Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.
switchport mode private-vlan
Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting.

Syntax
switchport mode private-vlan {host | promiscuous}
no switchport mode private-vlan
  • host - This port type can subsequently be assigned to a community VLAN.
  • promiscuous - This port type can communicate with all other promiscuous ports in the same primary VLAN, as well as with all the ports in the associated secondary VLANs.
Command Usage
All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN.

Example
  Console(config)#interface ethernet 1/3
  Console(config-if)#switchport private-vlan host-association 3
  Console(config-if)#

switchport private-vlan mapping
Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping.
Default Setting
None

Command Mode
Privileged Exec

Example
  Console#show vlan private-vlan
  Primary   Secondary   Type
  --------  ----------  ---------
  5                     primary
  5         6           community
  Interfaces
  ------------------------------
  Eth1/ 3  Eth1/ 4  Eth1/ 5
  Console#

Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch. If lost in this manner, network access can be regained by removing the offending Protocol VLAN rule via the console. Alternately, the switch can be power-cycled; however, all unsaved configuration changes will be lost.

protocol-vlan protocol-group (Configuring Groups)
This command creates a protocol group, or adds specific protocols to a group.
Default Setting
No protocol groups are mapped for any interface.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-221), these interfaces will admit traffic of any protocol type into the associated VLAN.
• A maximum of 20 protocol VLAN groups can be defined on the switch.
Example
This shows protocol group 1 configured for IP over Ethernet:
  Console#show protocol-vlan protocol-group
  ProtocolGroup ID   Frame Type   Protocol Type
  ----------------   ----------   -------------
  1                  ethernet     08 00
  Console#

show interfaces protocol-vlan protocol-group
This command shows the mapping from protocol groups to VLANs for the selected interfaces.

Syntax
show interfaces protocol-vlan protocol-group [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit.
Class of Service Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
queue mode
This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value.

Syntax
queue mode {strict | wrr}
no queue mode
  • strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.
Default Setting
The priority is not set, and the default value for untagged frames received on the interface is zero.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
• The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames).
Default Setting
Weights 1, 2, 4, 8 are assigned to queues 0-3 respectively.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• WRR controls bandwidth sharing at the egress port by defining scheduling weights.
• WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue.
Default Setting
This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
show queue bandwidth
This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues.

Default Setting
None

Command Mode
Privileged Exec

Example
  Console#show queue bandwidth
  Queue ID   Weight
  --------   ------
  0          1
  1          2
  2          4
  3          8
  Console#

show queue cos-map
This command shows the class of service priority map.

Syntax
show queue cos-map [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.
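To see what the two queue modes above actually do to a congested port, here is an added Python simulation (not code from the SMC guide) of one strict-priority pass and of WRR with the default weights 1, 2, 4, 8 shown by show queue bandwidth. It assumes queue 3 is the highest priority queue and that a WRR cycle visits queues 0 through 3 in order; the per-queue backlogs are constructed inputs.

```python
from collections import deque

DEFAULT_WEIGHTS = (1, 2, 4, 8)   # queues 0-3, the default 'queue bandwidth' values


def make_queues(backlog):
    """backlog[i] = number of packets waiting in queue i (constructed input)."""
    return [deque(range(n)) for n in backlog]


def run_wrr(backlog, cycles=1, weights=DEFAULT_WEIGHTS):
    """Weighted round-robin: each time a queue is serviced it may transmit up to its
    weight in packets before the scheduler moves to the next queue. Returns the
    number of packets sent from each queue after `cycles` full passes."""
    queues = make_queues(backlog)
    sent = [0] * len(queues)
    for _ in range(cycles):
        for qid, weight in enumerate(weights):   # assumed visiting order: 0, 1, 2, 3
            for _ in range(weight):
                if not queues[qid]:
                    break                         # nothing left: give the turn away
                queues[qid].popleft()
                sent[qid] += 1
    return sent


def run_strict(backlog, slots):
    """Strict priority: every transmit slot goes to the highest-numbered queue that
    still holds a packet; a lower queue is served only when all higher ones are
    empty. `slots` bounds the simulated transmit opportunities."""
    queues = make_queues(backlog)
    sent = [0] * len(queues)
    for _ in range(slots):
        for qid in range(len(queues) - 1, -1, -1):
            if queues[qid]:
                queues[qid].popleft()
                sent[qid] += 1
                break
        else:
            break                                 # all queues drained
    return sent


def wrr_share(weights=DEFAULT_WEIGHTS):
    """Long-run fraction of the link each queue gets when all queues stay backlogged."""
    total = sum(weights)
    return [w / total for w in weights]


if __name__ == "__main__":
    print("WRR, one cycle, all queues full:", run_wrr([10, 10, 10, 10]))
    print("strict, 15 slots, all queues full:", run_strict([10, 10, 10, 10], 15))
    print("WRR shares:", [f"{s:.0%}" for s in wrr_share()])
```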
Priority Commands (Layer 3 and 4)

Table 4-79 Priority Commands (Layer 3 and 4)
  Command             Function                                         Mode   Page
  map ip port         Enables TCP/UDP class of service mapping         GC     4-250
  map ip port         Maps TCP/UDP socket to a class of service        IC     4-251
  map ip precedence   Enables IP precedence class of service mapping   GC     4-251
  map ip precedence   Maps IP precedence value to a class of service   IC     4-252
  map ip dscp         Enables IP DSCP class of service mapping         GC     4-252
  map ip dscp         Maps
map ip port (Interface Configuration)
This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting.

Syntax
map ip port port-number cos cos-value
no map ip port port-number
  • port-number - 16-bit TCP/UDP port number.
Example
The following example shows how to enable IP precedence mapping globally:
  Console(config)#map ip precedence
  Console(config)#

map ip precedence (Interface Configuration)
This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table.

Syntax
map ip precedence ip-precedence-value cos cos-value
no map ip precedence
  • precedence-value - 3-bit precedence value.
Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
The precedence for priority mapping is IP DSCP, and default switchport priority.

Example
The following example shows how to enable IP DSCP mapping globally:
  Console(config)#map ip dscp
  Console(config)#

map ip dscp (Interface Configuration)
This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table.
Command Usage
• The precedence for priority mapping is IP DSCP, and default switchport priority.
• DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues.
• This command sets the IP DSCP priority for all interfaces.
show map ip precedence
This command shows the IP precedence priority map.

Syntax
show map ip precedence [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.
Command Mode
Privileged Exec

Example
  Console#show map ip dscp ethernet 1/1
  DSCP mapping status: disabled
  Port       DSCP   COS
  ---------  ----   ---
  Eth 1/ 1   0      0
  Eth 1/ 1   1      0
  Eth 1/ 1   2      0
  Eth 1/ 1   3      0
  . . .
Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs.
5. Use the set command to modify the QoS value for matching traffic class, and use the police command to monitor the average flow and burst rate, and drop any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate.
6. Use the service-policy command to assign a policy map to a specific interface.

Notes:
1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
2.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.

Syntax
[no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
  • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
  • dscp - A DSCP value. (Range: 0-63)
  • ip-precedence - An IP Precedence value. (Range: 0-7)
  • vlan - A VLAN.
rename
This command redefines the name of a class map or policy map.

Syntax
rename map-name
  map-name - Name of the class map or policy map. (Range: 1-16 characters)

Command Mode
Class Map Configuration
Policy Map Configuration

Example
  Console(config)#class-map rd-class#1
  Console(config-cmap)#rename rd-class#9
  Console(config-cmap)#

description
This command specifies the description of a class map or policy map.
policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode.

Syntax
[no] policy-map policy-map-name
  policy-map-name - Name of the policy map.
Command Mode
Policy Map Configuration

Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the:
  - set command classifies the service that an IP packet will receive.
incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  Console(config)#policy-map rd_policy
  Console(config-pmap)#class rd_class
  Console(config-pmap-c)#set ip dscp 3
  Console(config-pmap-c)#police 100000 1522 exceed-action drop
  Console(config-pmap-c)#

police
This command defines a policer for classified traffic.
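The rd_policy example above (set ip dscp 3, then police 100000 1522 exceed-action drop) is worked through below as a token-bucket model; this is an added Python example, not code from the SMC guide. The bucket depth equals the burst size and refills at the average rate; the alternative of re-marking out-of-profile packets instead of dropping them (step 5 in the configuration outline) is modelled as an assumed "set-dscp" action, and the packet trace is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate token bucket for 'police <rate-kbps> <burst-bytes> exceed-action ...'."""
    rate_kbps: int
    burst_bytes: int
    exceed_action: str = "drop"     # "drop", or assumed "set-dscp" to lower the service level
    exceed_dscp: int = 0
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full: one burst is allowed

    def bytes_per_second(self) -> float:
        return self.rate_kbps * 1000 / 8

    def police(self, t: float, size: int, dscp: int) -> tuple:
        """Account for packet of `size` bytes arriving at time `t` seconds.

        Returns ("conform", dscp) when the packet fits the bucket, otherwise
        ("drop", None) or ("exceed", exceed_dscp) depending on the exceed action.
        """
        elapsed = max(0.0, t - self.last_t)
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.bytes_per_second())
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "conform", dscp
        if self.exceed_action == "drop":
            return "drop", None
        return "exceed", self.exceed_dscp


def run_policy(packets, policer: Policer, class_dscp: int = 3):
    """Apply rd_policy to packets already matched by rd_class: 'set ip dscp 3', then police.
    `packets` is a list of (arrival time in seconds, size in bytes)."""
    return [policer.police(t, size, class_dscp) for t, size in packets]


# Constructed trace: two back-to-back 1522-byte frames, then two more 1 ms later.
SAMPLE_PACKETS = [(0.0, 1522), (0.0, 1522), (0.001, 1522), (0.001, 100)]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_policy(SAMPLE_PACKETS, Policer(100000, 1522))):
        print(pkt, "->", verdict)
```

At 100,000 Kbps the bucket refills 12,500 bytes per millisecond but never holds more than the 1522-byte burst, so the second frame of each pair is out of profile.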
service-policy
This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface.

Syntax
[no] service-policy input policy-map-name
  • input - Apply to the input traffic.
  • policy-map-name - Name of the policy map for this interface. (Range: 1-16 characters)

Default Setting
No policy map is attached to an interface.
Example
  Console#show class-map
  Class Map match-any rd_class#1
    Match ip dscp 3
  Class Map match-any rd_class#2
    Match ip precedence 5
  Class Map match-any rd_class#3
    Match vlan 1
  Console#

show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.

Syntax
show policy-map [policy-map-name [class class-map-name]]
  • policy-map-name - Name of the policy map.
Command Mode
  Privileged Exec

Example
  Console#show policy-map interface ethernet 1/5
  Service-policy rd_policy input
  Console#

Multicast Filtering Commands

This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
ip igmp snooping

This command enables IGMP snooping on this switch. Use the no form to disable it.

Syntax
  [no] ip igmp snooping

Default Setting
  Enabled

Command Mode
  Global Configuration

Example
  The following example enables IGMP snooping.
  Console(config)#ip igmp snooping
  Console(config)#

ip igmp snooping vlan static

This command adds a port to a multicast group. Use the no form to remove the port.
ip igmp snooping version

This command configures the IGMP snooping version. Use the no form to restore the default.

Syntax
  ip igmp snooping version {1 | 2}
  no ip igmp snooping version
  • 1 - IGMP Version 1
  • 2 - IGMP Version 2

Default Setting
  IGMP Version 2

Command Mode
  Global Configuration

Command Usage
  • All systems on the subnet must support the same version.
  • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group.
  • The leave-proxy feature does not function when a switch is set as the querier.
Example
  The following shows how to enable immediate leave.
  Console(config)#interface vlan 1
  Console(config-if)#ip igmp snooping immediate-leave
  Console(config-if)#

show ip igmp snooping

This command shows the IGMP snooping configuration.

Default Setting
  None

Command Mode
  Privileged Exec

Command Usage
  See "Configuring IGMP Snooping and Query Parameters" on page 3-210 for a description of the displayed items.
Command Mode
  Privileged Exec

Command Usage
  Member types displayed include IGMP or USER, depending on selected options.

Example
  The following shows the multicast entries learned through IGMP snooping for VLAN 1:
  Console#show mac-address-table multicast vlan 1 igmp-snooping
   VLAN  M'cast IP addr.  Member ports  Type
   ----  ---------------  ------------  ------
      1  224.1.2.
Command Usage
  • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 4-268).
  • If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.

Example
  Console(config)#ip igmp snooping querier
  Console(config)#

ip igmp snooping query-count

This command configures the query count. Use the no form to restore the default.
ip igmp snooping query-interval

This command configures the query interval. Use the no form to restore the default.

Syntax
  ip igmp snooping query-interval seconds
  no ip igmp snooping query-interval
  seconds - The frequency at which the switch sends IGMP host-query messages.
Example
  The following shows how to configure the maximum response time to 20 seconds:
  Console(config)#ip igmp snooping query-max-response-time 20
  Console(config)#

Related Commands
  ip igmp snooping version (4-268)

ip igmp snooping router-port-expire-time

This command configures the query timeout. Use the no form to restore the default.
Static Multicast Routing Commands

This section describes commands used to configure static multicast routing on the switch.

Table 4-86 Static Multicast Routing Commands
  Command                        Function                      Mode  Page
  ip igmp snooping vlan mrouter  Adds a multicast router port  GC    4-275
  show ip igmp snooping mrouter  Shows multicast router ports  PE    4-276

ip igmp snooping vlan mrouter

This command statically configures a multicast router port. Use the no form to remove the configuration.
show ip igmp snooping mrouter

This command displays information on statically configured and dynamically learned multicast router ports.

Syntax
  show ip igmp snooping mrouter [vlan vlan-id]
  vlan-id - VLAN ID (Range: 1-4094)

Default Setting
  Displays multicast router ports for all configured VLANs.

Command Mode
  Privileged Exec

Command Usage
  Multicast router port types displayed include Static.
IGMP Filtering and Throttling Commands

In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example, in an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic.

Example
  Console(config)#ip igmp filter
  Console(config)#

ip igmp profile

This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.

Syntax
  [no] ip igmp profile profile-number
  profile-number - An IGMP filter profile number.
  • When the access mode is set to permit, IGMP join reports are processed only when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are processed only when a multicast group is not in the controlled range.

Example
  Console(config)#ip igmp profile 19
  Console(config-igmp-profile)#permit
  Console(config-igmp-profile)#

range

This command specifies multicast group addresses for a profile.
Command Mode
  Interface Configuration

Command Usage
  • The IGMP filtering profile must first be created with the ip igmp profile command before it can be assigned to an interface.
  • Only one profile can be assigned to an interface.
  • A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#ip igmp max-group 10
  Console(config-if)#

ip igmp max-groups action

This command sets the IGMP throttling action for an interface on the switch.

Syntax
  ip igmp max-groups action {replace | deny}
  • replace - The new multicast group replaces an existing group.
  • deny - The new multicast group join report is dropped.
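The profile, range, interface-assignment and max-groups commands above together decide what happens to each IGMP join report a port receives. The following is an added example, not code from the guide or the switch, that models that decision: the profile's access mode (permit or deny) and its address ranges gate the join, and max-groups with action replace or deny handles a port that is already full. Profile 19 and its two ranges are taken from the show ip igmp filter output on this page; the port name, the group addresses joined and the choice that "replace" evicts the oldest group are assumptions made for the demonstration.

```python
"""Added model of IGMP filter profiles and max-groups throttling.
Constructed for illustration, not the switch's code. Profile 19 and its
ranges come from this page; everything else is assumed."""
from ipaddress import IPv4Address


class IgmpProfile:
    def __init__(self, number: int, access_mode: str, ranges):
        if access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self.number = number
        self.access_mode = access_mode
        # ranges are inclusive (low, high) pairs, as given by the range command
        self.ranges = [(IPv4Address(lo), IPv4Address(hi)) for lo, hi in ranges]

    def in_controlled_range(self, group: str) -> bool:
        g = IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        """permit: process the join only inside the ranges; deny: only outside them."""
        inside = self.in_controlled_range(group)
        return inside if self.access_mode == "permit" else not inside


class IgmpPort:
    def __init__(self, name: str, profile=None, max_groups=None, action="deny"):
        if action not in ("replace", "deny"):
            raise ValueError("throttling action must be replace or deny")
        self.name = name
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.groups = []   # joined groups, oldest first

    def join(self, group: str) -> str:
        """Process one IGMP join report and return what happened to it."""
        if not IPv4Address(group).is_multicast:
            return "invalid"               # outside 224.0.0.0-239.255.255.255
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"              # dropped by the IGMP filter profile
        if group in self.groups:
            return "already-member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"         # join report dropped
            self.groups.pop(0)             # replace: assumed to evict the oldest group
            self.groups.append(group)
            return "replaced"
        self.groups.append(group)
        return "joined"


# Profile 19 as displayed on the page: deny, two controlled ranges.
PROFILE_19 = IgmpProfile(19, "deny", [("239.1.1.1", "239.1.1.1"),
                                     ("239.2.3.1", "239.2.3.100")])
# Constructed join sequence for the demonstration.
CONSTRUCTED_JOINS = ["239.1.1.1", "239.2.3.50", "239.2.3.101",
                     "224.1.2.3", "225.0.0.1", "10.0.0.1"]


def demo(action: str = "deny"):
    """Run the constructed joins through a port with profile 19 and max-groups 2."""
    port = IgmpPort("ethernet 1/1", PROFILE_19, max_groups=2, action=action)
    return [port.join(g) for g in CONSTRUCTED_JOINS], list(port.groups)


if __name__ == "__main__":
    print(demo("deny"))
    print(demo("replace"))
```

Running demo with both actions shows the operational difference: with deny, a subscriber already at the group limit keeps its existing streams and the new join is silently dropped; with replace, the new join succeeds at the cost of an existing group, which can surprise a user whose running stream stops.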
Command Mode
  Privileged Exec

Example
  Console#show ip igmp filter
  IGMP filter enabled
  Console#show ip igmp filter interface ethernet 1/1
  Ethernet 1/1 information
  --------------------------------
   IGMP Profile 19
       Deny
       range 239.1.1.1 239.1.1.1
       range 239.2.3.1 239.2.3.100
  Console#

show ip igmp profile

This command displays IGMP filtering profiles created on the switch.

Syntax
  show ip igmp profile [profile-number]
  profile-number - An existing IGMP filter profile number.
show ip igmp throttle interface

This command displays the interface settings for IGMP throttling.

Syntax
  show ip igmp throttle interface [interface]
  interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-26/50)
  • port-channel channel-id (Range: 1-32)

Default Setting
  None

Command Mode
  Privileged Exec

Command Usage
  Using this command without specifying an interface displays all interfaces.
Multicast VLAN Registration Commands

This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider's network. Any multicast traffic entering an MVR VLAN is sent to all subscribers. This can significantly reduce the processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN.
Command Mode
  Global Configuration

Command Usage
  • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
  • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams.
mvr (Interface Configuration)

This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword. Use the no form to restore the default settings.
  • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
Default Setting
  Displays global configuration settings for MVR when no keywords are used.

Command Mode
  Privileged Exec

Command Usage
  Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN, or use the members keyword to display information about multicast groups assigned to the MVR VLAN.
Table 4-90 show mvr interface - display description (Continued)
  Field            Description
  Status           Shows the MVR status and interface status. MVR status for source ports is "ACTIVE" if MVR is globally enabled on the switch. MVR status for receiver ports is "ACTIVE" only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  Immediate Leave  Shows if immediate leave is enabled or disabled.
Domain Name Service Commands

These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
Command Usage
  Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.

Example
  This example maps two addresses to a host name.
  Console(config)#ip host rd5 192.168.1.55 10.1.0.55
  Console(config)#end
  Console#show hosts
  Hostname      rd5
  Inet address  10.1.0.
Default Setting
  None

Command Mode
  Global Configuration

Example
  Console(config)#ip domain-name sample.com
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
      DNS disabled
  Default Domain Name:
      .sample.com
  Domain Name List:
  Name Server List:
  Console#

Related Commands
  ip domain-list (4-292)
  ip name-server (4-293)
  ip domain-lookup (4-294)

ip domain-list

This command defines a list of domain names that can be appended to incomplete host names (i.e.
Example
  This example adds two domain names to the current list and then displays the list.
  Console(config)#ip domain-list sample.com.jp
  Console(config)#ip domain-list sample.com.uk
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
      DNS disabled
  Default Domain Name:
      .sample.com
  Domain Name List:
      .sample.com.jp
      .sample.com.
Example
  This example adds two domain-name servers to the list and then displays the list.
  Console(config)#ip domain-server 192.168.1.55 10.1.0.55
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
      DNS disabled
  Default Domain Name:
      .sample.com
  Domain Name List:
      .sample.com.jp
      .sample.com.uk
  Name Server List:
      192.168.1.55
      10.1.0.
Related Commands
  ip domain-name (4-291)
  ip name-server (4-293)

show hosts

This command displays the static host name-to-address mapping table.

Command Mode
  Privileged Exec

Example
  Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
  Console#show hosts
  Hostname      rd5
  Inet address  10.1.0.55  192.168.1.55
  Alias         1.rd6
  Console#

show dns

This command displays the configuration of the DNS service.
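The ip host, ip domain-name and ip domain-list commands above describe three pieces of one lookup: a static host table whose entries may carry several addresses that a client tries in succession, a default domain, and a list of domains appended to incomplete names. The following is an added example, not code from the guide or the switch's resolver, that models how those pieces combine. The values for rd5, sample.com, sample.com.jp and sample.com.uk are taken from the examples on this page; the web host, the set of reachable addresses, and the rules that a dotted name is treated as fully qualified and that a non-empty domain list takes precedence over the default domain name are assumptions made for the demonstration.

```python
"""Added model of static host lookup with default domain and domain list.
Constructed for illustration, not the switch's resolver. The rd5 entry and
the sample.com domains come from this page; the rest is assumed."""
from ipaddress import ip_address


class StaticResolver:
    def __init__(self):
        self.hosts = {}          # host name -> addresses, in the order configured (ip host)
        self.domain_name = None  # ip domain-name
        self.domain_list = []    # ip domain-list entries, in the order configured

    def ip_host(self, name, *addresses):
        # str(ip_address(a)) rejects malformed addresses before they reach the table
        self.hosts[name] = [str(ip_address(a)) for a in addresses]

    def candidates(self, name):
        """Names to try: the name itself, then the name with each suffix appended."""
        if "." in name:          # assumed: a dotted name is treated as fully qualified
            return [name]
        # assumed: the domain list, when present, is used instead of the default domain
        suffixes = self.domain_list or ([self.domain_name] if self.domain_name else [])
        return [name] + [f"{name}.{s}" for s in suffixes]

    def resolve(self, name):
        """Return (matched name, addresses) from the static table, or (None, [])."""
        for cand in self.candidates(name):
            if cand in self.hosts:
                return cand, list(self.hosts[cand])
        return None, []


def first_reachable(addresses, reachable):
    """Try each address in succession and return the first one that answers.
    'reachable' stands in for a connection attempt and is constructed here."""
    for a in addresses:
        if a in reachable:
            return a
    return None


def build_page_config():
    r = StaticResolver()
    r.ip_host("rd5", "192.168.1.55", "10.1.0.55")       # ip host rd5 192.168.1.55 10.1.0.55
    r.domain_name = "sample.com"                        # ip domain-name sample.com
    r.domain_list = ["sample.com.jp", "sample.com.uk"]  # ip domain-list (two entries)
    r.ip_host("web.sample.com.uk", "10.1.0.80")         # constructed entry
    return r


if __name__ == "__main__":
    r = build_page_config()
    print(r.candidates("web"))
    print(r.resolve("web"))
    name, addrs = r.resolve("rd5")
    # constructed: only the second address answers, so the client falls through to it
    print(first_reachable(addrs, {"10.1.0.55"}))
```

The order of the domain list matters: a short name is expanded with each suffix in the order the entries were configured, so an entry that unintentionally matches an existing host in an earlier suffix domain will win over the one the administrator intended.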
show dns cache

This command displays entries in the DNS cache.

Command Mode
  Privileged Exec

Example
  Console#show dns cache
  NO  FLAG  TYPE     DOMAIN                           TTL  IP
  0   4     Address  www.times.com                    198  199.239.136.200
  1   4     Address  a1116.x.akamai.net               19   61.213.189.120
  2   4     Address  a1116.x.akamai.net               19   61.213.189.
  3   4     CNAME    graphics8.nytimes.com            19
  4   4     CNAME    graphics478.nytimes.com.edgesui  19
  Console#
IP Interface Commands

An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.
  • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask.)
  • If the DHCP/BOOTP server is slow to respond, you may need to use the ip dhcp restart command to re-start broadcasting service requests.
Related Commands
  show ip redirects (4-300)

ip dhcp restart

This command submits a BOOTP or DHCP client request.

Default Setting
  None

Command Mode
  Privileged Exec

Command Usage
  • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
  • DHCP requires the server to reassign the client's last address if available.
Related Commands
  show ip redirects (4-300)

show ip redirects

This command shows the default gateway configured for this device.

Default Setting
  None

Command Mode
  Privileged Exec

Example
  Console#show ip redirects
  IP default gateway 10.1.0.254
  Console#

Related Commands
  ip default-gateway (4-298)

ping

This command sends ICMP echo request packets to another node on the network.

Syntax
  ping host [size size] [count count]
  • host - IP address or IP alias of the host.
  • Press Esc to stop pinging.

Example
  Console#ping 10.1.0.9
  Type ESC to abort.
  PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
  response time: 10 ms
  response time: 10 ms
  response time: 10 ms
  response time: 10 ms
  response time: 10 ms
  Ping statistics for 10.1.0.
Appendix A: Software Specifications

Software Features

Authentication and General Security Measures
  Local, RADIUS, TACACS, Port (802.
Multicast Filtering
  IGMP Snooping (Layer 2)
  Multicast VLAN Registration

Quality of Service
  DiffServ supports class maps, policy maps, and service policies

Additional Features
  BOOTP client
  SNTP (Simple Network Time Protocol)
  SNMP (Simple Network Management Protocol)
  RMON (Remote Monitoring, groups 1,2,3,9)
  SMTP Email Alerts
  DHCP Snooping
  IP Source Guard
  Switch Clustering

Management Features

In-Band Management
  Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell

Out-of-B
Management Information Bases
  DHCP Client (RFC 2131)
  DHCP Options (RFC 2132)
  HTTPS
  IGMP (RFC 1112)
  IGMPv2 (RFC 2236)
  IGMPv3 (RFC 3376) - partial support
  RADIUS+ (RFC 2618)
  RMON (RFC 2819 groups 1,2,3,9)
  SNMP (RFC 1157)
  SNMPv2 (RFC 2571)
  SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3414, 3415)
  SNTP (RFC 2030)
  SSH (Version 2.
  SNMP View Based ACM MIB (RFC 3415)
  TACACS+ Authentication Client MIB
  TCP MIB (RFC 2013)
  Trap (RFC 1215)
  UDP MIB (RFC 2013)
Appendix B: Troubleshooting

Problems Accessing the Management Interface

Table B-1 Troubleshooting Chart
  Symptom: Cannot connect using Telnet, web browser, or SNMP software
  Action:
    • Be sure the switch is powered up.
    • Check network cabling between the management station and the switch.
    • Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Designate the SNMP host that is to receive the error messages.
4. Repeat the sequence of commands or other actions that lead up to the error.
5.
Glossary

Access Control List (ACL)
  ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

Boot Protocol (BOOTP)
  BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
DHCP Snooping
  A technique used to enhance network security by snooping on DHCP server messages to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.

Extensible Authentication Protocol over LAN (EAPOL)
  EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch.
IEEE 802.1p
  An IEEE standard for providing quality of service (QoS) in Ethernet networks. The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value.

IEEE 802.1s
  An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which provides independent spanning trees for VLAN groups. (Now incorporated in IEEE 802.1D-2004)

IEEE 802.
IP Multicast Filtering
  A process whereby this switch can pass multicast traffic along to participating hosts.

IP Precedence
  The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic.
Multiple Spanning Tree Protocol (MSTP)
  MSTP can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group.

Network Time Protocol (NTP)
  NTP provides the mechanisms to synchronize time across the network.
Remote Monitoring (RMON)
  RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.

Remote Switched Port Analyzer (RSPAN)
  RSPAN can be used to mirror traffic from remote switches over a dedicated VLAN.

Rapid Spanning Tree Protocol (RSTP)
  RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.
Transmission Control Protocol/Internet Protocol (TCP/IP)
  Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.

Trivial File Transfer Protocol (TFTP)
  A TCP/IP protocol commonly used for software downloads.

User Datagram Protocol (UDP)
  UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services.
Index Numerics 802.1Q tunnel 3-178, 4-229 access 3-183, 4-230 configuration, guidelines 3-181 configuration, limitations 3-180 description 3-178 ethernet type 3-182, 4-231 interface configuration 3-182, 4-230–4-231 mode selection 3-183, 4-230 status, configuring 3-181, 4-230 TPID 3-182, 4-231 uplink 3-183, 4-230 802.1X port authentication 3-80, 4-112 port authentication accounting 3-66, 4-95 A AAA accounting 802.
Index D default gateway, configuration 3-16, 4-298 default priority, ingress port 3-189, 4-245 default settings, system 1-6 DHCP 3-18, 4-297 client 3-16, 4-297 dynamic configuration 2-5 DHCP snooping enabling 3-102, 4-132 global configuration 3-102, 4-132 information option 3-104, 4-136 information option policy 3-104, 4-137 information option, enabling 3-104, 4-136 policy selection 3-104, 4-137 specifying trusted interfaces 3-105, 4-134 verifying MAC addresses 3-102, 4-135 VLAN configuration 3-103, 4-133 D
Index IGMP filter profiles, configuration 3-219, 4-277 filter, parameters 3-219, 4-277 filtering & throttling, creating profile 3-218, 4-278 filtering & throttling, enabling 3-218, 4-277 filtering & throttling, interface configuration 3-221, 4-279 filtering & throttling, status 3-218, 4-277 filtering and throttling 3-218, 4-277 groups, displaying 3-216, 4-270 immediate leave, status 3-212, 4-269 Layer 2 3-209, 4-266 query 3-209, 3-210, 4-271 snooping 3-209, 4-267 snooping & query, parameters 3-210 snooping,
Index MSTP 3-158, 4-197 configuring 3-158, 4-202–4-213 global settings, configuring 3-147, 3-158, 4-196, 4-203–4-205 global settings, displaying 3-144, 4-213 interface settings, configuring 3-154, 3-163, 4-196 interface settings, displaying 3-161, 4-213 path cost 3-163, 4-211 multicast filtering 3-208, 4-266 multicast groups 3-216, 4-270 displaying 3-216, 4-270 static 3-216, 4-267, 4-268, 4-270 multicast services configuring 3-217, 4-267, 4-268 displaying 3-216, 4-270 multicast storm, threshold 4-161 multic
Index problems, troubleshooting B-1 profiles, IGMP filter 3-219, 4-278 promiscuous ports 4-235 protocol migration 3-156, 4-212 protocol VLANs 3-185, 4-240 configuring 3-186, 4-241 interface configuration 3-187, 4-241 system configuration 3-187, 4-241 public key 3-75, 4-103 PVID, port native VLAN 3-176, 4-225 PVLAN association 4-237 community ports 4-235 configuring 4-235 displaying 4-239 interface configuration 3-187, 4-238 primary VLAN 4-236 promiscuous ports 4-235 Q QinQ Tunneling See 802.
Index STA 3-142, 4-196 edge port 3-153, 3-156, 4-208 global settings, configuring 3-147, 4-197–4-202 global settings, displaying 3-144, 4-213 interface settings, configuring 3-154, 4-206–4-212 interface settings, displaying 3-151, 4-213 link type 3-153, 3-156, 4-210 MSTP path cost 3-163, 4-211 MSTP settings, configuring 3-163, 4-202–4-205 path cost 3-144, 3-153, 4-206 path cost method 3-148, 4-201 port priority 3-153, 4-208 protocol migration 3-156, 4-212 transmission limit 3-149, 4-202 standards, IEEE A-2
Index V W VLANs 3-164, 3-185, 3-189, 4-215, 4-228 802.
SMC8126PL2-F 149100000023A R01