TigerSwitch 10/100/1000 Gigabit Ethernet Switch
• 12 1000BASE-X SFP ports
• 4 RJ45 ports shared with 4 SFP transceiver slots
• Non-blocking switching architecture
• Support for a redundant power unit
• Spanning Tree Protocol
• Up to six LACP or static 4-port trunks
• Layer 2/3/4 CoS support through four priority queues
• Full support for VLANs with GVRP
• IGMP multicast filtering and snooping
• Support for jumbo frames up to 9 KB
• Manageable via console, Web, SNMP/RMON
Management Guide SMC8612XL3
TigerSwitch 10/100/1000 Management Guide
From SMC’s Tiger line of feature-rich workgroup LAN solutions
38 Tesla, Irvine, CA 92618
Phone: (949) 679-8000
October 2003
Pub.
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice. Copyright © 2003 by SMC Networks, Inc. 38 Tesla Irvine, CA 92618 All rights reserved.
LIMITED WARRANTY Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term.
LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS. SMC SHALL NOT BE LIABLE UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION DISCLOSE THE ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS CAUSED BY CUSTOMER’S OR ANY THIRD PERSON’S MISUSE, NEGLECT, IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO REPAIR, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING, OR OTHER HAZARD.
CONTENTS (excerpt)
Chapter 1: Introduction 1-1; Key Features 1-1; Description of Software Features 1-2; System Defaults 1-7; Chapter 2: Initial Configuration
Using DHCP/BOOTP; Managing Firmware; Downloading System Software from a Server; Saving or Restoring Configuration Settings; Downloading Configuration Settings from a Server; Configuring Event Logging; System Log Configuration
Configuring a MAC ACL 3-55; Configuring ACL Masks 3-57; Specifying the Mask Type 3-57; Configuring an IP ACL Mask 3-58; Configuring a MAC ACL Mask 3-60; Binding a Port to an Access Control List 3-61; Port Configuration
Enabling or Disabling GVRP (Global Setting); Displaying Basic VLAN Information; Displaying Current VLANs; Creating VLANs; Adding Static Members to VLANs (VLAN Index); Adding Static Members to VLANs (Port Index); Configuring VLAN Behavior for Interfaces
Configuring General DNS Server Parameters 3-150; Configuring Static DNS Host to Address Entries 3-152; Displaying the DNS Cache 3-154; Dynamic Host Configuration Protocol 3-155; Configuring DHCP Relay Service 3-155; Configuring the DHCP Server
Displaying the Routing Table 3-195; Configuring the Routing Information Protocol 3-196; Configuring General Protocol Settings 3-197; Specifying Network Interfaces for RIP 3-199; Configuring Network Interfaces for RIP 3-200; Displaying RIP Information and Statistics 3-203; Configuring the Open Shortest Path First Protocol
Accessing the CLI 4-1; Console Connection 4-1; Telnet Connection 4-1; Entering Commands 4-3; Keywords and Arguments 4-3; Minimum Abbreviation
exit; quit; System Management Commands; Device Designation Commands; prompt; hostname
SMTP Alert Commands 4-46; logging sendmail host 4-47; logging sendmail level 4-47; logging sendmail source-email 4-48; logging sendmail destination-email 4-48; logging sendmail
radius-server retransmit; radius-server timeout; show radius-server; TACACS+ Client; tacacs-server host; tacacs-server port
MAC ACLs 4-97; access-list mac 4-97; permit, deny (MAC ACL) 4-98; show mac access-list 4-99; access-list mac mask-precedence 4-100; mask (MAC ACL)
dns-server; next-server; bootfile; netbios-name-server; netbios-node-type; lease
port monitor; show port monitor; Rate Limit Commands; rate-limit; Link Aggregation Commands; channel-group
spanning-tree portfast; spanning-tree link-type; spanning-tree mst cost; spanning-tree mst port-priority; spanning-tree protocol-migration; show spanning-tree
Priority Commands (Layer 2) 4-198; switchport priority default 4-198; queue mode 4-199; queue bandwidth 4-200; queue cos-map 4-201; show queue mode
ip igmp query-interval; ip igmp max-resp-interval; ip igmp last-memb-query-interval; ip igmp version; show ip igmp interface; clear ip igmp group; show ip igmp groups
ip rip authentication mode; show rip globals; show ip rip; Open Shortest Path First (OSPF); router ospf; router-id
General Multicast Routing Commands; ip multicast-routing; show ip mroute; DVMRP Multicast Routing Commands; router dvmrp; probe-interval; nbr-timeout
show vrrp; show vrrp interface; show vrrp router counters; show vrrp interface counters; clear vrrp router counters; clear vrrp interface counters
CHAPTER 1 INTRODUCTION The TigerSwitch 10/100/1000 provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Feature – Description
Rate Limiting – Input and output rate limiting per port
Port Mirroring – One or more ports mirrored to single analysis port
Port Trunking – Supports up to 6 trunks using either static or dynamic trunking (LACP)
Broadcast Storm Control – Supported
Address Table – Up to 16K MAC addresses in the forwarding table, 1024 static MAC addresses; up to 4K IP address entries in the ARP cache, 128 static IP routes
IEEE 802.
Description of Software Features
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth.
be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. DHCP Server and DHCP Relay – A DHCP server is provided to assign IP addresses to host devices. Since DHCP uses a broadcast mechanism, a DHCP server and its client must physically reside on the same subnet.
redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 6 trunks. Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection. Rapid Spanning Tree Protocol (RSTP, IEEE 802.
• except where a connection is explicitly defined via the switch’s routing service. Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
OSPF – This approach uses a link state routing protocol to generate a shortest-path tree, then builds up its routing table based on this tree. OSPF produces a more stable network because the participating routers act on network changes predictably and simultaneously, converging on the best route more quickly than RIP.
Multicast Routing – Routing for multicast packets is supported by the Distance Vector Multicast Routing Protocol (DVMRP) and Protocol-Independent Multicasting - Dense Mode (PIM-DM). These protocols work in conjunction with IGMP to filter and route multicast traffic. DVMRP is a more comprehensive implementation that maintains its own routing table, but it is gradually being replaced by most network managers with PIM, Dense Mode and Sparse Mode.
System Defaults
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-27). The following table lists some of the basic system defaults.
Function – Parameter – Default
SNMP – Community Strings – “public” (read only), “private” (read/write)
SNMP – Traps – Authentication traps: enabled; Link-up-down events: enabled
IP Filtering – Disabled
Port Configuration – Admin Status – Enabled
Port Configuration – Auto-negotiation – Enabled
Port Configuration – Flow Control – Disabled
Port Configuration – Port Capability – 1000BASE-T: 10 Mbps half duplex, 10 Mbps full duplex, 100 Mbps half duplex, 100 Mbps full duplex, 1000 Mbps full duplex, full-duplex flow control disabled, symmetric flow control disabled; 1000BASE-SX/LX
Virtual LANs – Default VLAN – 1
Virtual LANs – PVID – 1
Virtual LANs – Acceptable Frame Type – All
Virtual LANs – Ingress Filtering – Disabled
Virtual LANs – Switchport Mode (Egress Mode) – Hybrid: tagged/untagged frames
Virtual LANs – GVRP (global) – Disabled
Virtual LANs – GVRP (port interface) – Disabled
Ingress Port Priority – 0
Weighted Round Robin – Queue: 0 1 2 3 4 5 6 7; Priority: 2 0 1 3 4 5 6 7
IP Precedence Priority – Disabled
IP DSCP Priority – Disabled
IP Settings – Management.
Router Redundancy – HSRP – Disabled
Router Redundancy – VRRP – Disabled
Multicast Filtering – IGMP Snooping (Layer 2) – Snooping: Enabled; Querier: Disabled
Multicast Routing – IGMP (Layer 3) – Disabled
Multicast Routing – DVMRP – Disabled
Multicast Routing – PIM-DM – Disabled
System Log – Status – Enabled
System Log – Messages Logged – Levels 0-7 (all)
System Log – Messages Logged to Flash – Levels 0-3
SMTP Email Alerts – Event Handler – Disabled
SNTP – Clock Synchronization – Disabled
CHAPTER 2 INITIAL CONFIGURATION
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: The IP address for this switch is unassigned by default. To change this address, see “Setting an IP Address” on page 2-7.
The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:
• Set user names and passwords for up to 16 users
• Set an IP interface for any VLAN
• Configure SNMP parameters
• Enable/disable any port
• Set the speed/duplex mode for any port
• Configure the bandwidth of any port by limiting input or output rates
• Configure up to 255 IEEE 802.
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
Windows 2000 service packs. 2. Refer to “Line Commands” on page 4-15 for a complete description of console configuration options. 3. Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see “Using the Command Line Interface” on page 4-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 4-13.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is unassigned by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-7. Notes: 1. This switch supports four concurrent Telnet/SSH sessions. 2.
those available at the Privileged Exec level and allow you to only display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level. Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps: 1.
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press Enter.
Username: admin
Password:
CLI session with the SMC8612XL3 is opened.
To end the CLI session, enter [Exit].
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter. 2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press Enter. 3.
If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on. To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter. 2.
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart client
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified.
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
Note: If you do not intend to utilize SNMP, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access to the switch is disabled.
1. From the Privileged Exec level global configuration mode prompt, type “snmp-server host host-address community-string,” where “host-address” is the IP address for the trap receiver and “community-string” is the string associated with that host. Press Enter. 2. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server enable traps command. Type “snmp-server enable traps type,” where “type” is either authentication or link-up-down.
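The guide recommends deleting the default “public” and “private” community strings when SNMP is not needed, and pairing every trap receiver with at least one snmp-server enable traps command. The following Python script is an added example, not code from the SMC guide: it audits a saved configuration for exactly those points and prints the CLI lines that would fix them. The sample configuration text is constructed, and the “snmp-server community NAME ro|rw” / “no snmp-server community NAME” line forms are an assumption about the switch CLI (this page shows only snmp-server host and snmp-server enable traps).

```python
"""Audit a saved switch configuration for default SNMP community strings
and for trap receivers that are configured inconsistently.

Added example, not from the SMC guide. SAMPLE_CONFIG is constructed; the
'snmp-server community NAME ro|rw' and 'no snmp-server community NAME'
line forms are assumed CLI syntax, not quoted from this page.
"""
import re
from dataclasses import dataclass, field

DEFAULT_COMMUNITIES = {"public", "private"}  # factory defaults per the guide

# Constructed sample of what a freshly configured switch might save.
SAMPLE_CONFIG = """\
hostname R&D 5
snmp-server community public ro
snmp-server community private rw
snmp-server community ops-ro ro
snmp-server host 192.0.2.10 ops-ro
snmp-server enable traps authentication
interface vlan 1
 ip address 192.168.1.54 255.255.255.0
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?$")
HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)$")
TRAPS_RE = re.compile(r"^snmp-server enable traps (authentication|link-up-down)$")


@dataclass
class SnmpAudit:
    communities: dict = field(default_factory=dict)   # name -> "ro" | "rw"
    trap_hosts: list = field(default_factory=list)    # (receiver ip, community)
    traps_enabled: set = field(default_factory=set)   # trap types switched on
    findings: list = field(default_factory=list)      # human-readable problems
    remediation: list = field(default_factory=list)   # CLI lines to apply


def audit_snmp(config_text: str) -> SnmpAudit:
    audit = SnmpAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            audit.communities[m.group(1)] = m.group(2) or "ro"
        elif m := HOST_RE.match(line):
            audit.trap_hosts.append((m.group(1), m.group(2)))
        elif m := TRAPS_RE.match(line):
            audit.traps_enabled.add(m.group(1))

    # 1. Default community strings still present: anyone who guesses them
    #    gets MIB read (public) or read/write (private) access.
    for name, access in sorted(audit.communities.items()):
        if name in DEFAULT_COMMUNITIES:
            audit.findings.append(f"default community '{name}' ({access}) still configured")
            audit.remediation.append(f"no snmp-server community {name}")

    # 2. A trap host that names a community the switch does not define.
    for ip, community in audit.trap_hosts:
        if community not in audit.communities:
            audit.findings.append(f"trap host {ip} uses undefined community '{community}'")

    # 3. Traps enabled with nobody to receive them, or a receiver with no traps enabled.
    if audit.traps_enabled and not audit.trap_hosts:
        audit.findings.append("traps enabled but no snmp-server host configured")
    if audit.trap_hosts and not audit.traps_enabled:
        audit.findings.append("trap host configured but no 'snmp-server enable traps' line")
        audit.remediation.append("snmp-server enable traps authentication")
        audit.remediation.append("snmp-server enable traps link-up-down")
    return audit


if __name__ == "__main__":
    result = audit_snmp(SAMPLE_CONFIG)
    for finding in result.findings:
        print("FINDING:", finding)
    for cmd in result.remediation:
        print("FIX:    ", cmd)
```

Run against the constructed sample it reports both default strings and proposes the two no-form commands; the ops-ro community and its trap host pass because the community is defined and authentication traps are enabled.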
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: • Configuration — This file stores system configuration information and is created when configuration settings are saved.
Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.
CHAPTER 3 CONFIGURING THE SWITCH
Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
on the third failed attempt the current connection is terminated. 2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page. 3.
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”
Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
“Apply” or “Apply Changes” button to confirm the new setting. The following table summarizes the web page configuration buttons.
Button – Action
Revert – Cancels specified values and restores current values prior to pressing “Apply” or “Apply Changes.”
Refresh – Immediately updates values for the current page.
Apply – Sets specified values to the system.
Apply Changes – Sets specified values to the system.
Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer 5.
The following table briefly describes the selections available from this program.
Menu – Description (Page)
SSH (page 3-50)
  Settings – Configures Secure Shell server settings (page 3-55)
  Host-Key Settings – Generates the host key pair (public and private) (page 3-53)
Port Security – Configures per port security, including status, response for security breach, and maximum allowed MAC addresses (page 3-56)
802.
Menu – Description (Page)
Port Internal Information – Displays settings and operational state for the local side (page 3-106)
Port Neighbors Information – Displays settings and operational state for the remote side (page 3-108)
Port Broadcast Control – Sets the broadcast storm threshold for each port (page 3-111)
Mirror Port Configuration – Sets the source and target ports for mirroring (page 3-113)
Rate Limit (page 3-115)
  Input Port Configuration – Sets the input rate limit for each port (page 3-115)
  Input
Menu – Description (Page)
Trunk Information – Displays trunk settings for a specified MST instance (page 3-146)
Port Configuration – Configures port settings for a specified MST instance (page 3-148)
Trunk Configuration – Configures trunk settings for a specified MST instance (page 3-148)
VLAN (page 3-150)
802.
Menu – Description (Page)
Queue Mode – Sets queue mode to strict priority or Weighted Round-Robin (page 3-176)
Queue Scheduling – Configures Weighted Round Robin queueing (page 3-176)
IP Precedence/DSCP Priority Status – Globally selects IP Precedence or DSCP Priority, or disables both.
Menu – Description (Page)
DNS (page 3-206)
  General Configuration – Enables DNS; configures domain name and domain list; and specifies IP address of name servers for dynamic lookup (page 3-206)
  Static Host Table – Configures static entries for domain name to address mapping (page 3-209)
  Cache – Displays cache entries discovered by designated name servers (page 3-212)
IP (page 3-246)
  General (page 3-250)
    Global Settings – Enables or disables routing, specifies the default gateway (page 3-250)
    Routing Interface – Configures the I
Menu – Description (Page)
ICMP – Shows statistics for ICMP traffic, including the amount of traffic, protocol errors, and the number of echoes, timestamps, and address masks (page 3-265)
UDP – Shows statistics for UDP, including the amount of traffic and errors (page 3-267)
TCP – Shows statistics for TCP, including the amount of traffic and TCP connection activity (page 3-268)
Routing (page 3-247)
  Static Routes – Configures and displays static routing entries (page 3-269)
  Routing Table – Shows all rout
Menu – Description (Page)
Interface Settings – Configures RIP parameters for each interface, including send and receive versions, message loopback prevention, and authentication (page 3-277)
Statistics – Displays general information on update time, route changes and number of queries, as well as a list of statistics for known interfaces and neighbors (page 3-281)
OSPF (page 3-285)
  General Configuration – Enables or disables OSPF; also configures the Router ID and various other global settings (page 3-287)
  Are
Menu – Description (Page)
DVMRP (page 3-323)
  General Settings – Configures global settings for prune and graft messages, and the exchange of routing information (page 3-324)
  Interface Settings – Enables/disables DVMRP per interface and sets the route metric (page 3-329)
  Neighbor Information – Displays neighboring DVMRP routers (page 3-331)
  Routing Table – Displays DVMRP routing information (page 3-333)
General Settings – Enables or disables PIM-DM globally for the switch (page 3-335)
Interface Settings – Enab
Basic Configuration
Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.
• Location – Specifies the system location.
• Contact – Administrator responsible for the system.
• System Up Time – Length of time the management agent has been up.
CLI – Specify the hostname, location and contact information.
Console(config)#hostname R&D 5 (page 3-34)
Console(config)#snmp-server location WC 9 (page 3-149)
Console(config)#snmp-server contact Ted (page 3-148)
Console(config)#exit
Console#show system (page 3-82)
System description: SMC Networks SMC8612XL3
System OID string: 1.3.6.1.4.1.202.20.33
System information
System Up time: 0 days, 14 hours, 38 minutes, and 0.
supply.
• Redundant Power Status* – Displays the status of the redundant power supply.
* CLI only.
Management Software
• Loader Version – Version number of loader code.
• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.
• Operation Code Version – Version number of runtime code.
• Role – Shows that this switch is operating as Master (i.e., operating stand-alone).
Expansion Slots
• Expansion Slot – Indicates any installed module type.
CLI – Use the following command to display version information.
Console#show version
Unit1
 Serial number          : A322043872
 Hardware version       : R01
 Number of ports        : 12
 Main power status      : up
 Redundant power status : down
Agent (master)
 Unit ID                : 1
 Loader version         : 2.0.2.3
 Boot ROM version       : 2.0.2.1
 Operation code version : 2.2.3.
Console#
• Local VLAN Capable – This switch supports multiple local bridges; i.e., multiple spanning trees. (Refer to “Configuring Multiple Spanning Trees” on page 3-101.)
• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.
Web – Click System, Bridge Extension.
Setting the Switch’s IP Address
This section describes how to configure an initial IP interface for management access over the network. The IP address for this switch is unassigned by default. To manually configure an address, you need to change the switch’s default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your network.
as long as that VLAN has been assigned an IP address. • IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.
Click IP, Global Setting. If this switch and management stations exist on other network segments, then specify the default gateway, and click Apply.
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.28.150 255.255.252.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.28.
BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.

Note: If you lose your management connection, use a console connection and enter “show ip interface” to determine the new switch address.

CLI – Specify the management interface, set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart client” command.
Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.

CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart client

Managing Firmware

You can upload/download firmware to or from a TFTP server. TFTP provides no authentication, encryption, or integrity check of its own, so keep the TFTP server on an isolated management network, and verify the checksum of an operation code file against a trusted reference before transferring it to the switch.
to overwrite or specify a new file name, then click Transfer from Server. To start the new firmware, reboot the system via the System/Reset menu. If you download to a new destination file, then select the file from the drop-down box for the operation code used at startup, and click Apply Changes. To start the new firmware, reboot the system via the System/Reset menu.
CLI – Enter the IP address of the TFTP server, select “config” or “opcode” file type, then enter the source and destination file names, set the new file to start up the system, and then restart the switch.

Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
 1. config: 2. opcode: <1-2>: 2
Source file name: M100000.bix
Destination file name: V1.0
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V1.
file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, Configuration. Enter the IP address of the TFTP server, enter the name of the file to download, select a file on the switch to overwrite or specify a new file name, and then click Transfer from Server. If you download to a new file name, then select the new file from the drop-down box for Startup Configuration File, and press Apply Changes.
If you download the startup configuration file under a new file name, you can set this file as the startup file at a later time, and then restart the switch.
flash. (Range: 0-7, Default: 3) The level is a threshold: messages at the configured level and at every more severe level (lower number) are stored.

Level Argument   Level   Description
debugging        7       Debugging messages
informational    6       Informational messages only
notifications    5       Normal but significant condition, such as cold start
warnings         4       Warning conditions (e.g., return false, unexpected return)
errors           3       Error conditions (e.g., invalid input, default used)
critical         2       Critical conditions (e.g.
CLI – Enable logging, set the level of messages kept in RAM, and then display the flash log settings.

Console(config)#logging on
Console(config)#logging history ram 0
Console(config)#
Console#show logging flash
Syslog logging: Disable
History logging in FLASH: level errors
Console#

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers or other management stations.
• Host IP Address – Specifies a new server IP address to add to the Host IP List.

Web – Click System, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add IP Host. To delete an IP address, click the entry in the Host IP List, and then click Remove Host IP.
set the logging trap.

Console(config)#logging host 10.1.0.9
Console(config)#logging facility 23
Console(config)#logging trap 4
Console(config)#
Console#show logging trap
Syslog logging: Enable
REMOTELOG status: enable
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 10.1.0.9
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.
error.

Console#show logging flash
Syslog logging: Enable
History logging in FLASH: level errors
[0] 0:0:5 1/1/1 "PRI_MGR_InitDefault function fails."
    level: 3, module: 13, function: 0, and event no.: 0
Console#show logging ram
Syslog logging: Enable
History logging in RAM: level debugging
[0] 0:0:5 1/1/1 "PRI_MGR_InitDefault function fails."
    level: 3, module: 13, function: 0, and event no.: 0
Console#

Resetting the System

Web – Click System, Reset.
addresses. The switch will attempt to poll each server in the configured sequence.

Broadcast – The switch sets its clock from a time server in the same subnet that broadcasts time updates. If there is more than one SNTP server, the switch accepts the first broadcast it detects and ignores broadcasts from other servers. Because SNTP broadcasts carry no authentication, any host on that subnet can send the first broadcast and so set the switch’s clock, and with it the timestamps in the system log.

Configuring SNTP

You can configure the switch to send time synchronization requests to specific time servers (i.e.
Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.

CLI – This example configures the switch to operate as an SNTP broadcast client.

Console(config)#sntp client
Console(config)#sntp poll 16
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.
Console(config)#
Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply.

CLI – This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Dhaka hours 6 minute 0 after-UTC
Console#

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network.
Setting Community Access Strings

You may configure up to five community strings authorized for management access. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should remove the default strings. Community strings travel in clear text in every SNMP request, so treat them as passwords: grant read/write access only where it is needed, and restrict the source addresses allowed to use them (see “Filtering Addresses for SNMP Client Access”).

Command Attributes

• SNMP Community Capability – Indicates that the switch supports up to five community strings.
CLI – The following example adds the string “spiderman” with read/write access.
Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
CLI – This example adds a trap manager and enables both authentication and link-up, link-down traps.

Console(config)#snmp-server host 10.1.28.
Filtering Addresses for SNMP Client Access

The switch allows you to create a list of up to 16 IP addresses or IP address groups that are allowed access to the switch via SNMP management software (also see page 3-69).

Command Usage

• To specify the clients allowed SNMP access, enter an IP address along with a subnet mask to identify a specific host or a range of valid addresses. For example:
  - IP address 192.168.1.1 and mask 255.255.255.
Web – Click SNMP, IP Filtering. To add a client, enter the new address, the subnet mask for a node or an address range, and then click “Add IP Filtering Entry.”

CLI – This example allows SNMP access for a specific client.

Console(config)#snmp ip filter 10.1.2.3 255.255.255.
USER AUTHENTICATION

• 802.1x – Use IEEE 802.1x port authentication to control access to specific ports.

Configuring the Logon Password

The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place. Change the default guest password as well: the defaults are printed in this guide and so are known to anyone who can reach the switch. The default guest name is “guest” with the password “guest”.
CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password. The “0” before the password indicates that it is being entered in plain text.

Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on specified user names and passwords.
sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet.

• RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.
  - Secret Text String – Shared secret used to authenticate exchanges between the switch and the authentication server; the same string must be configured on the server. Do not use blank spaces in the string. (Maximum length: 20 characters)
  - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2)
  - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request.
CLI – Specify all the required parameters to enable logon authentication. (Port 181 is simply the value used in this example; RADIUS servers normally listen on UDP port 1812, or 1645 on older installations, so set the port to match your server.)

Console(config)#authentication login radius
Console(config)#radius-server host 192.168.1.25
Console(config)#radius-server port 181
Console(config)#radius-server key green
Console(config)#radius-server retransmit 5
Console(config)#radius-server timeout 10
Console#show radius-server
Server IP address: 192.168.1.
Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.

Command Usage

• Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same TCP port.
Secure-site Certificate” on page 3-49.

Command Attributes

• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled)
• Change HTTPS Port Number – Specifies the TCP port number used for HTTPS/SSL connection to the switch’s web interface. (Default: Port 443)

Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.

CLI – This example enables the HTTP secure server and modifies the port number.
Caution: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased: the same certificate and private key are present on every unit, so anyone who has recovered that key from another switch or from the firmware image can impersonate your switch or intercept management sessions to it. Until a unique certificate is installed, treat HTTPS as protection against passive observation only.
Note: The switch supports both SSH Version 1.5 and 2.0. SSH protocol version 1 has known weaknesses and is no longer considered secure; configure clients to use version 2 only.

Command Usage

The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-44).
shown in the following example:

1024 35 134108168560989392104094492015542534763164192187295892114317388005553616163105177594083868631109291232226828519254374603100937187721199696317813662774141689851320491172048303392543241016379975923714490119380060902539484084827178194372288402533115952134861022902978982721353267131629432532818915045306393916643 steve@192.168.1.19

4.
Telnet sessions and SSH sessions.

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).

Field Attributes

• Public-Key of Host-Key – The public key for the host.
Web – Click Security, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.

CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Configuring the SSH Server

The SSH server includes basic settings for authentication.

Field Attributes

• SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Enabled)
• Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. (The 768-bit server key size is the value used in this example; a key of that length is far below current recommendations, so use the largest size the switch accepts.)

Console(config)#ip ssh server
Console(config)#ip ssh timeout 120
Console(config)#ip ssh authentication-retries 3
Console(config)#ip ssh server-key size 768
Console(config)#end
Console#show ip ssh
SSH Enabled - version 2.
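The client public key format shown earlier (“bits exponent modulus comment”, the SSH1-style line the switch displays for an imported key) differs from the `ssh-rsa AAAA…` line that ssh-keygen writes. The following Python, an added example and not code from the SMC guide, converts an OpenSSH RSA public key line into that form and back, checking the length fields so a truncated or padded key is rejected rather than silently mis-parsed. The function names and the tiny RSA values used below are my own; they exercise the encoding only and are not a usable key.

```python
"""Convert an OpenSSH "ssh-rsa" public key line to the "bits e n comment" form
(and back).  Added example, not code from the SMC guide; names are assumed."""
import base64
import struct


def _mpint(value: int) -> bytes:
    # RFC 4251 mpint: length-prefixed big-endian integer; a leading 0x00 byte is
    # added when the top bit is set so the value is not read as negative.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _read_field(blob: bytes, offset: int):
    # Every field carries a 4-byte length; refuse lengths that run past the
    # blob instead of returning a truncated exponent or modulus.
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field length exceeds key blob")
    return blob[offset + 4:end], end


def encode_openssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build the one-line 'ssh-rsa <base64> [comment]' form written by ssh-keygen."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def openssh_to_ssh1_line(line: str) -> str:
    """Return 'bits e n [comment]', the form the switch shows for an imported key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, offset = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    e_bytes, offset = _read_field(blob, offset)
    n_bytes, offset = _read_field(blob, offset)
    if offset != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    comment = parts[2].strip() if len(parts) == 3 else ""
    fields = [str(n.bit_length()), str(e), str(n)]
    if comment:
        fields.append(comment)
    return " ".join(fields)


def parse_ssh1_line(line: str):
    """Split 'bits e n [comment]' into (bits, e, n, comment) and sanity-check it."""
    parts = line.strip().split(None, 3)
    if len(parts) < 3:
        raise ValueError("expected at least bits, exponent and modulus")
    bits, e, n = int(parts[0]), int(parts[1]), int(parts[2])
    if n.bit_length() != bits:
        raise ValueError(f"bit count {bits} does not match modulus size {n.bit_length()}")
    comment = parts[3].strip() if len(parts) == 4 else ""
    return bits, e, n, comment
```

The modulus on a real key line is one unbroken run of digits; if a copy of it has been wrapped, join the pieces before parsing, since `parse_ssh1_line` treats whitespace as a field separator and will reject the mismatched bit count.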
intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message. To use port security, first allow the switch to dynamically learn the source MAC address/VLAN pair for frames received on a port for an initial training period, and then enable port security to stop address learning. Be sure you enable the learning function long enough to ensure that all valid VLAN members have been registered on the selected port.
  - Shutdown: Disable the port.
  - Trap and Shutdown: Send an SNMP trap message and disable the port.
• Status – Enables or disables port security on the port. (Default: Disabled)
• Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 20)
• Trunk – Trunk number if port is a member (page 3-97 and 3-99).

Web – Click Security, Port Security.
CLI – This example sets the command mode to Port 5, sets the port security action to send a trap and disable the port, and specifies a maximum address count.
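To make the learning-then-lock behaviour described above concrete, here is a small model of a secured port, an added example rather than anything from the SMC guide or the switch’s firmware. The class, its method names, and the “table full” response during training are assumptions; the range of Max MAC Count and the four actions follow the attribute list above.

```python
"""Model of port security: a training window in which source addresses are
learned, then a locked table; an unknown source afterwards is an intrusion
that triggers the configured action.  Added example, not the switch's code."""
import re

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([-:])(?:[0-9a-fA-F]{2}\1){4}[0-9a-fA-F]{2}$")


def normalize_mac(mac: str) -> str:
    """Accept 11-22-33-44-55-66 or 11:22:33:44:55:66; return lower-case dashed form."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac.lower().replace(":", "-")


class SecurePort:
    ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")

    def __init__(self, name: str, max_count: int = 20, action: str = "trap-and-shutdown"):
        if not 0 <= max_count <= 20:          # range given in the guide
            raise ValueError("max_count must be 0-20")
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.name = name
        self.max_count = max_count
        self.action = action
        self.security_enabled = False         # learning phase first
        self.admin_up = True
        self.learned = set()
        self.traps = []                       # SNMP traps the switch would have sent

    def enable_security(self) -> None:
        """End the training period: freeze the table and start enforcing."""
        self.security_enabled = True

    def receive(self, src_mac: str) -> str:
        mac = normalize_mac(src_mac)
        if not self.admin_up:
            return "dropped: port disabled"
        if mac in self.learned:
            return "forwarded"
        if not self.security_enabled:
            if len(self.learned) < self.max_count:
                self.learned.add(mac)
                return "learned"
            return "dropped: address table full"   # assumed behaviour at the cap
        return self._intrusion(mac)

    def _intrusion(self, mac: str) -> str:
        # Frame from an unregistered source on a secured port.
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append(f"{self.name}: intrusion from {mac}")
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.admin_up = False
        return f"dropped: intrusion ({self.action})"


def run_scenario():
    """Train port 5 on two hosts, lock it, then present a third address."""
    port = SecurePort("Eth1/5", max_count=2, action="trap-and-shutdown")
    log = [port.receive("00-11-22-33-44-01"), port.receive("00:11:22:33:44:02")]
    port.enable_security()
    log.append(port.receive("00-11-22-33-44-01"))   # known host still forwarded
    log.append(port.receive("00-11-22-33-44-99"))   # intruder: trap, then port down
    log.append(port.receive("00-11-22-33-44-01"))   # legitimate host now locked out too
    return port, log
```

The last step of the scenario is the failure mode to plan for: with a shutdown action, a single frame carrying an unregistered source address takes the port, and every legitimate host behind it, offline. On ports where availability matters more than containment, a trap-only action plus monitoring of those traps is the safer choice.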
Configuring 802.1x Port Authentication

Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked. The operation of dot1x on the switch requires the following:

• The switch must have an IP address assigned.
• RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified.
• dot1x Max Request Count – The maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
• Timeout for Quiet Period – Indicates the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.
• Timeout for Re-authentication Period – Indicates the time period after which a connected client must be re-authenticated.
CLI – This example shows the default protocol settings for dot1x. For a description of the additional entries displayed in the CLI, see “show dot1x” on page 3-110.

Console#show dot1x
Global 802.1X Parameters
 reauth-enabled: yes
 reauth-period:  300
 quiet-period:   350
 tx-period:      300
 supp-timeout:   30
 server-timeout: 30
 reauth-max:     2
 max-req:        2

802.1X Port
 Port Name
 1/1
 1/2
 . . .
Configuring 802.1x Global Settings

The dot1x protocol includes global parameters that control the client authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. The configuration options for these parameters are described in this section.
Web – Select Security, 802.1x, Configuration. Enable dot1x globally for the switch, modify any of the parameters required, and then click Apply.

CLI – This enables re-authentication and sets all of the global parameters for dot1x.
Default: 5)
• Mode – Sets the authentication mode to one of the following options:
  - Auto – Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access.
  - Force-Authorized – Forces the port to grant access to all clients, either dot1x-aware or otherwise.
  - Force-Unauthorized – Forces the port to deny access to all clients, either dot1x-aware or otherwise.
CLI – This example sets the authentication mode to enable 802.1x on port 2, and allows up to ten clients to connect to this port.

Console(config)#interface ethernet 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#

Displaying 802.1x Statistics

This switch can display statistics for dot1x protocol exchanges for any port.
• Tx EAP Req/Id – The number of EAP Req/Id frames that have been transmitted by this Authenticator.
• Tx EAP Req/Oth – The number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
Web – Select Security, 802.1x, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.

CLI – This example displays the dot1x statistics for port 4.
Command Usage

• The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
• If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
Web – Click Security, IP Filter. Enter the addresses that are allowed management access to an interface, and click Add IP Filtering Entry.

CLI – This example restricts management access for Telnet clients. Source-address filtering narrows exposure but does not authenticate the client, and Telnet itself carries credentials in clear text, so prefer SSH for CLI access.

Console(config)#management telnet-client 192.168.1.19
Console(config)#management telnet-client 192.168.1.25 192.168.1.
Access Control Lists

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
1. User-defined rules in the Egress MAC ACL for egress ports.
2. User-defined rules in the Egress IP ACL for egress ports.
3. User-defined rules in the Ingress MAC ACL for ingress ports.
4. User-defined rules in the Ingress IP ACL for ingress ports.
5. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.
6. Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports.
7. If no explicit rule is matched, the implicit default is permit all.
CLI – This example creates a standard IP ACL named bill.

Console(config)#access-list ip standard bill
Console(config-std-acl)#

Configuring a Standard IP ACL

Command Attributes

• Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules)
• IP – Specifies the source IP address.
select “IP,” enter a subnet address and the mask for an address range. Then click Add.

CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.

Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.0 255.255.240.
(See the description for SubMask on page 3-74.)
• Service Type – Packet priority settings based on the following criteria:
  - Precedence – IP precedence level. (Range: 0-7)
  - TOS – Type of Service level. (Range: 0-15)
  - DSCP – DSCP priority level. (Range: 0-63; the DSCP field is six bits wide)
• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255).
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.

CLI – This example adds three rules:
(1) Accept any incoming packets if the source address is in subnet 10.7.1.x.
(3) Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” (A control code of 2 with bitmask 2 tests only the SYN flag, so SYN+ACK segments match as well; to match only the initial SYN, with ACK clear, use control code 2 with bitmask 18.)

Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any dport 80
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any tcp control-code 2 2
Console(config-ext-acl)#

Configuring a MAC ACL

Command Attributes

• Action – An ACL can contain all permit rules or all deny rules.
  - Untagged-eth2 – Untagged Ethernet II packets.
  - Untagged-802.3 – Untagged Ethernet 802.3 packets.
  - Tagged-eth2 – Tagged Ethernet II packets.
  - Tagged-802.3 – Tagged Ethernet 802.3 packets.

Command Usage

• Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets. Frames that the switch floods therefore bypass an egress MAC ACL entirely, so do not rely on one to contain broadcast or unknown-destination traffic; filter such traffic on ingress instead.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
Configuring ACL Masks

You can specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL. A mask must be bound exclusively to one of the basic ACL types (i.e.
Web – Click Security, ACL, ACL Mask Configuration. Click Edit for one of the basic mask types to open the configuration page.

CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet.

Console(config)#access-list ip mask-precedence in
Console(config-ip-mask-acl)#mask host any
Console(config-ip-mask-acl)#mask 255.
match this bitmask. (See the description for SubMask on page 3-74.)
• Protocol Bitmask – Check the protocol field.
• Service Type – Check the rule for the specified priority type. (Options: Precedence, TOS, DSCP; Default: TOS)
• Src/Dst Port Bitmask – Protocol port of rule must match this bitmask. (Range: 0-65535)
• Control Bitmask – Control flags of rule must match this bitmask.
Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitmask to search for specific protocol port(s) or TCP control code(s). Then click Add.
10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any” entry.

Console(config)#access-list ip standard A2
Console(config-std-acl)#permit 10.1.1.0 255.255.255.0
Console(config-std-acl)#deny 10.1.1.1 255.255.255.255
Console(config-std-acl)#exit
Console(config)#access-list ip mask-precedence in
Console(config-ip-mask-acl)#mask host any
Console(config-ip-mask-acl)#mask 255.255.255.
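The effect of the mask on the A2 example above is easy to get wrong, because the rules are not evaluated in the order they were typed. The following Python, an added example and not code from the SMC guide, reproduces the precedence described in this section: each mask, in the order it was entered, pulls forward the rules whose subnet mask it selects, the first matching rule wins, and the implicit default is permit. The same address/mask comparison is what the SNMP client filter and the management IP filter perform, so a `filter_allows` function for those lists is included. The `Rule` and `Mask` objects and the function names are assumptions; only the source address is modelled, as in a standard ACL.

```python
"""Simulation of standard IP ACL evaluation with mask precedence, plus the
address/mask match used by the SNMP and management IP filter lists.
Added example, not the switch's code; rule and mask objects are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

HOST_MASK = "255.255.255.255"
ANY_MASK = "0.0.0.0"


def _bits(dotted: str) -> int:
    return int(IPv4Address(dotted))


def in_range(src: str, address: str, mask: str) -> bool:
    """True when src falls inside address/mask (a subnet mask: 1 bits are compared)."""
    m = _bits(mask)
    return _bits(src) & m == _bits(address) & m


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    address: str    # source address as typed in the ACL
    mask: str       # subnet mask; "permit host X" is X with HOST_MASK


@dataclass(frozen=True)
class Mask:
    source: str     # "host", "any", or a dotted subnet mask such as 255.255.255.0

    def bits(self) -> int:
        if self.source == "host":
            return _bits(HOST_MASK)
        if self.source == "any":
            return _bits(ANY_MASK)
        return _bits(self.source)


def order_rules(rules: List[Rule], masks: List[Mask]) -> List[Rule]:
    """Each mask, in entry order, pulls forward the rules whose subnet mask it
    selects; rules no mask selects keep configuration order at the end."""
    ordered: List[Rule] = []
    for mask in masks:
        for rule in rules:
            if rule not in ordered and _bits(rule.mask) == mask.bits():
                ordered.append(rule)
    ordered.extend(r for r in rules if r not in ordered)
    return ordered


def evaluate(src: str, rules: List[Rule], masks: List[Mask]) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; with nothing matched the implicit default is permit."""
    for rule in order_rules(rules, masks):
        if in_range(src, rule.address, rule.mask):
            return rule.action, rule
    return "permit", None


def filter_allows(src: str, entries: List[Tuple[str, str]]) -> bool:
    """IP filter semantics: no entries means open to every address; once any
    entry exists the client must match one of the (address, mask) pairs."""
    if not entries:
        return True
    return any(in_range(src, addr, mask) for addr, mask in entries)


# Constructed to mirror the A2 example above.
ACL_A2 = [
    Rule("permit", "10.1.1.0", "255.255.255.0"),
    Rule("deny", "10.1.1.1", HOST_MASK),
]
MASKS_IN = [Mask("host"), Mask("255.255.255.0")]
```

Run `evaluate("10.1.1.1", ACL_A2, MASKS_IN)` with and without `MASKS_IN` to see the point of the section: with the masks the host deny rule is checked first and 10.1.1.1 is denied; without them the /24 permit rule is reached first and the deny never fires.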
specific VLAN ID(s) or Ethernet type(s). Or check for rules where a packet format was specified. Then click Add.
CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.

Command Attributes

• Port – Fixed port or SFP module. (Range: 1-12)
• IP – Specifies the IP ACL to bind to a port.
• MAC – Specifies the MAC ACL to bind to a port.
• IN – ACL for ingress packets.
• OUT – ACL for egress packets.
CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2.
PORT CONFIGURATION

• Trunk Member (1) – Shows if port is a trunk member.
• Creation (2) – Shows if a trunk is manually configured or dynamically set via LACP.
(1) Port Information only. (2) Trunk Information only.

Web – Click Port, Port Information or Trunk Information.

Field Attributes (CLI)

Basic information:
• Port type – Indicates the port type. (1000BASE-T, 1000BASE-SX, 1000BASE-LX)
• MAC address – The physical layer address for this port.
• Capabilities – Specifies the capabilities to be advertised for a port during auto-negotiation. (To access this item on the web, see “Configuring Interface Connections” on page 3-48.) The following capabilities are supported.
mode.
• Flow control type – Indicates the type of flow control currently in use. (IEEE 802.3x, Back-Pressure or none)

CLI – This example shows the connection status for Port 5.
Configuring Interface Connections

You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.

Command Attributes

• Name – Allows you to label an interface. (Range: 1-64 characters)
• Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g.
stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation. (Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.)
Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.

CLI – Select the interface, and then enter the required settings.

Console(config)#interface ethernet 1/13
Console(config-if)#description RD SW#13
Console(config-if)#shutdown
.
Console(config-if)#no shutdown
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 100half
Console(config-if)#flowcontrol
.
Creating Trunk Groups

You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to six trunks at a time. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
• When configuring static trunks on switches of different types, they must be compatible with the Cisco EtherChannel standard.
• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
• All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN.
and click Add. After you have completed adding ports to the member list, click Apply.
CLI – This example creates trunk 2 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk.
assigned the next available trunk ID.
• If more than four ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
• All ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.

Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.

Console(config)#interface ethernet 1/1
Console(config-if)#lacp
Console(config-if)#exit
. . .
Note – If the port channel admin key (lacp admin key, page 3-26) is not set (through the CLI) when a channel group is formed (i.e., it has a null value of 0), this key is set to the same value as the port admin key used by the interfaces that joined the group (lacp admin key, as described in this section and on page 3-25).

Command Attributes

Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch.
• Port – Port number.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode.

Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
. . .
• LACPDUs Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
• LACPDUs Illegal Pkts – Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.

Web – Click Port, LACP, Port Counters Information.
Displaying LACP Settings and Status for the Local Side

You can display configuration settings and the operational state for the local side of a link aggregation.

Internal Configuration Information
• Oper Key – Current operational value of the key for the aggregation port.
• Admin Key – Current administrative value of the key for the aggregation port.
• LACPDUs Interval – Number of seconds before invalidating received LACPDU information.
• LACP Port Priority – LACP port priority assigned to this interface within the channel group.
• Admin State, Oper State – Administrative or operational values of the actor’s state parameters:
  - Expired – The actor’s receive machine is in the expired state;
  - Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Neighbor Configuration Information
• Partner Admin System ID – LAG partner’s system ID assigned by the user.
• Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
• Partner Admin Port Number – Current administrative value of the port number for the protocol Partner.
• Partner Oper Port Number – Operational port number assigned to this aggregation port by the port’s protocol partner.
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Setting Broadcast Storm Thresholds

Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt. You can protect your network from broadcast storms by setting a threshold for broadcast traffic for each port.
CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
Configuring Port Mirroring

You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.

(Figure: source port(s) mirrored to a single target port)

Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port. Note that default mirroring under the CLI is for both received and transmitted packets.
Configuring Rate Limits

This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Web – Click Rate Limit, Input/Output Port/Trunk Configuration. Set the Input Rate Limit Status or Output Rate Limit Status, then set the rate limit for the individual interfaces, and click Apply.

CLI – This example sets the rate limit for input and output traffic passing through port 1 to 600 Mbps.
since the last system reboot, and are shown as counts per second. Statistics are refreshed every 60 seconds by default.

Note: RMON groups 2, 3 and 9 can only be accessed using SNMP management software such as HP OpenView.

Statistical Values

Interface Statistics
• Received Octets – The total number of octets received on the interface, including framing characters.
• Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
• Transmit Multicast Packets – The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent.
• Transmit Broadcast Packets – The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent.
• Carrier Sense Errors – The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame.
• SQE Test Errors – A count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface.
• Frames Too Long – A count of frames received on a particular interface that exceed the maximum permitted frame size.
• Oversize Frames – The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
• Fragments – The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error.
CLI – This example shows statistics for port 12.
ADDRESS TABLE SETTINGS

Command Attributes
• Static Address Counts* – The number of manually configured addresses.
• Current Static Address Table – Lists all the static addresses.
• Interface – Port or trunk associated with the device assigned a static address.
• MAC Address – Physical address of a device mapped to this interface.
• VLAN – ID of configured VLAN (1-4094).
* Web Only

Web – Click Address Table, Static Addresses.
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.

Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

Displaying the Address Table

The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
CLI – This example also displays the address table entries for port 1.

Console#show mac-address-table interface ethernet 1/1
 Interface Mac Address       Vlan Type
 --------- ----------------- ---- -----------------
 Eth 1/ 1  00-E0-29-94-34-DE    1 Permanent
 Eth 1/ 1  00-20-9C-23-CD-60    2 Learned
Console#

Changing the Aging Time

You can set the aging time for entries in the dynamic address table.

Command Attributes
• Aging Time – The time after which a learned entry is discarded.
CLI – This example sets the aging time to 400 seconds.

Console(config)#mac-address-table aging-time 400
Console(config)#

Spanning Tree Algorithm Configuration

The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
SPANNING TREE ALGORITHM CONFIGURATION

therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

(Figure: designated root, designated bridge, designated port and root port in a stable topology)

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
• Max Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
These additional parameters are only displayed for the CLI:
• Spanning tree mode – Specifies the type of spanning tree used on this switch:
  - STP: Spanning Tree Protocol (IEEE 802.1D)
  - RSTP: Rapid Spanning Tree (IEEE 802.1w)
• Instance* –
• Vlans configuration – VLANs assigned to the CIST.
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device.
• Root Hold Time – The interval (in seconds) during which no more than two bridge configuration protocol data units shall be transmitted by this node.
• Max hops – The max number of hop counts for the MST region.
• Remaining hops – The remaining number of hop counts for the MST instance.
• Transmission limit – The minimum interval between the transmission of consecutive RSTP/MSTP BPDUs.
• Path Cost Method – The path cost is used to determine the best path between devices.
CLI – This command displays global STA settings, followed by settings for each port.

Console#show spanning-tree
Spanning-tree information
--------------------------------------------------------------
Spanning tree mode             :MSTP
Spanning tree enable/disable   :enable
Instance                       :0
VLANs configuration            :1-4094
Priority                       :32768
Bridge Hello Time (sec.)       :2
Bridge Max Age (sec.)          :20
Bridge Forward Delay (sec.)    :15
Root Hello Time (sec.)         :2
Root Max Age (sec.
  - STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  - RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
Root Device Configuration
• Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
• Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals.
between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
  - Long: Specifies 32-bit based values that range from 1-200,000,000. (This is the default.)
  - Short: Specifies 16-bit based values that range from 1-65535.
• Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages.
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
  - All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
• Forward Transitions – The number of times this port has transitioned from the Learning state to the Forwarding state.
• Designated Cost – The cost for a packet to travel from this port to the root in the current Spanning Tree configuration. The slower the media, the higher the cost.
(STA Port Information only)
R: Root Port  A: Alternate Port  D: Designated Port  B: Backup Port

(Figure: an alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port; a backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.)

These additional parameters are only displayed for the CLI:
• Admin status – Shows if this interface is enabled.
an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
• Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
Web – Click Spanning Tree, STA, Port Information or STA Trunk Information.

CLI – This example shows the STA attributes for port 5.

Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
-------------------------------------------------------------
Admin status          : enable
Role                  : disable
State                 : discarding
External path cost    : 10000
Internal path cost    : 10000
Priority              : 128
Designated cost       : 200000
Designated port       : 128.5
Designated root       : 61440.0.
Command Attributes

The following attributes are read-only and cannot be changed:
• STA State – Displays current state of this port within the Spanning Tree. (See Displaying Interface Settings on page 3-136 for additional information.)
  - Discarding – Port receives STA configuration messages, but does not forward packets.
ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the Protocol Migration button to manually re-check the appropriate BPDU format (RSTP or STP-compatible) to send on the selected interfaces. (Default: Disabled)

Web – Click Spanning Tree, STA, Port Configuration or STA Trunk Configuration. Modify the required attributes, then click Apply.
1-4094)

Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
CLI – This displays STA settings for instance 1, followed by settings for each port.

Console#show spanning-tree mst 2
Spanning-tree information
--------------------------------------------------------------
Spanning tree mode             :MSTP
Spanning tree enable/disable   :enable
Instance                       :2
Vlans configuration            :2
Priority                       :4096
Bridge Hello Time (sec.)       :2
Bridge Max Age (sec.)          :20
Bridge Forward Delay (sec.)    :15
Root Hello Time (sec.)         :2
Root Max Age (sec.
CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.

Console(config)#spanning-tree mst-configuration
Console(config-mst)#mst 1 priority 4096
Console(config-mst)#mst 1 vlan 1-5
Console(config-mst)#

Displaying Interface Settings for MSTP

The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
IST (page 3-127), the settings for other instances only apply to the local spanning tree.

Console#show spanning-tree mst 0
Spanning-tree information
--------------------------------------------------------------
Spanning tree mode             :MSTP
Spanning tree enable/disable   :enable
Instance                       :0
Vlans configuration            :1-4094
Priority                       :32768
Bridge Hello Time (sec.)       :2
Bridge Max Age (sec.)          :20
Bridge Forward Delay (sec.)    :15
Root Hello Time (sec.)         :2
Root Max Age (sec.
Configuring Interface Settings for MSTP

You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.

Field Attributes

The following attributes are read-only and cannot be changed:
• STA State – Displays current state of this port within the Spanning Tree. (See Displaying Interface Settings on page 3-136 for additional information.)
the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
VLAN Configuration

Overview

In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment. An IEEE 802.
VLAN CONFIGURATION

• Priority tagging

Assigning Ports to VLANs

Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs.
Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.

Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security.
GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.

Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs (VLAN Index)” on page 3-159). But you can still enable GVRP on these edge switches, as well as on the core switches in the network.
from a VLAN-unaware device, it first decides where to forward the frame, and then inserts a VLAN tag reflecting the ingress port’s default VID.

Enabling or Disabling GVRP (Global Setting)

GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network.
VLANs that can be configured on this switch.
* Web Only

Web – Click VLAN, 802.1Q VLAN, Basic Information.

CLI – Enter the following command.
  - Permanent: Added as a static entry.
• Egress Ports – Shows all the VLAN port members.
• Untagged Ports – Shows the untagged VLAN port members.

Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list.

Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4094, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
  - Dynamic: Automatically learned via GVRP.
  - Static: Added as a static entry.
CLI – Current VLAN information can be displayed with the following command.
Creating VLANs

Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups.

Command Attributes
• Current – Lists all the current VLAN groups created for this system. Up to 255 VLAN groups can be defined. VLAN 1 is the default untagged VLAN.
• New – Allows you to specify the name and numeric identifier for a new VLAN group.
CLI – This example creates a new VLAN.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
  - Enable: VLAN is operational.
  - Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Trunk – Trunk identifier.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
  - Tagged: Interface is a member of the VLAN.
Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply.

CLI – The following example adds tagged and untagged ports to VLAN 2.
• Non-Member – VLANs for which the selected interface is not a tagged member.
Web – Open VLAN, 802.1Q VLAN, Static Membership. Select an interface from the scroll-down box (Port or Trunk). Click Query to display membership information for the interface. Select a VLAN ID, and then click Add to add the interface as a tagged member, or click Remove to remove the interface. After configuring VLAN membership for each interface, click Apply.

CLI – This example adds Port 3 to VLAN 1 as a tagged port, and removes Port 3 from VLAN 2.
bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GVRP registration/deregistration.

Command Attributes
• PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1)
• Acceptable Frame Type – Sets the interface to accept all frame types, including tagged or untagged frames, or only tagged frames.
must be globally enabled for the switch before this setting can take effect. (See “Displaying Bridge Extension Capabilities” on page 3-18.) When disabled, any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports. (Default: Disabled)
• GARP Join Timer* – The interval between transmitting requests/queries to participate in a VLAN group.
* Timer settings must follow this rule: 2 x (join timer) < leave timer < leaveAll timer

Web – Click VLAN, 802.1Q VLAN, Port Configuration or VLAN Trunk Configuration. Fill in the required settings for each interface, click Apply.

CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
Configuring Private VLANs

Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.)

(Figure: uplink ports in the primary VLAN (promiscuous ports); downlink ports in the secondary VLAN (private ports))

Enabling Private VLANs

Use the Private VLAN Status page to enable/disable the Private VLAN function.
Configuring Uplink and Downlink Ports

Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.

Web – Click VLAN, Private VLAN, Link Status. Mark the ports that will serve as uplinks and downlinks for the private VLAN, then click Apply.
port, its VLAN membership can then be determined based on the protocol type being used by the inbound packets.

Command Usage

To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 3-158). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
2.
CLI – The following creates protocol group 1, and then specifies Ethernet frames with IP and ARP protocol types.

Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp
Console(config)#

Mapping Protocols to VLANs

Map a protocol group to a VLAN for each interface that will participate in the group.
Command Attributes
• Interface – Port or trunk identifier.
• Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647)
• VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4094)

Web – Click VLAN, Protocol VLAN, Port Configuration. Select a port or trunk, enter a protocol group ID, the corresponding VLAN ID, and click Apply.
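As an added illustration (not the switch's firmware or the manual's own code), the following Python models how an ingress frame is assigned a VLAN from the rules in this section: an explicit 802.1Q tag, the Acceptable Frame Type, the protocol group mapped on the port (group 1 with IP and ARP, from the CLI example above), and finally the PVID. The decision order, the port settings and the frames are assumptions constructed for the example.

```python
"""Ingress VLAN classification modelled after the protocol VLAN, PVID and
Acceptable Frame Type sections of the manual.  Added illustration, not switch
firmware: protocol group 1 (IP, ARP) comes from the manual's CLI example; the
port settings, decision order and frames are constructed assumptions."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100                        # EtherType value announcing an 802.1Q tag
ETHERTYPE = {"ip": 0x0800, "arp": 0x0806}

# protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip / arp
PROTOCOL_GROUPS: Dict[int, Set[int]] = {1: {ETHERTYPE["ip"], ETHERTYPE["arp"]}}


@dataclass
class PortVlanConfig:
    """Per-port settings from the VLAN Port Configuration page (assumed model)."""
    pvid: int = 1                                   # default PVID is 1
    acceptable_frame_type: str = "all"              # "all" or "tagged"
    protocol_map: Dict[int, int] = field(default_factory=dict)  # group id -> VLAN


@dataclass
class ParsedFrame:
    vid: Optional[int]     # VID from the tag; None if untagged or priority-tagged
    pcp: Optional[int]     # 802.1p priority from the tag, if present
    ethertype: int         # EtherType of the encapsulated protocol


def parse_frame(raw: bytes) -> ParsedFrame:
    """Read the Ethernet header far enough to find the tag (if any) and EtherType."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (first_type,) = struct.unpack_from("!H", raw, 12)
    if first_type != TPID_8021Q:
        return ParsedFrame(vid=None, pcp=None, ethertype=first_type)
    if len(raw) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", raw, 14)
    vid, pcp = tci & 0x0FFF, tci >> 13
    # VID 0 means "priority tagged": the tag carries a priority but no VLAN, so
    # the frame is classified like an untagged one (the "Priority tagging" item).
    return ParsedFrame(vid=vid if vid else None, pcp=pcp, ethertype=ethertype)


def classify_vlan(frame: ParsedFrame, port: PortVlanConfig,
                  groups: Dict[int, Set[int]] = PROTOCOL_GROUPS) -> Optional[int]:
    """Return the VLAN the frame is forwarded in, or None if the port discards it.

    Decision order is an assumption (the manual states each rule, not the order):
    explicit tag, then Acceptable Frame Type, then protocol group, then PVID."""
    if frame.vid is not None:
        return frame.vid
    if port.acceptable_frame_type == "tagged":
        return None                    # untagged frames dropped on a tagged-only port
    for group_id, vlan in port.protocol_map.items():
        if frame.ethertype in groups.get(group_id, set()):
            return vlan                # protocol-based VLAN mapped on this port
    return port.pvid                   # fall back to the port's default VID


def build_frame(ethertype: int, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a minimal test frame (broadcast destination; source MAC reuses
    the address from the manual's static-address example)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("00e0299434de")
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + bytes(46)


if __name__ == "__main__":
    port3 = PortVlanConfig(pvid=1, protocol_map={1: 10})   # group 1 -> VLAN 10
    samples = [("untagged IP", build_frame(ETHERTYPE["ip"])),
               ("untagged IPX 0x8137", build_frame(0x8137)),
               ("tagged VID 20", build_frame(ETHERTYPE["ip"], vid=20, pcp=3)),
               ("priority-tagged ARP", build_frame(ETHERTYPE["arp"], vid=0, pcp=5))]
    for label, raw in samples:
        print(f"{label:>20}: VLAN {classify_vlan(parse_frame(raw), port3)}")
```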
Class of Service Configuration

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
CLASS OF SERVICE CONFIGURATION

* CLI displays this information as “Priority for untagged traffic.”

Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.

CLI – This example assigns a default priority of 5 to port 3.
Mapping CoS Values to Egress Queues

This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
priorities to the traffic classes (i.e., output queues) for the selected interface, then click Apply.

CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
Selecting the Queue Mode

You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
described in “Mapping CoS Values to Egress Queues” on page 3-174, the traffic classes are mapped to one of the eight egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue will be polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
CLI – The following example shows how to assign WRR weights to each of the priority queues.

Console(config)#queue bandwidth 1 3 5 7 9 11 13 15
Console(config)#exit
Console#show queue bandwidth
Information of Eth 1/1
 Queue ID Weight
 -------- ------
        0      1
        1      3
        2      5
        3      7
        4      9
        5     11
        6     13
        7     15
Information of Eth 1/2
 Queue ID Weight
 . . .
Mapping Layer 3/4 Priorities to CoS Values

This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port. If priority bits are used, the ToS octet may contain three bits for IP Precedence or six bits for Differentiated Services Code Point (DSCP) service.
CLI – The following example enables IP Precedence service on the switch.
Mapping IP Precedence

The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth). Bits 6 and 7 are used for network control, and the other bits for various application types.
Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply.

CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Mapping DSCP Priority

The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices, will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table.
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.

Console(config)#map ip dscp
Console(config)#interface ethernet 1/1
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#end
Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
 Port      DSCP COS
 --------- ---- ---
 Eth 1/ 1     0   0
 Eth 1/ 1     1   0
 Eth 1/ 1     2   0
 Eth 1/ 1     3   0
 . . .
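The following Python is an added model (not the switch's implementation or the manual's code) of the path a packet takes through the CoS features in this section: the ToS octet is split into IP Precedence and DSCP, mapped to a CoS value and then to an egress queue, and the queues are served in strict or WRR mode using the weights from the queue bandwidth example above. The one-to-one CoS-to-queue map follows the earlier CLI example; the DSCP-to-CoS default and the scheduler's visiting order are assumptions.

```python
"""CoS pipeline model: ToS octet -> IP Precedence / DSCP -> CoS -> egress queue
-> strict or WRR service.  Added illustration, not the switch's firmware.  WRR
weights are the manual's "queue bandwidth 1 3 5 7 9 11 13 15" example; the
DSCP default table and scheduler details are assumptions."""
from collections import deque
from typing import Deque, Dict, List, Tuple

NUM_QUEUES = 8
EXAMPLE_WRR_WEIGHTS = [1, 3, 5, 7, 9, 11, 13, 15]          # queue 0 .. queue 7

# Default IP Precedence -> CoS mapping is one-to-one (stated in the manual).
PRECEDENCE_TO_COS: Dict[int, int] = {p: p for p in range(8)}
# Assumption: each DSCP maps to the CoS of its class selector (upper three bits),
# i.e. the precedence a ToS-only device would read from the same octet.
DSCP_TO_COS: Dict[int, int] = {d: d >> 3 for d in range(64)}
# CoS -> egress queue, one-to-one as in the "one-to-one mapping" CLI example.
COS_TO_QUEUE: Dict[int, int] = {c: c for c in range(8)}


def split_tos(tos: int) -> Tuple[int, int]:
    """Return (precedence, dscp) from an IPv4 ToS octet.  Precedence is the top
    3 bits and DSCP the top 6, so the DSCP's upper 3 bits equal the precedence:
    that bit layout is the backward compatibility the manual refers to."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS octet must be a single byte")
    return tos >> 5, tos >> 2


def cos_for_tos(tos: int, mode: str) -> int:
    """CoS value for a packet under the enabled Layer 3 priority mode."""
    precedence, dscp = split_tos(tos)
    if mode == "precedence":
        return PRECEDENCE_TO_COS[precedence]
    if mode == "dscp":
        return DSCP_TO_COS[dscp]
    raise ValueError("mode must be 'precedence' or 'dscp'")


def egress_queue_for_tos(tos: int, mode: str) -> int:
    """Queue the packet is placed in after the CoS -> queue mapping."""
    return COS_TO_QUEUE[cos_for_tos(tos, mode)]


def make_backlog(per_queue: int) -> List[Deque[Tuple[int, int]]]:
    """Eight queues, each holding `per_queue` constructed packets tagged (queue, seq)."""
    return [deque((q, i) for i in range(per_queue)) for q in range(NUM_QUEUES)]


def strict_drain(queues: List[Deque]) -> List[int]:
    """Strict mode: everything in a higher queue leaves before any lower queue is
    served.  Returns the queue id of each packet in transmission order."""
    order: List[int] = []
    for q in range(NUM_QUEUES - 1, -1, -1):
        while queues[q]:
            order.append(queues[q].popleft()[0])
    return order


def wrr_round(queues: List[Deque], weights: List[int]) -> List[int]:
    """One WRR round: visit queues 7 down to 0 and send up to `weight` packets
    from each, so with a full backlog queue q gets weight[q]/sum(weights) of the
    round.  Visiting order and per-round quota are assumptions about the scheduler."""
    order: List[int] = []
    for q in range(NUM_QUEUES - 1, -1, -1):
        for _ in range(weights[q]):
            if not queues[q]:
                break
            order.append(queues[q].popleft()[0])
    return order


if __name__ == "__main__":
    print("ToS 0xB8 ->", split_tos(0xB8), "CoS", cos_for_tos(0xB8, "dscp"))
    one_round = wrr_round(make_backlog(20), EXAMPLE_WRR_WEIGHTS)
    print("WRR packets per queue in one round:", [one_round.count(q) for q in range(NUM_QUEUES)])
    print("Strict, first 20 packets from queue:", strict_drain(make_backlog(20))[:20])
```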
Mapping IP Port Priority

You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.

Command Attributes
• IP Port Priority Status – Enables or disables the IP port priority.
• Interface – Selects the port or trunk interface to which the settings apply.
* Mapping specific values for IP Port Priority is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch.

CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic (on port 1) to CoS value 0, and then displays the IP Port Priority settings.
queue; it is not written to the packet itself. For information on mapping the CoS values to output queues, see page 3-174.

Priority  0 1 2 3 4 5 6 7
Queue     1 2 0 3 4 5 6 7

Command Usage

You must configure an ACL mask before you can map CoS values to the rule.

Command Attributes
• Port – Port identifier.
• Name* – Name of ACL.
• Type – Type of ACL (IP or MAC).
• CoS Priority – CoS value used for packets matching an IP ACL rule.
CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#map access-list ip bill cos 0
Console(config-if)#

Changing Priorities Based on ACL Rules

You can change traffic priorities for frames matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) This switch can change the IEEE 802.
Command Attributes
• Port – Port identifier.
• Name* – Name of ACL.
• Type – Type of ACL (IP or MAC).
• Precedence – IP Precedence value. (Range: 0-7)
• DSCP – Differentiated Services Code Point value. (Range: 0-63)
• 802.1p Priority – Class of Service value in the IEEE 802.1p priority tag. (Range: 0-7; 7 is the highest priority)

Web – Click Priority, ACL Marker. Select a port and an ACL rule.
CLI – This example changes the DSCP priority for packets matching an IP ACL rule, and the 802.1p priority for packets matching a MAC ACL rule.
MULTICAST FILTERING continue to receive the multicast service. This procedure is called multicast filtering. The purpose of IP multicast filtering is to optimize a switched network’s performance, so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN).
Note that IGMP neither alters nor routes IP multicast packets. A multicast routing protocol must be used to deliver IP multicast packets across different subnetworks. Therefore, when DVMRP or PIM routing is enabled for a subnet on this switch, you also need to enable IGMP.
IGMP Query (Layer 2 or 3) – IGMP Query can only be enabled globally at Layer 2, but can be enabled for individual VLAN interfaces at Layer 3 (page 3-200). However, note that Layer 2 query is disabled if Layer 3 query is enabled.

Configuring IGMP Snooping and Query Parameters
You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
is also referred to as IGMP Snooping. (Default: Enabled)
• Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic. (Default: Disabled)
• IGMP Query Count — Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
CLI – This example modifies the settings for multicast filtering, and then displays the current status.
You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router/switch for each VLAN ID.

Command Attributes
• VLAN ID – ID of configured VLAN (1-4094).
• Multicast Router List – Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch.

Web – Click IGMP Snooping, Multicast Router Port Information.
interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router. This can ensure that multicast traffic is passed to all the appropriate interfaces within the switch.

Command Attributes
• Interface – Activates the Port or Trunk scroll-down list.
• VLAN ID – Selects the VLAN to propagate all multicast traffic coming from the attached multicast router.
Displaying Port Members of Multicast Services
You can display the port members associated with a specified VLAN and multicast service.

Command Attributes
• VLAN ID – Selects the VLAN for which to display port members.
• Multicast IP Address – The IP address for a specific multicast service.
• Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.
The Type field shows if this entry was learned dynamically or was statically configured.

  Console#show bridge 1 multicast vlan 1
  VLAN M'cast IP addr.  Member ports  Type
  ---- ---------------  ------------  -----
     1 224.1.1.12       Eth1/12       USER
     1 224.1.2.3        Eth1/12       IGMP
  Console#

Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-193.
multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.

CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.

  Console(config)#ip igmp snooping vlan 1 static 224.1.1.
Layer 3 IGMP – This protocol includes a form of multicast query specifically designed to work with multicast routing. A router periodically asks its hosts if they want to receive multicast traffic. It then propagates service requests on to any upstream multicast router to ensure that it will continue to receive the multicast service. Layer 3 IGMP can be enabled for individual VLAN interfaces (page 3-200).

[Figure labels: L3 network core; routing (and multicast routing); L3 IGMP query.]
(Range: 1-4094)
• IGMP Protocol Status (Admin Status) – Enables IGMP on a VLAN interface. (Default: Disabled)
• Last Member Query Interval – A multicast client sends an IGMP leave message when it leaves a group. The router then checks to see if this was the last host in the group by sending a group-specific IGMP query and starting a timer set to this interval. If no reports are received before the timer expires, the group is deleted.
specific multicast service. Only the designated multicast router for a subnet sends host query messages, which are addressed to the all-hosts multicast address 224.0.0.1. For IGMP Version 1, the designated router is elected according to the multicast routing protocol that runs on the LAN. For IGMP Version 2, the designated querier is the multicast router with the lowest IP address on the subnet.
• Robustness Variable – Specifies the robustness (i.e., expected packet loss) for this interface.
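The snooping and query parameters described above (query count, last member query interval, IGMPv2 querier election) can be seen working together in the following model of a snooping forwarding table. This is an added example written for this guide, not the switch's firmware; the port names, group address, router addresses and timer values are constructed, and time is passed in explicitly so the logic runs offline.

```python
"""IGMP snooping forwarding table with IGMPv2 querier election (added example).

A Report adds the receiving port to the group; a member that ignores
`query_count` consecutive general queries is dropped; a Leave arms a timer of
`last_member_query_interval` seconds after which the port is removed unless a
fresh Report arrives; the IGMPv2 querier is the router with the lowest IP.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    port: str
    missed_queries: int = 0                 # consecutive general queries unanswered
    leave_deadline: Optional[float] = None  # set by a Leave, cleared by a Report


class SnoopingTable:
    def __init__(self, query_count: int = 2, last_member_query_interval: float = 1.0):
        self.query_count = query_count
        self.lmqi = last_member_query_interval
        self.groups: Dict[Tuple[int, str], Dict[str, Member]] = {}  # (vlan, group) -> ports

    def report(self, vlan: int, group: str, port: str) -> None:
        """A Membership Report seen on `port` (re)joins that port to the group."""
        members = self.groups.setdefault((vlan, group), {})
        m = members.setdefault(port, Member(port))
        m.missed_queries = 0
        m.leave_deadline = None

    def leave(self, vlan: int, group: str, port: str, now: float) -> None:
        """A Leave Group message arms the last-member timer for that port."""
        m = self.groups.get((vlan, group), {}).get(port)
        if m is not None:
            m.leave_deadline = now + self.lmqi

    def general_query(self, vlan: int) -> None:
        """A General Query went out on the VLAN; every member now owes a Report."""
        for (v, _group), members in self.groups.items():
            if v == vlan:
                for m in members.values():
                    m.missed_queries += 1

    def expire(self, vlan: int, now: float) -> List[Tuple[str, str]]:
        """Drop members whose query response window or last-member timer ran out."""
        dropped = []
        for key, members in list(self.groups.items()):
            if key[0] != vlan:
                continue
            for port, m in list(members.items()):
                timed_out = m.leave_deadline is not None and m.leave_deadline <= now
                if m.missed_queries >= self.query_count or timed_out:
                    del members[port]
                    dropped.append((key[1], port))
            if not members:
                del self.groups[key]
        return dropped

    def egress_ports(self, vlan: int, group: str) -> List[str]:
        """Ports that receive traffic for `group` on `vlan`; nothing is flooded."""
        return sorted(self.groups.get((vlan, group), {}))


def elect_querier(router_addresses: List[str]) -> str:
    """IGMPv2 querier election: the lowest IP address on the subnet wins."""
    return str(min(IPv4Address(a) for a in router_addresses))


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two members, one leaves, the other stops answering."""
    t = SnoopingTable(query_count=2, last_member_query_interval=1.0)
    group = "224.1.2.3"
    t.report(1, group, "Eth1/12")
    t.report(1, group, "Eth1/5")
    after_join = t.egress_ports(1, group)

    t.leave(1, group, "Eth1/5", now=10.0)      # Eth1/5 leaves the group
    t.expire(1, now=10.5)                       # 1 s timer has not expired yet
    still_pending = t.egress_ports(1, group)
    t.expire(1, now=11.0)                       # no Report came back: prune the port
    after_leave = t.egress_ports(1, group)

    t.general_query(1); t.expire(1, now=20.0)   # Eth1/12 ignores query 1: kept
    one_missed = t.egress_ports(1, group)
    t.general_query(1); t.expire(1, now=30.0)   # ignores query 2: dropped
    two_missed = t.egress_ports(1, group)
    return {"after_join": after_join, "still_pending": still_pending,
            "after_leave": after_leave, "one_missed": one_missed,
            "two_missed": two_missed}
```

The `expire` step is where the IGMP Query Count takes effect: the member is removed only after the response window of the second unanswered query has closed, not the moment the second query is sent.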
Web – Click IP, IGMP, Interface Settings. Specify each interface that will support IGMP (Layer 3), specify the IGMP parameters for each interface, then click Apply.

CLI – This example configures the IGMP parameters for VLAN 1.
Displaying Multicast Group Information
When IGMP (Layer 3) is enabled on this switch, the current multicast groups learned via IGMP can be displayed in the IP/IGMP/Group Information page. When IGMP (Layer 3) is disabled and IGMP (Layer 2) is enabled, you can view the active multicast groups in the IGMP Snooping/IP Multicast Registration Table (see page 3-198).
CLI – The following shows the IGMP groups currently active on VLAN 1.

  Console#show ip igmp groups vlan 1
  GroupAddress     InterfaceVlan    Lastreporter     Uptime   Expire   V1Timer
  ---------------  ---------------  ---------------  -------- -------- --------
  234.5.6.8        1                10.1.5.
CONFIGURING DOMAIN NAME SERVICE

DNS client (i.e., not formatted with dotted notation), you can specify a default domain name or a list of domain names to be tried in sequential order.
• If there is no domain list, the default domain name is used. If there is a domain list, the default domain name is not used.
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.

  Console(config)#ip domain-name sample.com
  Console(config)#ip domain-list sample.com.uk
  Console(config)#ip domain-list sample.com.jp
  Console(config)#ip domain-server 192.168.1.55 10.1.0.55
  Console(config)#ip domain-lookup
  Console#show dns
  Domain Lookup Status:
      DNS enabled
  Default Domain Name:
      .
• Alias – Displays the host names that are mapped to the same address(es) as a previously configured entry.

Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.

  Console(config)#ip host rd5 192.168.1.55 10.1.0.55
  Console(config)#ip host rd6 10.1.0.55
  Console#show host
  Hostname
   rd5
  Inet address
   10.1.0.55 192.168.1.55
  Alias
   1.
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated name servers.

Field Attributes
• No – The entry number for each resource record.
• Flag – The flag is always “4”, indicating a cache entry and therefore unreliable.
• Type – This field includes CNAME, which specifies the canonical or primary name for the owner, and ALIAS, which specifies multiple domain names which are mapped to the same IP address as an existing entry.
DYNAMIC HOST CONFIGURATION PROTOCOL

CLI - This example displays all the resource records learned from the designated name servers.

  Console#show dns cache
  NO  FLAG  TYPE   IP               TTL     DOMAIN
  0   4     CNAME  207.46.134.222   51      www.
  1   4     CNAME  207.46.134.190   51
  2   4     CNAME  207.46.134.155   51
  3   4     CNAME  207.46.249.222   51
  4   4     CNAME  207.46.249.27    51
  5   4     ALIAS  POINTER TO:4     51
  6   4     CNAME  207.46.68.27     71964
  7   4     ALIAS  POINTER TO:6     71964
  8   4     CNAME  65.54.131.192    605
  9   4     ALIAS  POINTER TO:8     605
  10  4     CNAME  165.193.72.190   87
  Console#
Configuring DHCP Relay Service
This switch supports DHCP relay service for attached host devices. If DHCP relay is enabled and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then the switch forwards the packet to the DHCP server.

[Figure: the DHCP server provides an IP address compatible with the switch segment to which the client is attached.]
Web – Click DHCP, Relay Configuration. Enter up to five IP addresses for any VLAN, then click Restart DHCP Relay to start the relay service.

CLI – This example specifies one DHCP relay server for VLAN 1, and enables the relay service.

  Console(config)#interface vlan 1
  Console(config-if)#dhcp relay server 10.1.0.
be assigned to hosts based on the client identifier code or MAC address.

  Address Pools:     8 network address pools
  Static Addresses:  32 static addresses (all within the confines of configured network address pools)

Command Usage
• First configure any excluded addresses, including the address for this switch.
• Then configure address pools for the network interfaces. You can configure up to 8 network address pools.
Web – Click DHCP, Server, General. Enter a single address or an address range, and click Add.

CLI – This example enables the DHCP server and sets an excluded address range.

  Console(config)#service dhcp
  Console(config)#ip dhcp excluded-address 10.1.0.250 10.1.0.254
  Console#

Configuring Address Pools
You must configure IP address pools for each IP interface that will provide addresses to attached clients via the DHCP server.
address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server). If there is no gateway in the client request (i.e., the request was not forwarded by a relay server), the switch searches for a network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool.
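The relay behaviour (stamping the relay's interface address into the request) and the server's pool selection rule just described fit together as follows. This is an added example for this guide, not the switch's own code. It reuses the values of the guide's CLI examples (network pool 10.1.0.0/24, host 10.1.0.19 reserved for 00-e0-29-94-34-28, excluded range 10.1.0.250-254) and assumes 10.1.0.253 is the relay's VLAN 1 interface address; the client MACs and transaction IDs are constructed. Only the fixed 236-byte BOOTP header is parsed; options are carried through untouched.

```python
"""DHCP relay (giaddr stamping) and DHCP server pool selection (added example)."""
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Set, Tuple

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # RFC 2131 fixed header, 236 bytes
BOOTREQUEST = 1
MAX_HOPS = 16  # RFC 1542: a relay discards a BOOTREQUEST whose hops field exceeds 16
ZERO_IP = IPv4Address("0.0.0.0")


def build_discover(xid: int, chaddr: bytes) -> bytes:
    """Constructed client DHCPDISCOVER: broadcast flag set, giaddr 0, option 53 = 1."""
    hdr = BOOTP.pack(BOOTREQUEST, 1, len(chaddr), 0, xid, 0, 0x8000,
                     b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                     chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"


def parse_bootp(pkt: bytes) -> Dict[str, object]:
    (op, _htype, hlen, hops, xid, _secs, _flags, _ci, _yi, _si, gi,
     chaddr, _sname, _file) = BOOTP.unpack_from(pkt)
    return {"op": op, "hops": hops, "xid": xid,
            "giaddr": IPv4Address(gi), "chaddr": chaddr[:hlen]}


def relay(pkt: bytes, relay_if_ip: str) -> Optional[bytes]:
    """What the relay does before forwarding to its configured servers: set
    giaddr to the address of the interface the request arrived on (only if the
    client or an earlier relay left it 0.0.0.0) and increment hops."""
    fields = list(BOOTP.unpack_from(pkt))
    if fields[0] != BOOTREQUEST or fields[3] > MAX_HOPS:
        return None                              # not a client request, or looping
    if fields[10] == ZERO_IP.packed:
        fields[10] = IPv4Address(relay_if_ip).packed
    fields[3] += 1
    return BOOTP.pack(*fields) + pkt[BOOTP.size:]


class DhcpServer:
    def __init__(self) -> None:
        self.network_pools: Dict[str, IPv4Network] = {}
        self.host_pools: Dict[str, Tuple[IPv4Address, bytes]] = {}  # name -> (addr, hw addr)
        self.excluded: Set[IPv4Address] = set()
        self.leases: Dict[bytes, IPv4Address] = {}

    def exclude_range(self, first: str, last: str) -> None:
        a, b = int(IPv4Address(first)), int(IPv4Address(last))
        self.excluded.update(IPv4Address(i) for i in range(a, b + 1))

    def select_pool(self, giaddr: IPv4Address, ingress_if_ip: str) -> Optional[IPv4Network]:
        """Relayed request: the pool containing giaddr. Direct request: the pool
        containing the address of the interface it arrived on."""
        anchor = giaddr if giaddr != ZERO_IP else IPv4Address(ingress_if_ip)
        for net in self.network_pools.values():
            if anchor in net:
                return net
        return None

    def offer(self, pkt: bytes, ingress_if_ip: str) -> Optional[IPv4Address]:
        req = parse_bootp(pkt)
        net = self.select_pool(req["giaddr"], ingress_if_ip)
        if net is None:
            return None
        # 1. a manually configured host address inside the matching network pool
        for addr, hw in self.host_pools.values():
            if hw == req["chaddr"] and addr in net:
                return addr
        # 2. otherwise the client's existing lease, or the first address that is
        #    neither excluded, reserved for another host, nor already leased
        chaddr = req["chaddr"]
        if chaddr in self.leases:
            return self.leases[chaddr]
        reserved = {addr for addr, _hw in self.host_pools.values()}
        taken = reserved | self.excluded | set(self.leases.values())
        for addr in net.hosts():
            if addr not in taken:
                self.leases[chaddr] = addr
                return addr
        return None


def demo_server() -> DhcpServer:
    """Server configured like the guide's 'tps' and 'mgr' pool examples."""
    srv = DhcpServer()
    srv.exclude_range("10.1.0.250", "10.1.0.254")   # covers the switch's own 10.1.0.253
    srv.network_pools["tps"] = IPv4Network("10.1.0.0/24")
    srv.host_pools["mgr"] = (IPv4Address("10.1.0.19"), bytes.fromhex("00e029943428"))
    return srv
```

Note that a second relay in the path leaves a non-zero giaddr alone: the server must see the address of the first relay, which is on the client's subnet, or it would pick the wrong pool.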
• Subnet Mask – Specifies the network mask of the client.
• Hardware Address – Specifies the MAC address and protocol used on the client. (Options: Ethernet, IEEE802, FDDI; Default: Ethernet)
• Client-Identifier – A unique designation for the client device, either a text string (1-15 characters) or a hexadecimal value.

Setting the Optional Parameters
• Default Router – The IP address of the primary and alternate gateway router.
Examples

Creating a New Address Pool
Web – Click DHCP, Server, Pool Configuration. Specify a pool name, then click Add.

CLI – This example adds an address pool and enters DHCP pool configuration mode.
Configuring a Network Address Pool
Web – Click DHCP, Server, Pool Configuration. Click the Configure button for any entry. Click the radio button for “Network.” Enter the IP address and subnet mask for the network pool. Configure the optional parameters such as gateway server and DNS server. Then click Apply.

CLI – This example configures a network address pool.

  Console(config)#ip dhcp pool tps
  Console(config-dhcp)#network 10.1.0.0 255.255.255.
Configuring a Host Address Pool
Web – Click DHCP, Server, Pool Configuration. Click the Configure button for any entry. Click the radio button for “Host.” Enter the IP address, subnet mask, and hardware address for the client device. Configure the optional parameters such as gateway server and DNS server. Then click Apply.
CLI – This example configures a host address pool.

  Console(config)#ip dhcp pool mgr
  Console(config-dhcp)#host 10.1.0.19 255.255.255.0
  Console(config-dhcp)#hardware-address 00-e0-29-94-34-28 ethernet
  Console(config-dhcp)#client-identifier text bear
  Console(config-dhcp)#default-router 10.1.0.253
  Console(config-dhcp)#dns-server 10.2.3.4
  Console(config-dhcp)#netbios-name-server 10.1.0.
Web – Click DHCP, Server, IP Binding. You may use the Delete button to clear an address from the DHCP server’s database.

CLI – This example displays the current bindings, and then clears all automatic bindings.

  Console#show ip dhcp binding
  IP               MAC                Lease Time    Start
  ---------------  -----------------  ------------  ----------
  10.1.0.
CONFIGURING ROUTER REDUNDANCY

Configuring Router Redundancy
Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
• Several virtual master routers using the same set of backup routers.

[Figure: Master Router R1 (VRID 23): IP(R1) = 192.168.1.3, IP(VR23) = 192.168.1.3, VR Priority = 255. Master Router R2 (VRID 25): IP(R2) = 192.168.2.17, IP(VR25) = 192.168.2.17, VR Priority = 255. Backup Router R3: for VRID 23, IP(R3) = 192.168.1.4, IP(VR23) = 192.168.1.3, VR Priority = 100; for VRID 25, IP(R3) = 192.168.2.18, IP(VR25) = 192.168.2.17, VR Priority = 100.]

• Several virtual master routers configured for mutual backup and load sharing.
Configuring VRRP Groups
To configure VRRP, select an interface on one router in the group to serve as the master virtual router. The IP address of this physical interface is used as the virtual address for the router group. Now set the same virtual address and a priority on the backup routers, and configure an authentication string. You can also enable the preempt feature, which allows a router to take over as the master router when it comes on line.
fails. However, because the priority of the virtual IP address Owner is the highest, the original master router will always become the active master router when it recovers.
• If two or more routers are configured with the same VRRP priority, the router with the higher IP address is elected as the new master router if the current master fails.
• Preemption – Shows if this router is allowed to preempt the acting master.
• Priority – Priority of this router in the VRRP group.
• AuthType – Authentication mode used to verify VRRP packets from other routers.
Command Attributes (VRRP Group Configuration Detail)
• Associated IP Table – IP interfaces associated with this virtual router group.
• Associated IP – IP address of the virtual router, or secondary IP addresses assigned to the current VLAN interface that are supported by this VRRP group. If this address matches a real interface on this switch, then this interface will become the virtual master router for this VRRP group.
• Authentication Type – Authentication mode used to verify VRRP packets received from other routers. (Options: None, Simple Text)
  - The priority for the VRRP group address owner is automatically set to 255. The priority for backup routers is used to determine which router will take over as the acting master router if the current master fails.
  - If simple text authentication is selected, then you must also enter an authentication string.
Web – Click IP, VRRP, Group Configuration. Select the VLAN ID, enter the VRID group number, and click Add. Click the Edit button for a group entry to open the detailed configuration window. Enter the IP address of a real interface on this router to make it the master virtual router for the group. Otherwise, enter the virtual address for an existing group to make it a backup router.
IP address into the Associated IP Table. Then set any of the other parameters as required, and click Apply.

CLI – This example creates VRRP group 1, sets this switch as the master virtual router by assigning the primary interface address for the selected VLAN to the virtual IP address,
adds a secondary IP address to the VRRP group, sets all of the other VRRP parameters, and then displays the configured settings.

  Console(config)#interface vlan 1
  Console(config-if)#vrrp 1 ip 192.168.1.6
  Console(config-if)#vrrp 1 ip 192.168.2.
Web – Click IP, VRRP, Global Statistics.

CLI – This example displays counters for protocol errors for all the VRRP groups configured on this switch.

  Console#show vrrp router counters
  VRRP Packets with Invalid Checksum : 0
  VRRP Packets with Unknown Error    : 0
  VRRP Packets with Invalid VRID     : 0
  Console#

Displaying VRRP Group Statistics
The VRRP Group Statistics page displays counters for VRRP protocol events and errors that have occurred on a specific VRRP interface.
not pass the authentication check.
• Error IP TTL Packets – Number of VRRP packets received by the virtual router with IP TTL (Time-To-Live) not equal to 255. VRRP advertisements are sent with a TTL of 255 and a receiver must discard any other value, so a packet that has been forwarded through a router is never accepted as coming from an on-link peer.
• Received Priority 0 Packets – Number of VRRP packets received by the virtual router with priority set to 0 (the master announcing that it is giving up the role).
• Error Packet Length Packets – Number of packets received with a packet length less than the length of the VRRP header.
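The counters listed above correspond to the receive-side checks a VRRP router performs on every advertisement. The following added example (written for this guide, not taken from the switch) implements those checks for VRRP version 2 over constructed packets and tallies the results; the counter names are my own labels for the statistics the page lists, and the VRID, addresses and authentication string are constructed.

```python
"""Receive-side VRRP (version 2) validation producing the statistics above (added example).

RFC 3768 advertisement layout: ver/type, VRID, priority, count of IP addresses,
auth type, advertisement interval, checksum, then the IP addresses and 8 bytes
of authentication data. The checksum covers the whole VRRP message.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List

VRRP_HDR = struct.Struct("!BBBBBBH")
AUTH_NONE, AUTH_SIMPLE = 0, 1


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 checksum; computed over a message that already carries its
    checksum the result is 0, which is the verification test below."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def build_advert(vrid: int, priority: int, addrs: List[str],
                 auth: bytes = b"", adver_int: int = 1) -> bytes:
    """Constructed advertisement (what a peer in the group would send)."""
    auth_type = AUTH_SIMPLE if auth else AUTH_NONE
    body = b"".join(IPv4Address(a).packed for a in addrs) + auth.ljust(8, b"\0")[:8]
    hdr = VRRP_HDR.pack((2 << 4) | 1, vrid, priority, len(addrs), auth_type, adver_int, 0)
    return hdr[:6] + struct.pack("!H", checksum(hdr + body)) + body


class VrrpListener:
    COUNTERS = ("accepted", "bad_ttl", "bad_length", "bad_checksum",
                "bad_version", "bad_vrid", "auth_failed", "priority_zero")

    def __init__(self, groups: Dict[int, bytes]) -> None:
        self.groups = groups                       # configured VRID -> auth string (b"" = none)
        self.counters = {name: 0 for name in self.COUNTERS}

    def _count(self, name: str) -> str:
        self.counters[name] += 1
        return name

    def receive(self, ip_ttl: int, payload: bytes) -> str:
        # TTL must still be 255: anything that crossed a router was decremented,
        # so off-link packets are rejected before the payload is even parsed.
        if ip_ttl != 255:
            return self._count("bad_ttl")
        if len(payload) < VRRP_HDR.size:
            return self._count("bad_length")
        if checksum(payload) != 0:
            return self._count("bad_checksum")
        ver_type, vrid, priority, count, auth_type, _adver, _ck = VRRP_HDR.unpack_from(payload)
        if ver_type >> 4 != 2:
            return self._count("bad_version")
        if len(payload) < VRRP_HDR.size + 4 * count + 8:   # stricter than the header-only check
            return self._count("bad_length")
        if vrid not in self.groups:
            return self._count("bad_vrid")
        expected = self.groups[vrid]
        auth_data = payload[VRRP_HDR.size + 4 * count:][:8].rstrip(b"\0")
        if auth_type != (AUTH_SIMPLE if expected else AUTH_NONE) or auth_data != expected:
            return self._count("auth_failed")
        self.counters["accepted"] += 1
        if priority == 0:                          # master resigning: valid, counted separately
            return self._count("priority_zero")
        return "accepted"
```

The TTL test is the only one of these that an on-link attacker cannot satisfy by simply copying a captured advertisement, since the simple text authentication string travels in the clear on the same LAN.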
Web – Click IP, VRRP, Group Statistics. Select the VLAN and virtual router group.

CLI – This example displays VRRP protocol statistics for group 1, VLAN 1.
Configuring HSRP Groups
To configure HSRP, assign the same virtual router address to each router in the group. Set the highest virtual router priority on the router that will serve as the master. Enable the preempt feature to allow a router to take over as the master when it comes on line (if it has a higher priority). To configure the backup routers with an order of precedence for assuming the role of master, set the appropriate priority on each of these routers.
for HSRP such as authentication, tracking, or advertisement interval, then first configure these parameters before enabling HSRP.
• HSRP creates a virtual MAC address for the master router based on a standard prefix (00-00-0C-07-AC for HSRP version 1), with the last octet equal to the group ID. When a backup router takes over as the master, it continues to forward traffic addressed to this virtual MAC address.
sends other messages indicating that it is no longer acting as the designated router.
• You can add a delay to the preempt function to give additional time to receive an advertisement message from the current master before taking control. If the router attempting to become the master has just come on line, this delay also gives it time to gather information for its routing table before actually preempting the currently active master router.
• HSRP advertisements from the master and standby virtual router include information about their priority, timer values, and current state as the master or standby router.
  - Routers on which the timer settings have not been configured can learn the current timer values from the master or standby router.
  - Timers configured on the master router always override any other timer settings.
  - All routers in an HSRP group should be configured with the same timer values.
to the string configured on this router. If the strings match, the message is accepted. Otherwise, the packet is discarded. Plain text authentication does not provide any real security. It is supported only to prevent a misconfigured router from participating in HSRP.
• Virtual IP – IP address of the virtual router, or secondary IP addresses assigned to the current VLAN interface that are supported by the HSRP group.
Click the Edit button for a group entry to open the detailed configuration window. Set the values for the advertisement interval, preemption, priority, and authentication as required. Enter the virtual IP address for the group. You can also enter secondary IP addresses that will be supported by the group.
the corresponding value by which to adjust the priority when the interface state changes. Then click Apply.
CLI – This example creates HSRP group 1, sets the virtual router’s address, adds a secondary IP address to the group, specifies an interface for tracking, sets all the other HSRP parameters, and then displays the configured settings.

  Console(config)#interface vlan 1
  Console(config-if)#standby 1 ip 192.168.1.7
  Console(config-if)#standby 1 ip 192.168.2.
IP Routing Overview
This switch supports IP routing and routing path management via static routing definitions (page 3-269) and dynamic routing such as RIP (page 3-273) or OSPF (page 3-285). When IP routing is enabled (page 3-274), this switch acts as a wire-speed router, passing traffic between VLANs using different IP interfaces, and routing traffic to external IP networks. However, when the switch is first booted, no default routing is defined.
IP ROUTING

[Figure: inter-subnet traffic between VLAN 1 and VLAN 2 passes through routing (Layer 3 switching); intra-subnet traffic within a VLAN is bridged (Layer 2 switching). Ports in each VLAN may carry tagged or untagged frames.]

IP Switching
IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
However, if the MAC address is not yet known to the switch, an Address Resolution Protocol (ARP) packet with the destination IP address is broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
calculated only during setup. Once the route has been determined, all packets in the current flow are simply switched or forwarded across the chosen path. This takes advantage of the high throughput and low latency of switching by enabling the traffic to bypass the routing engine once the path calculation has been performed.
OSPFv2 Dynamic Routing Protocol
OSPF overcomes the main limitations of RIP. It is a link state routing protocol that generates a shortest-path tree and then builds its routing table from this tree. OSPF produces a more stable network because the participating routers act on network changes predictably and simultaneously, converging on the best route more quickly than RIP. Moreover, when several equal-cost routes to a destination exist, traffic can be distributed equally among them.
• This command affects both static and dynamic unicast routing. If IP routing is enabled, all IP packets are routed using either static routing or dynamic routing via RIP or OSPF, and packets for all non-IP protocols (e.g., NetBEUI, NetWare or AppleTalk) are switched based on MAC addresses. If IP routing is disabled, all packets are switched, with filtering and forwarding decisions based strictly on MAC addresses.
Configuring IP Routing Interfaces
You can specify the IP subnets connected to this router by manually assigning an IP address to each VLAN, or by using the RIP or OSPF dynamic routing protocol to identify routes that lead to other interfaces by exchanging protocol messages with other routers on the network.
  If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the address server. Requests will be broadcast periodically by the router for an IP address. (DHCP/BOOTP values include the IP address and subnet mask.)
• IP Address – Address of the VLAN interface. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
• Subnet Mask – This mask identifies the host address bits used for routing to specific subnets.
Web - Click IP, General, Routing Interface. Specify an IP interface for each VLAN that will support routing to other subnets. First specify a primary address, and click Set IP Configuration. If you need to assign secondary addresses, enter these addresses one at a time, and click Set IP Configuration after entering each address.

CLI - This example sets a primary IP address for VLAN 1, and then adds a secondary IP address for a different subnet also attached to this router interface.
Address Resolution Protocol
If IP routing is enabled (page 3-250), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP packet is received by this router (or any standards-based router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
Proxy ARP
When a node in the attached subnetwork does not have routing or a default gateway configured, Proxy ARP can be used to forward ARP requests to a remote subnetwork. When the router receives an ARP request for a remote network and Proxy ARP is enabled, it determines if it has the best route to the remote network, and then answers the ARP request by sending its own MAC address to the requesting node. Because the router then answers for every remote destination it can route to, enable Proxy ARP only on VLAN interfaces whose hosts actually lack a default gateway.
Command Attributes
• Timeout – Sets the aging time for dynamic entries in the ARP cache. (Range: 300 - 86400 seconds; Default: 1200 seconds or 20 minutes)
• Proxy ARP – Enables or disables Proxy ARP for specified VLAN interfaces.

Web - Click IP, ARP, General. Set the timeout to a suitable value for the ARP cache, enable Proxy ARP for subnetworks that do not have routing or a default gateway, and click Apply.

CLI - This example sets the ARP cache timeout for 15 minutes (i.e.
can only remove a static entry via the configuration interface.

Command Attributes
• IP Address – IP address statically mapped to a physical MAC address. (Valid IP addresses consist of four numbers, 0 to 255, separated by periods.)
• MAC Address – MAC address statically mapped to the corresponding IP address. (Valid MAC addresses are hexadecimal numbers in the format: xx-xx-xx-xx-xx-xx.)
• Entry Count – The number of static entries in the ARP cache.
Command Attributes
• IP Address – IP address of a dynamic entry in the cache.
• MAC Address – MAC address mapped to the corresponding IP address.
• Interface – VLAN interface associated with the address entry.
• Dynamic to Static* – Changes a selected dynamic entry to a static entry.
• Clear All* – Deletes all dynamic entries from the ARP cache.
• Entry Count – The number of dynamic entries in the ARP cache.
* These buttons take effect immediately.
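The ARP cache behaviour described in this section (a configurable aging timeout for dynamic entries, static entries that are never aged and can only be removed through configuration, Dynamic to Static, Clear All) and the Proxy ARP decision from the previous page are modelled together below. This is an added example for this guide, not the switch's own code. The 15-minute timeout, the 10.1.0.0/24 subnet on VLAN 1 and the route to 192.168.1.0/24 via 192.168.5.254 come from the guide's CLI examples; the MAC addresses, the choice of VLAN 2 as the egress VLAN for that route and the explicit clock are constructed.

```python
"""ARP cache with aging, static entries and a Proxy ARP decision (added example)."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple


class ArpCache:
    def __init__(self, timeout: int = 1200) -> None:
        self.timeout = timeout                      # seconds, dynamic entries only
        self.entries: Dict[IPv4Address, dict] = {}

    def add_static(self, ip: str, mac: str, vlan: int) -> None:
        """Operator-configured mapping: never aged, never overwritten from the wire."""
        self.entries[IPv4Address(ip)] = {"mac": mac, "vlan": vlan, "static": True, "ts": None}

    def learn(self, ip: str, mac: str, vlan: int, now: float) -> bool:
        """Dynamic learning from a received ARP packet. Returns False when a
        static entry already covers the address, so a spoofed reply claiming
        the gateway's IP cannot displace the configured MAC."""
        key = IPv4Address(ip)
        if key in self.entries and self.entries[key]["static"]:
            return False
        self.entries[key] = {"mac": mac, "vlan": vlan, "static": False, "ts": now}
        return True

    def age(self, now: float) -> None:
        for key, e in list(self.entries.items()):
            if not e["static"] and now - e["ts"] >= self.timeout:
                del self.entries[key]

    def lookup(self, ip: str, now: float) -> Optional[str]:
        self.age(now)
        e = self.entries.get(IPv4Address(ip))
        return e["mac"] if e else None

    def dynamic_to_static(self, ip: str) -> bool:
        e = self.entries.get(IPv4Address(ip))
        if e is None:
            return False
        e["static"], e["ts"] = True, None
        return True

    def clear_dynamic(self) -> int:
        """'Clear All' removes dynamic entries only; static entries stay."""
        dynamic = [k for k, e in self.entries.items() if not e["static"]]
        for k in dynamic:
            del self.entries[k]
        return len(dynamic)

    def count(self, static: bool) -> int:
        return sum(1 for e in self.entries.values() if e["static"] == static)


class ProxyArpRouter:
    def __init__(self, routes: List[Tuple[str, Optional[str], int]],
                 proxy_arp_vlans: Set[int], own_mac: str) -> None:
        # (prefix, next hop or None for a directly connected subnet, egress VLAN)
        self.routes = [(IPv4Network(p), nh, vlan) for p, nh, vlan in routes]
        self.proxy_arp_vlans = proxy_arp_vlans
        self.own_mac = own_mac

    def best_route(self, dst: str) -> Optional[Tuple[IPv4Network, Optional[str], int]]:
        """Longest-prefix match over the routing table."""
        matches = [r for r in self.routes if IPv4Address(dst) in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def proxy_arp_reply(self, target_ip: str, ingress_vlan: int) -> Optional[str]:
        """Answer an ARP request for `target_ip` seen on `ingress_vlan` with our
        own MAC only if Proxy ARP is enabled there, we hold a route to the
        target, and that route leaves through a different interface (a target
        on the requester's own subnet must answer for itself)."""
        if ingress_vlan not in self.proxy_arp_vlans:
            return None
        route = self.best_route(target_ip)
        if route is None or route[2] == ingress_vlan:
            return None
        return self.own_mac
```

Pinning the gateway and management addresses as static entries is the practical use of the static table: a dynamic entry can be replaced by whatever the next ARP reply claims, a static one cannot.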
CLI - This example shows all entries in the ARP cache.

  Console#show arp
  Arp cache timeout: 1200 (seconds)

  IP Address
  ---------------
  10.1.0.0
  10.1.0.11
  10.1.0.12
  10.1.0.19
  10.1.0.253
  10.1.0.
Web - Click IP, ARP, Other Addresses.

CLI - This router uses the Type specification “other” to indicate local cache entries in the ARP cache.

  Console#show arp
  Arp cache timeout: 1200 (seconds)

  IP Address
  ---------------
  10.1.0.0
  10.1.0.11
  10.1.0.12
  10.1.0.19
  10.1.0.253
  10.1.0.
• Sent Request – Number of ARP Request packets sent by the router.
• Sent Reply – Number of ARP Reply packets sent by the router.

Web - Click IP, ARP, Statistics.

CLI - This example provides detailed statistics on common IP-related protocols.
Displaying Statistics for IP Protocols

IP Statistics
The Internet Protocol (IP) provides a mechanism for transmitting blocks of data (often called packets or frames) from a source to a destination, where these network devices (i.e., hosts) are identified by fixed length addresses. The Internet Protocol also provides for fragmentation and reassembly of long packets, if necessary, for transmission through “small packet” networks.
• Datagrams Failing Fragmentation – The number of datagrams that have been discarded because they needed to be fragmented at this entity but could not be, e.g., because their “Don't Fragment” flag was set.
• Received Header Errors – The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, etc.
Web - Click IP, Statistics, IP.

CLI - See the example on page 3-261.

ICMP Statistics
Internet Control Message Protocol (ICMP) is a network layer protocol that transmits message packets to report errors in processing IP packets. ICMP is therefore an integral part of the Internet Protocol.
• Destination Unreachable – The number of ICMP Destination Unreachable messages received/sent.
• Time Exceeded – The number of ICMP Time Exceeded messages received/sent.
• Parameter Problems – The number of ICMP Parameter Problem messages received/sent.
• Source Quenches – The number of ICMP Source Quench messages received/sent.
• Redirects – The number of ICMP Redirect messages received/sent.
• Echos – The number of ICMP Echo (request) messages received/sent.
Web - Click IP, Statistics, ICMP.

CLI - See the example on page 3-261.

UDP Statistics
User Datagram Protocol (UDP) provides a datagram mode of packet-switched communications. It uses IP as the underlying transport mechanism, providing access to IP-like services. UDP packets are delivered just like IP packets: connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
• Receive Errors – The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
• No Ports – The total number of received UDP datagrams for which there was no application at the destination port.

Web - Click IP, Statistics, UDP.

CLI - See the example on page 3-261.
• Failed Connection Attempts – The number of times TCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.
• Current Connections – The number of TCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT.
• Receive Errors – The total number of segments received in error (e.g.
required to access network segments where dynamic routing is not supported, or can be set to force the use of a specific route to a subnet, rather than using dynamic routing. Static routes do not automatically change in response to changes in network topology, so you should only configure a small number of stable routes to ensure network accessibility.
Command Attributes
• Interface – Index number of the IP interface.
Web - Click IP, Routing, Static Routes.
CLI - This example forwards all traffic for subnet 192.168.1.0 to the router 192.168.5.254, using the default metric of 1.
Console(config)#ip route 192.168.1.0 255.255.255.0 192.168.5.254
Console(config)#
Displaying the Routing Table
You can display all the routes that can be accessed via the local network interfaces, via static routes, or via a dynamically learned route.
• Netmask – Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
• Next Hop – The IP address of the next hop (or gateway) in this route.
• Protocol – The protocol which generated this route information. (Options: local, static, RIP, OSPF)
• Metric – Cost for this interface.
• Entry Count – The number of table entries.
Web - Click IP, Routing, Routing Table.
Configuring the Routing Information Protocol
RIP is one of the oldest and most widely deployed interior routing protocols. It uses a distance-vector approach: routes are chosen by minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost. Each router broadcasts its advertisement every 30 seconds, together with any updates to its routing table.
• There are several serious problems with RIP that you should consider. RIP version 1 has no knowledge of subnets. Both RIP versions can take a long time to converge on a new route after the failure of a link or router, during which time routing loops may occur. The small hop count limit of 15 restricts RIP to smaller networks. RIPv1 also carries no authentication at all, so any host on a RIP-enabled segment can inject routes; where RIP must be used, run RIPv2 with authentication enabled on every participating interface.
- The timers must be set to the same values for all routers in the network.
Command Attributes
Global Settings
• RIP Routing Process – Enables RIP routing for all IP interfaces on the router. (Default: Disabled)
• Global RIP Version – Specifies a RIP version used globally by the router. (Default: RIP Version 1)
Timer Settings
• Update – Sets the rate at which updates are sent.
Web - Click Routing Protocol, RIP, General Settings. Enable or disable RIP, set the RIP version used on previously unset interfaces to RIPv1 or RIPv2, set the basic update timer, and then click Apply.
CLI - This example sets the router to use RIP Version 2, and sets the basic timer to 15 seconds.
0 - 127 is class A, and only the first field in the network address is used.
128 - 191 is class B, and the first two fields in the network address are used.
192 - 223 is class C, and the first three fields in the network address are used.
Command Attributes
• Subnet Address – IP address of a network directly connected to this router.
Web - Click Routing Protocol, RIP, Network Addresses. Add all interfaces that will participate in RIP, and click Apply.
message type sent (i.e., RIP version or compatibility mode), the method for preventing loopback of protocol messages, and whether or not authentication is used (i.e., authentication only applies if RIPv2 messages are being sent or received).
Command Usage
Specifying Receive and Send Protocol Types
• Setting the RIP Receive Version or Send Version for an interface overrides the global setting specified by the RIP / General Settings, Global RIP Version field.
retransmission of data traffic. When protocol packets are caught in a loop, links will be congested, and protocol packets may be lost. However, the network will slowly converge to the new state. RIP utilizes the following three methods that can provide faster convergence when the network topology changes and prevent most loops from occurring:
• Split Horizon – Never propagate routes back to an interface port from which they have been acquired.
• Send Version – The RIP version to send on an interface.
- RIPv1: Sends only RIPv1 packets.
- RIPv2: Sends only RIPv2 packets.
- RIPv1 Compatible: Route information is broadcast to other routers with RIPv2. (Default)
- Do Not Send: Does not transmit RIP updates.
Web - Click Routing Protocol, RIP, Interface Settings. Select the RIP protocol message types that will be received and sent, the method used to provide faster convergence and prevent loopback (i.e., prevent instability in the network topology), and the authentication option and corresponding password. Then click Apply.
CLI - This example sets the receive version to accept both RIPv1 or RIPv2 messages, the send mode to RIPv1 compatible (i.e.
RIP Information and Statistics
Globals
• RIP Routing Process – Indicates if RIP has been enabled or disabled.
• Update Time in Seconds – The interval at which RIP advertises known route information. (Default: 30 seconds)
• Number of Route Changes – Number of times routing information has changed.
• Number of Queries – Number of router database queries received by this router.
Interface Information
• Interface – IP address of the interface.
Web - Click Routing Protocol, RIP, Statistics.
CLI - The information displayed by the RIP Statistics screen via the web interface can be accessed from the CLI using the following commands.
Console#show rip globals
RIP Process: Enabled
Update Time in Seconds: 30
Number of Route Change: 4
Number of Queries: 0
Console#show ip rip configuration
Interface        SendMode        ReceiveMode   Poison   Authentication
---------------  --------------  ------------  -------  --------------
10.1.0.
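The convergence problems listed under Command Usage for RIP above (slow convergence after a link failure, routing loops while the network settles, the hop count limit of 15) and the split horizon countermeasure can be observed directly in a small distance-vector simulation. The following Python is an added example written for this topic; it is not part of the SMC guide or of the switch firmware, and the three-router chain, the link costs and the synchronous update rounds are constructed for illustration (a real RIP router times its updates independently, which only makes the loop last longer).

```python
"""Distance-vector (RIP-style) convergence simulation.

Added example, not part of the SMC guide or firmware. The topology and
the synchronous "everyone advertises at once" rounds are constructed
for illustration. A RIP metric of 16 means unreachable (15-hop limit).
"""

INFINITY = 16  # RIP "infinity": hop count limit is 15


def _run(links, dest, table, split_horizon, max_rounds):
    """Iterate Bellman-Ford rounds until no router changes its entry.

    links:  {router: {neighbor: link_cost}}
    table:  {router: (metric, next_hop)} for the single destination `dest`
    Returns (rounds_used, final_table).
    """
    table = dict(table)
    for rnd in range(1, max_rounds + 1):
        new = {}
        for r, nbrs in links.items():
            if r == dest:
                new[r] = (0, dest)
                continue
            # A directly connected destination is always a candidate.
            best = (nbrs[dest], dest) if dest in nbrs else (INFINITY, None)
            for n, cost in nbrs.items():
                adv_metric, adv_next = table[n]
                # Split horizon with poison reverse: a neighbour that reaches
                # `dest` through r advertises the route back to r as
                # unreachable, so r can never pick that neighbour as next hop.
                if split_horizon and adv_next == r:
                    adv_metric = INFINITY
                cand = min(INFINITY, adv_metric + cost)
                if cand < best[0]:
                    best = (cand, n)
            new[r] = best
        if new == table:
            return rnd, table
        table = new
    return max_rounds, table


def simulate(links, dest, fail_link, split_horizon, max_rounds=64):
    """Converge on the healthy topology, cut `fail_link`, and report how many
    rounds the network needs to settle again and what it settles on."""
    table = {r: (INFINITY, None) for r in links}
    table[dest] = (0, dest)
    _, table = _run(links, dest, table, split_horizon, max_rounds)
    a, b = fail_link
    cut = {r: {n: c for n, c in nbrs.items() if {r, n} != {a, b}}
           for r, nbrs in links.items()}
    return _run(cut, dest, table, split_horizon, max_rounds)


# Constructed topology: A -- B -- C, all links cost 1, destination is A.
CHAIN = {"A": {"B": 1}, "B": {"A": 1, "C": 1}, "C": {"B": 1}}

if __name__ == "__main__":
    for sh in (False, True):
        rounds, table = simulate(CHAIN, "A", ("A", "B"), split_horizon=sh)
        print(f"split horizon={sh}: settled after {rounds} rounds -> {table}")
```

Without split horizon, B and C advertise the dead route to each other and count up in steps of one until the metric reaches 16, which is exactly why the hop limit is kept so small; with poison reverse the route is withdrawn in a couple of rounds. Triggered updates (also used by RIP) shorten the wall-clock time further but do not change the number of exchanges the loop needs.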
Configuring the Open Shortest Path First Protocol
Open Shortest Path First (OSPF) is better suited than RIP to large networks whose links change frequently, and it handles subnets properly. OSPF actively tests the status of each link to its neighbors, uses the resulting link-state information to generate a shortest path tree, and builds a routing table from it. OSPF then utilizes IP multicast to propagate routing information.
Command Usage
• OSPF looks at more than just the simple hop count. When adding the shortest path to any node into the tree, the optimal path is chosen on the basis of a per-link cost, which the administrator sets to reflect delay, throughput and connectivity rather than hop count alone. OSPF utilizes IP multicast to reduce the amount of routing traffic required when sending or receiving routing path updates. The separate routing area scheme used by OSPF further reduces the amount of routing traffic, because link-state advertisements are flooded only within their own area, and this also limits how far the advertisements of a misconfigured or compromised router can propagate.
- And finally, you must specify a virtual link to any OSPF area that is not physically attached to the OSPF backbone. Virtual links can also be used to provide a redundant link between contiguous areas to prevent areas from being partitioned, or to merge backbone areas.
systems to which it may be attached. If a router is enabled as an ASBR, then every other router in the autonomous system can learn about external routes from this device. (Default: Disabled)
• Rfc1583 Compatible – If one or more routers in a routing domain run an OSPF implementation based on the older RFC 1583 specification of OSPF Version 2, this router should use RFC 1583 compatibility mode so that all routers apply the same rules when choosing among summary and external routes. RFC 2328 recommends that every router in a domain use the same setting, because mixing the RFC 1583 and RFC 2328 preference rules can produce routing loops.
or static configuration, and such a route is known. (See "Redistributing External Routes" on page 3-310.)
• External Metric Type 2 – The external link type used to advertise the default route. Type 1 route advertisements add the internal cost to the external route metric. Type 2 routes do not add the internal cost metric. When comparing Type 2 routes, the internal cost is only used as a tie-breaker if several Type 2 routes have the same cost.
Web - Click Routing Protocol, OSPF, General Configuration. Enable OSPF, specify the Router ID, configure the other global parameters as required, and click Apply.
CLI - This example configures the router with the same settings as shown in the screen capture for the web interface.
Console(config)#router ospf
Console(config-router)#router-id 10.1.1.
Configuring OSPF Areas
An autonomous system must be configured with a backbone area, designated by area identifier 0.0.0.0. By default, all other areas are created as normal transit areas. Routers in a normal area may import or export routing information about individual nodes. To reduce the amount of routing traffic flooded onto the network, you can configure an area to export a single summarized route that covers a broad range of network addresses within the area (page 3-295).
• By default, a stub can only pass traffic to other areas in the autonomous system via the default external route. However, you also can configure an area border router to send Type 3 summary link advertisements into the stub.
• NSSA – A not-so-stubby area (NSSA) is similar to a stub. It blocks most external routing information, and can be configured to advertise a single default route for traffic passing between the NSSA and other areas within the autonomous system (AS).
Command Usage
• Before you create a stub or NSSA, first specify the address range for an area using the Network Area Address Configuration screen (page 3-305).
• Stubs and NSSAs cannot be used as a transit area, and should therefore be placed at the edge of the routing domain.
• A stub or NSSA can have multiple ABRs or exit points.
Web - Click Routing Protocol, OSPF, Area Configuration. Set any area to a stub or NSSA as required, specify the cost for the default summary route sent into a stub, and click Apply.
CLI - This example configures area 0.0.0.1 as a normal area, area 0.0.0.2 as a stub, and area 0.0.0.3 as an NSSA. It also configures the router to propagate a default summary route into the stub and sets the cost for this default route to 10.
Console(config-router)#network 10.1.1.0 255.255.255.0 area 0.0.
Console#show ip ospf
Routing Process with ID 192.168.1.253
Supports only single TOS(TOS0) route
Number of area in this router is 3
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 1
SPF algorithm executed 40 times
Area 0.0.0.2 (STUB)
Number of interfaces in this area is 1
SPF algorithm executed 8 times
Area 0.0.0.
Command Attributes
• Area ID – Identifies an area for which the routes are summarized. (The area ID must be in the form of an IP address.)
• Range Network – Base address for the routes to summarize.
• Range Netmask – Network mask for the summary route.
• Advertising – Indicates whether or not to advertise the summary route. If the summary is not sent, the routes remain hidden from the rest of the network.
The configured summary route is shown in the list of information displayed for area 1.
Console(config-router)#area 0.0.0.1 range 10.1.1.0 255.255.255.0
Console(config-router)#end
Console#show ip ospf
Routing Process with ID 10.1.1.253
Supports only single TOS(TOS0) route
Number of area in this router is 4
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 0
SPF algorithm executed 47 times
Area 0.0.0.
• Designated Router – Designated router for this area.
• Backup Designated Router – Designated backup router for this area.
• Entry Count – The number of IP interfaces assigned to this VLAN.
Note: This router supports up to 64 OSPF interfaces.
Detail Interface Configuration
• VLAN ID – The VLAN corresponding to the selected interface.
• Rtr Priority – Sets the interface priority for this router.
- The transmit delay must be the same for all routers in an autonomous system. On slow links, the router may send packets more quickly than devices can receive them. To avoid this problem, you can use the transmit delay to force the router to wait a specified interval between transmissions.
• Retransmit Interval – Sets the time between resending link-state advertisements. (Range: 1-65535 seconds; Default: 1)
- A router will resend an LSA to a neighbor if it receives no acknowledgment.
• Authentication Type – Specifies the authentication type used for an interface. (Options: None, Simple password, MD5; Default: None)
- Use authentication to prevent routers from inadvertently joining an unauthorized area. Configure routers in the same area with the same password or key.
- When using simple password authentication, the password is carried in every OSPF packet in cleartext. If it does not match the password configured on the receiving router, the packet is discarded. Because anyone who can capture traffic on the segment can read the password and then inject their own OSPF packets, simple password authentication protects only against accidental misconfiguration, not against an attacker; use MD5 wherever the neighboring routers support it.
- Normally, only one key is used per interface to generate authentication information for outbound packets and to authenticate incoming packets. Neighbor routers must use the same key identifier and key value.
- When changing to a new key, the router will send multiple copies of all protocol messages, one with the old key and another with the new key. Once all the neighboring routers start sending protocol messages back to this router with the new key, the router will stop using the old key.
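The difference between the two authentication types described above, and the key rollover mechanism that the key identifier makes possible, is easier to see in code. The following Python is an added example, not part of the SMC guide or the switch firmware; it implements the OSPFv2 header and the cryptographic authentication procedure of RFC 2328 Appendix D (MD5 over the packet followed by the 16-byte key, digest appended after the packet, non-decreasing per-neighbor sequence number). The router IDs, the keys and the Hello body are constructed values, and the verifier's replay policy is the one RFC 2328 describes rather than anything known about this switch's implementation. The same keyed-digest idea, with a different packet layout, is what makes the RIPv2 authentication option on the RIP Interface Settings page worth turning on.

```python
"""OSPF cryptographic (MD5) authentication per RFC 2328 Appendix D.

Added example, not part of the SMC guide or firmware. It builds OSPF
packets with simple-password and MD5 authentication and verifies the
MD5 variant, including the per-neighbour sequence-number replay check and
the key-ID lookup that makes key rollover possible. Router IDs, keys and
the Hello body are constructed values.
"""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HEADER_FMT = "!BBH4s4sHH8s"    # version, type, length, router id, area id,
                                # checksum, AuType, 8-byte authentication field
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
DIGEST_LEN = 16


def _pad_key(key: bytes) -> bytes:
    # RFC 2328 D.4.3: the key is 16 octets; shorter keys are zero-padded.
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_simple_packet(router_id: bytes, area_id: bytes, password: bytes, body: bytes) -> bytes:
    """AuType 1: the password itself rides in the header, readable on the wire."""
    auth = password[:8].ljust(8, b"\x00")
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, HEADER_LEN + len(body),
                         router_id, area_id, 0, AUTH_SIMPLE, auth)
    return header + body


def build_md5_packet(router_id: bytes, area_id: bytes, key_id: int, key: bytes,
                     seq: int, body: bytes) -> bytes:
    """AuType 2: authentication field = 0, key ID, digest length, sequence number;
    checksum is zero; MD5(packet || padded key) is appended after the packet."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, HEADER_LEN + len(body),
                         router_id, area_id, 0, AUTH_MD5, auth)
    packet = header + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


class Md5Verifier:
    """Receiving side. `keys` maps key ID -> key; holding both the old and the
    new ID during a rollover is what lets neighbours switch keys without a gap."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.last_seq = {}   # router id -> highest sequence number accepted

    def verify(self, wire: bytes):
        if len(wire) < HEADER_LEN + DIGEST_LEN:
            return False, "too short"
        (ver, _typ, length, rid, _aid, csum, autype,
         auth) = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
        if ver != OSPF_VERSION or autype != AUTH_MD5:
            return False, "not md5-authenticated"
        if csum != 0:
            return False, "checksum must be zero with md5 auth"
        _zero, key_id, alen, seq = struct.unpack("!HBBI", auth)
        if alen != DIGEST_LEN or length + DIGEST_LEN != len(wire):
            return False, "bad length"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        packet, digest = wire[:length], wire[length:length + DIGEST_LEN]
        expected = hashlib.md5(packet + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False, "bad digest"
        # RFC 2328 D.4.3: sequence numbers must be non-decreasing per neighbour,
        # so a captured packet cannot be replayed later.
        if seq < self.last_seq.get(rid, 0):
            return False, "replayed sequence number"
        self.last_seq[rid] = seq
        return True, "ok"


# Constructed sample values (not from the guide).
ROUTER_ID = bytes([10, 1, 1, 253])
AREA_ID = bytes(4)
HELLO_BODY = bytes.fromhex("ffffff00000a0201000000280a0101fd00000000")

if __name__ == "__main__":
    v = Md5Verifier({1: b"oldkey", 2: b"newkey"})
    print(v.verify(build_md5_packet(ROUTER_ID, AREA_ID, 2, b"newkey", 100, HELLO_BODY)))
    print(b"secret12" in build_simple_packet(ROUTER_ID, AREA_ID, b"secret12", HELLO_BODY))
```

Two things the code makes concrete: the simple password is a literal substring of every packet, and the MD5 scheme is a keyed digest, not encryption, so it proves origin and integrity but a passive observer still sees the whole routing exchange. The sequence number is what stops an attacker from re-injecting a captured Hello or LSA later; a verifier that checked the digest but not the sequence would accept replays.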
Change any of the interface-specific protocol parameters, and then click Apply.
CLI - This example configures the interface parameters for VLAN 1.
Configuring Virtual Links
All OSPF areas must connect to the backbone. If an area does not have a direct physical connection to the backbone, you can configure a virtual link that provides a logical path to the backbone. To connect an isolated area to the backbone, the logical path can cross a single non-backbone area (i.e., transit area) to reach the backbone.
[Figure: isolated area – ABR – virtual link across a normal (transit) area – ABR – backbone]
Note: This router supports up to 64 virtual links.
Web - Click Routing Protocol, OSPF, Virtual Link Configuration. To create a new virtual link, specify the Area ID and Neighbor Router ID, configure the link attributes, and click Add. To modify the settings for an existing link, click the Detail button for the required entry, modify the link settings, and click Set.
CLI - This example configures a virtual link from the ABR adjacent to area 0.0.0.4, through a transit area to the neighbor router 10.1.1.252 at the other end of the link which is adjacent to the backbone.
Console(config-router)#area 0.0.0.0 virtual-link 10.1.1.252
Console(config-router)#
Configuring Network Area Addresses
OSPF protocol broadcast messages (i.e., Link State Advertisements or LSAs) are restricted by area to limit their impact on network performance.
• An area must be assigned a range of subnetwork addresses. This area and the corresponding address range forms a routing interface, and can be configured to aggregate LSAs from all of its subnetwork addresses and exchange this information with other routers in the network (page 3-295).
Command Attributes
• IP Address – Address of the interfaces to add to the area.
• Netmask – Network mask of the address range to add to the area.
other areas in your network, configure an area for all of the other OSPF interfaces, then click Apply.
CLI - This example configures the backbone area and one transit area.
Console(config-router)#network 10.0.0.0 255.0.0.0 area 0.0.0.0
Console(config-router)#network 10.1.1.0 255.255.255.0 area 0.0.0.1
Console(config-router)#end
Console#show ip ospf
Routing Process with ID 10.1.1.253
Supports only single TOS(TOS0) route
Number of area in this router is 4
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 1
SPF algorithm executed 8 times
Area 0.0.0.
• Netmask – Network mask for the summary route.
Note: This router supports up to 16 Type-5 summary routes.
Web - Click Routing Protocol, OSPF, Summary Address Configuration. Specify the base address and network mask, then click Add.
CLI - This example creates a summary address for all routes contained in 192.168.x.x.
Console(config-router)#summary-address 192.168.0.0 255.255.0.
Redistributing External Routes
You can configure this router to import external routing information from other routing protocols into the autonomous system.
[Figure: ASBR router between the OSPF AS and RIP or static routes]
Command Usage
• This router supports redistribution for both RIP and static routes.
• When you redistribute external routes into an OSPF autonomous system (AS), the router automatically becomes an autonomous system boundary router (ASBR).
• Redistribute Metric Type – Indicates the method used to calculate external route costs. (Options: Type 1, Type 2; Default: Type 1)
• Redistribute Metric – Metric assigned to all external routes for the specified protocol. (Range: 1-65535; Default: 10)
Web - Click Routing Protocol, OSPF, Redistribute. Specify the protocol type to import, the metric type and path cost, then click Add.
CLI - This example redistributes routes learned from RIP as Type 1 external routes.
ABR. (For a detailed description of NSSA areas, refer to "Configuring OSPF Areas" on page 3-291.)
Command Attributes
• Area ID – Identifier for a not-so-stubby area (NSSA).
• Default Information Originate – An NSSA ASBR originates and floods Type-7 external LSAs throughout its area for known network destinations outside of the AS.
Web - Click Routing Protocol, OSPF, NSSA Settings. Create a new NSSA or modify the routing behavior for an existing NSSA, and click Apply.
CLI - This example configures area 0.0.0.1 as an NSSA that originates a default route, and sets the cost for the default summary route to 10.
Console(config-router)#area 0.0.0.1 nssa default-information-originate
Console(config-router)#area 0.0.0.
The full database is exchanged between neighboring routers as soon as a new router is discovered. Afterwards, any changes that occur in the routing tables are synchronized with neighboring routers through a process called reliable flooding.
- A Router ID for Router, Network, and Type 4 AS Summary LSAs.
• Self-Originate – Shows LSAs originated by this router.
• LS Type – LSA Type (Options: Type 1-5, 7). See the preceding description.
• Adv Router – IP address of the advertising router. If not entered, information about all advertising routers is displayed.
• Age* – Age of LSA (in seconds).
• Seq* – Sequence number of LSA (used to detect older duplicate LSAs).
• CheckSum* – Checksum of the complete contents of the LSA.
Web - Click Routing Protocol, OSPF, Link State Database Information. Specify parameters for the LSAs you want to display, then click Query.
CLI - The CLI provides a wider selection of display options for viewing the Link State Database. See "show ip ospf database" on page 3-172.
Displaying Information on Border Routers
You can display entries in the local routing table for Area Border Routers (ABR) and Autonomous System Boundary Routers (ASBR) known by this device.
• Type – Router type of the destination; either ABR, ASBR or both.
• Rte Type – Route type; either intra-area or interarea route (INTRA or INTER).
• Area – The area from which this route was learned.
• SPF No – The number of times the shortest path first algorithm has been executed for this route.
Web - Click Routing Protocol, OSPF, Border Router Information.
CLI - This example shows one router that serves as both the ABR for the local area and the ASBR for the autonomous system.
• Priority – Neighbor's router priority.
• State – OSPF state and identification flag.
MULTICAST ROUTING
neighbors.
Console#show ip ospf neighbor
ID               Pri     State             Address
---------------  ------  ----------------  ---------------
10.2.44.5        1       FULL/DR           10.2.44.88
10.2.44.6        2       FULL/BDR          10.2.44.88
Console#
Multicast Routing
This router can route multicast traffic to different subnetworks using either Distance Vector Multicast Routing Protocol (DVMRP) or Protocol-Independent Multicasting - Dense Mode (PIM-DM).
(page 3-324) or PIM (page 3-335), and specify the interfaces that will participate (page 3-329 or 3-336). Note that you can only enable one multicast routing protocol on any given interface.
Web – Click IP, Multicast Routing, General Setting. Set Multicast Forwarding Status to Enabled, and click Apply.
CLI – This example enables multicast routing globally for the router.
Displaying the Multicast Routing Table
You can display information on each multicast route this router has learned via DVMRP or PIM. The router learns multicast routes from neighboring routers, and also advertises these routes to its neighbors. The router stores entries for all paths learned by itself or from other routers, without considering actual group membership or prune messages.
Web – Click IP, Multicast Routing, Multicast Routing Table. Click Detail to display additional information for any entry.
CLI – This example shows that multicast forwarding is enabled. The multicast routing table displays one entry for a multicast source routed by DVMRP, and another source routed via PIM.
Console#show ip mroute
IP Multicast Forwarding is enabled.
IP Multicast Routing Table
Flags: P - Prune, F - Forwarding
(234.5.6.7, 10.1.0.0, 255.255.255.0)
Owner: DVMRP
Upstream Interface: vlan2
Upstream Router: 10.1.0.0
Downstream:
(234.5.6.8, 10.1.5.19, 255.255.255.
looping and determine the shortest path to the source of this multicast traffic.
[Figure: source at the root of the tree, branch routers, leaf networks]
When this router receives the multicast message, it checks its unicast routing table to locate the port that provides the shortest path back to the source.
Command Usage
[Figure: source flooding to potential hosts, source pruning, source grafting]
Broadcasting periodically floods the network with traffic from any active multicast server. If IGMP snooping is disabled, multicast traffic is flooded to all ports on the router. However, if IGMP snooping is enabled, then the first packet for any source group pair is flooded to all DVMRP downstream neighbors.
neighbors are still active members of the multicast tree. (Range: 1-65535 seconds; Default: 10 seconds)
• Neighbor Timeout Interval – Sets the interval to wait for messages from a DVMRP neighbor before declaring it dead. This command is used for timing out routes, and for setting the children and leaf flags. (Range: 1-65535 seconds; Default: 35 seconds)
• Report Interval – Specifies how often to propagate the complete set of routing tables to other neighbor DVMRP routers.
Web – Click Routing Protocol, DVMRP, General Settings. Enable or disable DVMRP. Set the global parameters that control neighbor timeout, the exchange of routing information, or the prune lifetime, and click Apply.
CLI – This example sets the global parameters for DVMRP and displays the current settings.
(page 3-324), and also enable DVMRP for each interface that will participate in multicast routing.
Command Attributes
DVMRP Interface Information
• Interface – VLAN interface on this router that has enabled DVMRP.
• Address – IP address of this VLAN interface.
• Metric – The metric for this interface used to calculate distance vectors.
• Status – Shows that DVMRP is enabled on this interface.
DVMRP Interface Settings
• VLAN – Selects a VLAN interface on this router.
Web – Click Routing Protocol, DVMRP, Interface Settings. Select a VLAN from the drop-down box under DVMRP Interface Settings, modify the Metric if required, set the Status to Enabled or Disabled, and click Apply.
CLI – This example enables DVMRP and sets the metric for VLAN 1.
upstream neighbor.
• Up time – The time since this device last became a DVMRP neighbor to this router.
• Expire – The time remaining before this entry will be aged out.
• Capabilities – A hexadecimal value that indicates the neighbor's capabilities. Each time a probe message is received from a neighbor, the router compares the capabilities bits with the previous version for that neighbor to check for changes in neighbor capabilities. (Refer to DVMRP IETF Draft v3-10 section 3.2.
CLI – This example displays the only neighboring DVMRP router.
Console#show ip dvmrp neighbor
Address          Interface        Uptime    Expire    Capabilities
---------------  ---------------  --------  --------  ------------
10.1.0.254       vlan1            79315     32        6
Console#
Displaying the Routing Table
The router learns source-routed information from neighboring DVMRP routers and also advertises learned routes to its neighbors. The router merely records path information it has learned on its own or from other routers.
• Expire – The time remaining before this entry will be aged out.
Web – Click Routing Protocol, DVMRP, DVMRP Routing Table.
CLI – This example displays known DVMRP routes.
Console#show ip dvmrp route
Source           Mask             Upstream_nbr     Interface  Metric  UpTime  Expire
---------------  ---------------  ---------------  ---------  ------  ------  ------
10.1.0.0         255.255.255.0    10.1.0.253       vlan1      1       84438   0
10.1.1.0         255.255.255.0    10.1.1.253       vlan2      1       84987   0
10.1.8.0         255.255.255.0    10.1.0.
same interface used for routing unicast packets to the multicast source network. If it is not, the router drops the packet and sends a prune message back out the source interface. If it is the same interface used by the unicast protocol, then the router forwards a copy of the packet to all the other interfaces for which it has not already received a prune message for this specific source-group pair.
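The reverse path forwarding check described in the preceding paragraph is built on an ordinary longest-prefix lookup in the unicast routing table whose fields (network, netmask, next hop, protocol, metric) are listed under "Displaying the Routing Table" earlier in this chapter. The following Python is an added example, not part of the SMC guide or the switch firmware: it implements such a table, the RPF decision for an incoming multicast packet, and the dense-mode forwarding decision that honors received prunes. The prefixes, interface names and the pruned set are constructed for illustration, and the tie-break rule (longer prefix first, then lower metric) is a common convention rather than anything the guide states about this switch.

```python
"""Longest-prefix unicast lookup and the multicast RPF check built on it.

Added example, not part of the SMC guide or firmware. The routing table
mirrors the fields of the guide's Routing Table screen (network, netmask,
next hop, protocol, metric); the RPF check is the DVMRP/PIM-DM rule:
accept a multicast packet only if it arrived on the interface the unicast
table uses to reach its source. All prefixes, interface names and the
pruned set are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: str          # "0.0.0.0" for a directly connected network
    interface: str
    protocol: str          # local, static, RIP, OSPF
    metric: int


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, interface, protocol, metric=1):
        net = ipaddress.IPv4Network(prefix, strict=False)
        self.routes.append(Route(net, next_hop, interface, protocol, metric))

    def lookup(self, addr):
        """Longest prefix wins; among equal prefix lengths the lower metric."""
        addr = ipaddress.IPv4Address(addr)
        best = None
        for r in self.routes:
            if addr not in r.network:
                continue
            if (best is None
                    or r.network.prefixlen > best.network.prefixlen
                    or (r.network.prefixlen == best.network.prefixlen
                        and r.metric < best.metric)):
                best = r
        return best


def rpf_check(table, source, arrival_interface):
    """Reverse path forwarding: the packet must arrive on the interface that
    the unicast table would use to send traffic back towards `source`."""
    route = table.lookup(source)
    if route is None:
        return False, "no unicast route to source"
    if route.interface != arrival_interface:
        return False, f"expected on {route.interface}, arrived on {arrival_interface}"
    return True, "ok"


def forward_multicast(table, source, group, arrival_interface, interfaces, pruned):
    """Dense-mode forwarding decision. Returns the outgoing interface set;
    an RPF failure yields an empty set (packet dropped, prune sent upstream)."""
    ok, _ = rpf_check(table, source, arrival_interface)
    if not ok:
        return set()
    return {i for i in interfaces
            if i != arrival_interface and (source, group, i) not in pruned}


def example_table():
    """Constructed table resembling the guide's examples (not from the guide)."""
    t = RoutingTable()
    t.add("10.1.0.0/24", "0.0.0.0", "vlan1", "local", 0)
    t.add("10.1.1.0/24", "0.0.0.0", "vlan2", "local", 0)
    t.add("192.168.1.0/24", "192.168.5.254", "vlan3", "static", 1)
    t.add("192.168.0.0/16", "10.1.1.252", "vlan2", "OSPF", 20)
    t.add("0.0.0.0/0", "10.1.0.254", "vlan1", "OSPF", 10)
    return t


if __name__ == "__main__":
    t = example_table()
    print(rpf_check(t, "10.1.0.5", "vlan1"), rpf_check(t, "10.1.0.5", "vlan2"))
    print(forward_multicast(t, "10.1.0.5", "234.5.6.7", "vlan1",
                            {"vlan1", "vlan2", "vlan3"}, {("10.1.0.5", "234.5.6.7", "vlan3")}))
```

Note that the RPF decision is only as trustworthy as the unicast table it consults: a bogus route injected through unauthenticated RIP or OSPF moves the "expected" interface for a source, which is one more reason to authenticate the unicast routing protocols before enabling multicast routing on the same interfaces.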
CLI – This example enables PIM-DM globally and displays the current status.
Console(config)#router pim
Console#show router pim
Admin Status: Enabled
Console#
Configuring PIM-DM Interface Settings
To fully enable PIM-DM, you need to enable multicast routing globally for the router (page 3-319), enable PIM-DM globally for the router (page 3-335), and also enable PIM-DM for each interface that will participate in multicast routing.
transmitted. Hello messages are sent to neighboring PIM routers from which this device has received probes, and are used to verify whether or not these neighbors are still active members of the multicast tree. (Range: 1-65535 seconds; Default: 30)
• Hello Holdtime – Sets the interval to wait for hello messages from a neighboring PIM router before declaring it dead. Note that the hello holdtime should be 3.5 times the value of Hello Interval.
acknowledgement message is lost, the router that sent the graft message will resend it a maximum number of times as defined by Max Graft Retries. (Range: 1-65535 seconds; Default: 3)
• Max Graft Retries – Configures the maximum number of times to resend a graft message if it has not been acknowledged. (Range: 1-65535; Default: 2)
Web – Click Routing Protocol, PIM-DM, Interface Settings.
CLI – This example sets the PIM-DM protocol parameters for VLAN 2, and displays the current settings.
Web – Click Routing Protocol, PIM-DM, Interface Information.
CLI – This example shows the PIM-DM interface summary for VLAN 1.
Console#show ip pim interface 1
Vlan 1 is up
PIM is enabled, mode is Dense.
Internet address is 10.1.0.253.
Hello time interval is 30 sec, trigger hello time interval is 5 sec.
Hello holdtime is 105 sec.
Join/Prune holdtime is 210 sec.
Graft retry interval is 3 sec, max graft retries is 2.
DR Internet address is 10.1.0.253, neighbor count is 1.
Web – Click Routing Protocol, PIM-DM, Neighbor Information.
CLI – This example displays the only neighboring PIM-DM router.
Console#show ip pim neighbor
Address          VLAN Interface    Uptime    Expire    Mode
---------------  ----------------  --------  --------  ------
10.1.0.
CHAPTER 4 COMMAND LINE INTERFACE
This chapter describes how to use the Command Line Interface (CLI).
Using the Command Line Interface
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the switch's console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
COMMAND LINE INTERFACE
After connecting to the system through the console port, the login screen displays:
User Access Verification
Username: admin
Password:
CLI session with the SMC8612XL3 is opened.
To end the CLI session, enter [Exit].
Console#
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address.
USING THE COMMAND LINE INTERFACE
After you configure the switch with an IP address, you can open a Telnet session by performing these steps.
Note: Telnet carries the user name, the password and the entire management session across the network unencrypted, so anyone able to capture traffic on the path can read the switch's credentials and configuration. Restrict Telnet access to a dedicated management VLAN or known management stations, and use the console port where that is practical.
1. From the remote host, enter the Telnet command and the IP address of the device you want to access.
2. At the prompt, enter the user name and system password.
The CLI will display the "Vty-0#" prompt for the administrator to show that you are using privileged access mode (i.e.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command "show interfaces status ethernet 1/5," show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
ENTERING COMMANDS
Command Completion
If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the "logging history" example, typing log followed by a tab will result in printing the command up to "logging."
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the "?" character to list keywords or parameters.
Showing Commands
If you enter a "?" at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, DHCP, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
The command "show interfaces ?" will display the following information:
Console#show interfaces ?
  counters        Information of interfaces counters
  protocol-vlan   Protocol-vlan information
  status          Information of interfaces status
  switchport      Information of interfaces switchport
Console#
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
console session with the user name and password "admin." The system will now display the "Console#" command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password "super" (page 3-37). Both of these values are the defaults documented in this guide and are therefore known to anyone who reads it; change the admin login password and the privileged level password before the switch is reachable from a production network. To enter Privileged Exec mode, enter the following user names and passwords:
Username: admin
Password: [admin login password]
CLI session with the SMC8612XL3 is opened.
To end the CLI session, enter [Exit].
packet filtering.
• DHCP Configuration - These commands are used to configure the DHCP server.
• Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
• Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
• Router Configuration - These commands configure global settings for unicast and multicast routing protocols.
ENTERING COMMANDS To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
COMMAND LINE INTERFACE Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
COMMAND GROUPS Command Groups The system commands can be broken down into the functional groups shown below.
Command Group               Description                                                                                                                      Page
Address Table               Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time   3-33
Spanning Tree               Configures Spanning Tree settings for the switch                                                                                 3-38
VLANs                       Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs and protocol VLANs   3-54
GVRP and Bridge Extension   Configures GVRP settings that permit automatic VLAN learning; sho
LINE COMMANDS
The access mode shown in the following tables is indicated by these abbreviations:
NE (Normal Exec)
PE (Privileged Exec)
GC (Global Configuration)
LC (Line Configuration)
IC (Interface Configuration)
VC (VLAN Database Configuration)
MST (Multiple Spanning Tree)
ACL (Access Control List Configuration)
DC (DHCP Server Configuration)
RC (Router Configuration)
Line Commands
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
Command      Function                                Mode     Page
disconnect   Terminates a line connection            PE       3-25
show line    Displays a terminal line's parameters   NE, PE   3-26
* These commands only apply to the serial port.
line
This command identifies a specific line for configuration, and to process subsequent line configuration commands.
Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Related Commands
show line (3-26)
show users (3-83)
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
• This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
Example
Console(config-line)#login local
Console(config-line)#
Related Commands
username (3-35)
password (3-18)
password
This command specifies the password for a line. Use the no form to remove the password.
LINE COMMANDS password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.
Example
To set the timeout to two minutes, enter this command:
Console(config-line)#exec-timeout 120
Console(config-line)#
password-thresh
This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line)#password-thresh 5
Console(config-line)#
Related Commands
silent-time (3-21)
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
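The three line protections just described (exec-timeout, password-thresh and silent-time) interact, and it helps to see the resulting state machine in one place. The model below is an added example written for this guide; it is not SMC firmware and the class, method names and the sample timeout values are my own. It simplifies the manual's wording to: after password-thresh failed logons the line is disconnected and, if silent-time is set, refuses new connections for that many seconds; exec-timeout closes an idle session, and a value of 0 disables the timer on the console only, since the manual says the Telnet timeout cannot be disabled.

```python
"""Model of the console/Telnet line protections: exec-timeout,
password-thresh and silent-time. Added illustration, not SMC code; the
behaviour is a simplification of the manual's description."""
from dataclasses import dataclass, field


@dataclass
class LineGuard:
    line: str = "vty"           # "console" or "vty" (Telnet)
    exec_timeout: int = 600     # sample value (not the switch default); 0 = disabled, console only
    password_thresh: int = 3    # failed logons allowed before the line is dropped
    silent_time: int = 0        # seconds the line stays unreachable afterwards; 0 = none
    failed: int = 0
    silent_until: float = 0.0   # clock value until which connections are refused
    last_activity: float = 0.0
    events: list = field(default_factory=list)  # what the switch would log / trap

    def __post_init__(self):
        # The manual: the timeout for Telnet cannot be disabled.
        if self.line == "vty" and self.exec_timeout == 0:
            raise ValueError("exec-timeout cannot be disabled on a vty line")

    def can_connect(self, now: float) -> bool:
        """A connection attempt is refused while the silent timer is running."""
        return now >= self.silent_until

    def record_logon(self, ok: bool, now: float) -> str:
        """Process one logon attempt at clock time `now`.

        Returns "silent" (line unreachable), "accepted", "rejected"
        (wrong password, line still open) or "line-dropped" (threshold
        reached: connection terminated and silent timer started)."""
        if not self.can_connect(now):
            return "silent"
        if ok:
            self.failed = 0
            self.last_activity = now
            return "accepted"
        self.failed += 1
        if self.failed < self.password_thresh:
            return "rejected"
        # Threshold reached: terminate the line, return it to idle and,
        # when silent-time is set, refuse new connections for that long.
        self.failed = 0
        if self.silent_time:
            self.silent_until = now + self.silent_time
        self.events.append(
            f"t={now:.0f} {self.line}: password threshold exceeded, line disconnected")
        return "line-dropped"

    def touch(self, now: float) -> None:
        """Any command entered on the line resets the idle timer."""
        self.last_activity = now

    def idle_expired(self, now: float) -> bool:
        """exec-timeout check: True once the session has been idle long enough."""
        if self.exec_timeout == 0:          # only reachable for the console line
            return False
        return now - self.last_activity >= self.exec_timeout


if __name__ == "__main__":
    guard = LineGuard(line="vty", exec_timeout=120, password_thresh=5, silent_time=30)
    for t in range(5):
        print(t, guard.record_logon(False, t))   # four "rejected", then "line-dropped"
    print(guard.can_connect(10), guard.can_connect(34))  # False True
    print(guard.events)
```

The point for a defender is the combination: password-thresh alone only drops the session, which a script can reopen at once; silent-time is what turns repeated failures into a real delay, and exec-timeout keeps an abandoned authenticated session from staying open.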
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
Syntax
databits {7 | 8}
no databits
• 7 - Seven data bits per character.
• 8 - Eight data bits per character.
Default Setting
8 data bits per character
Command Mode
Line Configuration
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
• none - No parity
• even - Even parity
• odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
speed
This command sets the terminal line’s baud rate. It sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps, or auto)
Default Setting
auto
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port.
Syntax
stopbits {1 | 2}
• 1 - One stop bit
• 2 - Two stop bits
Default Setting
1 stop bit
Command Mode
Line Configuration
Example
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#
disconnect
Use this command to terminate an SSH, Telnet, or console connection.
Syntax
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection.
Related Commands
show ssh (3-55)
show users (3-83)
show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
GENERAL COMMANDS
General Commands
Command        Function                                      Mode     Page
enable         Activates privileged mode                     NE       3-27
disable        Returns to normal mode from privileged mode   PE       3-28
configure      Activates global configuration mode           PE       3-29
show history   Shows the command history buffer              NE, PE   3-29
reload         Restarts the system                           PE       3-30
end            Returns to Privileged Exec mode               any config.
Command Mode
Normal Exec
Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 3-37.)
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Console#disable
Console>
Related Commands
enable (3-27)
configure
This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. See “Understanding Command Modes” on page 4-8.
COMMAND LINE INTERFACE Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
command.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
This command resets the entire system.
Example
This example shows how to reset the switch:
Console#reload
System will be restarted, continue ? y
end
This command returns to Privileged Exec mode.
Default Setting
None
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
exit
This command returns to the previous configuration mode or exits the configuration program.
Default Setting
None
Command Mode
Any
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
quit
This command exits the configuration program.
SYSTEM MANAGEMENT COMMANDS
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
System Management Commands
These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.
Device Designation Commands
Command                Function                                       Mode   Page
prompt                 Customizes the prompt used in PE and NE mode   GC     3-34
hostname               Specifies the host name for the switch         GC     3-34
snmp-server contact    Sets the system contact string                 GC     3-148
snmp-server location   Sets the system location string                GC     3-149
prompt
This command customizes the CLI prompt. Use the no form to restore the default prompt.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#hostname RD#1
Console(config)#
User Access Commands
The basic commands required for management access are listed in this section.
Syntax
username name {access-level level | nopassword | password {0 | 7} password}
no username name
• name - The name of the user. (Maximum length: 8 characters, case sensitive. Maximum users: 16)
• access-level level - Specifies the user level. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
• nopassword - No password is required for this user to log in.
• {0 | 7} - 0 means plain password, 7 means encrypted password.
Example
This example shows how to set the access level and password for a user.
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
COMMAND LINE INTERFACE configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Default Setting
All addresses
Command Mode
Global Configuration
Command Usage
• If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
• IP addresses can be configured for SNMP, web and Telnet access respectively.
• all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
• http-client - Adds IP address(es) to the web group.
• snmp-client - Adds IP address(es) to the SNMP group.
• telnet-client - Adds IP address(es) to the Telnet group.
Command Mode
Global Configuration
Example
Console#show management all-client
Management Ip Filter
Http-Client:
  Start ip address    End ip address
----------------------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.
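To make the management IP filter's semantics concrete (an empty list means the default "all addresses", each service keeps its own list, all-client feeds all three, and a rejected connection produces a log event), the following is an added example that models the filter in Python. It is not the switch's code: the parser reads the "show management" table layout shown above, the sample table and the 10.1.0.x and 172.16.0.x entries are constructed for illustration, and the add_range helper mirrors the keyword list rather than a CLI syntax quoted on this page.

```python
"""Model of the management IP filter (SNMP / web / Telnet client lists).
Added example, not SMC code. The sample 'show management' text below is
constructed to match the layout printed by the switch."""
import ipaddress
import re

GROUPS = ("snmp-client", "http-client", "telnet-client")

# Constructed sample output in the format of "show management all-client".
SAMPLE_SHOW_MANAGEMENT = """\
Management Ip Filter
Http-Client:
  Start ip address    End ip address
----------------------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.30

Snmp-Client:
  Start ip address    End ip address
----------------------------------------------

Telnet-Client:
  Start ip address    End ip address
----------------------------------------------
1. 10.1.0.0           10.1.0.255
"""

ROW = re.compile(r"^\s*\d+\.\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_show_management(text):
    """Return {group: [(start, end), ...]} from the table text."""
    ranges = {g: [] for g in GROUPS}
    current = None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.endswith(":") and head[:-1] in GROUPS:   # "Http-Client:" etc.
            current = head[:-1]
            continue
        m = ROW.match(line)
        if m and current:
            ranges[current].append((ipaddress.ip_address(m.group(1)),
                                    ipaddress.ip_address(m.group(2))))
    return ranges


def add_range(ranges, group, start, end=None):
    """Add a range to one group, or to all three for 'all-client' (a single
    address is a range of one). Assumed helper, not the CLI command."""
    targets = GROUPS if group == "all-client" else (group,)
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end or start)
    if e < s:
        raise ValueError("end address precedes start address")
    for g in targets:
        ranges[g].append((s, e))


def is_permitted(ranges, group, client_ip):
    """Default setting is 'all addresses': an empty list permits everyone;
    otherwise the client must fall inside one configured range."""
    allowed = ranges[group]
    if not allowed:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(start <= ip <= end for start, end in allowed)


def check_access(ranges, group, client_ip):
    """Return (permitted, event). A rejection carries the text that the
    switch would record in the system log and send as a trap."""
    if is_permitted(ranges, group, client_ip):
        return True, None
    return False, f"management access rejected: {client_ip} is not a valid {group} address"


if __name__ == "__main__":
    r = parse_show_management(SAMPLE_SHOW_MANAGEMENT)
    for group, ip in [("http-client", "192.168.1.27"), ("http-client", "192.168.1.31"),
                      ("snmp-client", "203.0.113.5"), ("telnet-client", "10.2.0.7")]:
        print(group, ip, check_access(r, group, ip))
```

Note the asymmetry the model exposes: filling in the web and Telnet lists while leaving the SNMP list empty still leaves SNMP reachable from anywhere, because an empty list is the permissive default rather than a deny-all.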
Web Server Commands
Command                 Function                                                         Mode   Page
ip http port            Specifies the port to be used by the web browser interface       GC     3-41
ip http server          Allows the switch to be monitored or configured from a browser   GC     3-42
ip http secure-server   Enables HTTPS/SSL for encrypted communications                   GC     3-42
ip http secure-port     Specifies the UDP port number for HTTPS/SSL                      GC     3-44
ip http port
This command specifies the TCP port number used by the web browser interface.
ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
Syntax
[no] ip http server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http port (3-41)
ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e.
Command Usage
• Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port.
• If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]
• When you start HTTPS, the connection is established in this way:
  - The client authenticates the server using the server’s digital certificate.
copy tftp https-certificate (3-85)
ip http secure-port
This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip http secure-port
port_number – The UDP port used for HTTPS/SSL. (Range: 1-65535)
Default Setting
443
Command Mode
Global Configuration
Command Usage
• You cannot configure the HTTP and HTTPS servers to use the same port.
Secure Shell Commands
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks. The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools.
Command                           Function                                                                                                Mode   Page
ip ssh crypto host-key generate   Generates the host key                                                                                  PE     3-52
ip ssh crypto zeroize             Clears the host key from RAM                                                                            PE     3-53
ip ssh save host-key              Saves the host key from RAM to flash memory                                                             PE     3-54
disconnect                        Terminates a line connection                                                                            PE     3-25
show ip ssh                       Displays the status of the SSH server and the configured values for authentication timeout and retries   PE     3-54
show ssh                          Displays the status of current SSH sessions                                                             PE     3-55
show publ
SYSTEM MANAGEMENT COMMANDS known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example: 10.1.0.
c. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
d. The client uses its private key to decrypt the bytes, and sends the decrypted bytes back to the switch.
e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
Related Commands
ip ssh crypto host-key generate (3-52)
show ssh (3-55)
ip ssh timeout
Use this command to configure the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation.
Example
Console(config)#ip ssh timeout 60
Console(config)#
Related Commands
exec-timeout (3-19)
show ip ssh (3-54)
ip ssh authentication-retries
Use this command to configure the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset.
ip ssh server-key size
Use this command to set the SSH server key size. Use the no form to restore the default setting.
Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of the server key. (Range: 512-896 bits)
Default Setting
768 bits
Command Mode
Global Configuration
Command Usage
• The server key is a private key that is never shared outside the switch.
• The host key is shared with the SSH client, and is fixed at 1024 bits.
Command Mode
Privileged Exec
Example
Console#delete public-key admin dsa
Console#
ip ssh crypto host-key generate
Use this command to generate the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
• This command stores the host key pair in memory (i.e., RAM).
Related Commands
ip ssh crypto zeroize (3-53)
ip ssh save host-key (3-54)
ip ssh crypto zeroize
Use this command to clear the host key from memory (i.e., RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
Default Setting
Clears both the DSA and RSA keys.
Command Mode
Privileged Exec
Command Usage
• This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
ip ssh save host-key
Use this command to save the host key from RAM to flash memory.
Syntax
ip ssh save host-key [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
Default Setting
Saves both the DSA and RSA keys.
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key dsa
Console#
Related Commands
ip ssh crypto host-key generate (3-52)
show ip ssh
Use this command to display the connection settings used when authenticating client access to the SSH server.
show ssh
Use this command to display the current SSH server connections.
Command Mode
Privileged Exec
Example
Console#show ssh
Connection   Version   State             Username   Encryption
0            2.0       Session-Started   admin      ctos aes128-cbc-hmac-md5
                                                    stoc aes128-cbc-hmac-md5
Console#
Field      Description
Session    The session number. (Range: 0-3)
Version    The Secure Shell version number.
State      The authentication negotiation state.
COMMAND LINE INTERFACE Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.
Command Mode
Privileged Exec
Command Usage
• If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
• When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus.
Event Logging Commands
Command            Function                                                                  Mode   Page
logging on         Controls logging of error messages                                        GC     3-58
logging history    Limits syslog messages saved to switch memory based on severity           GC     3-59
logging host       Adds a syslog server host IP address that will receive logging messages   GC     3-60
logging facility   Sets the facility type for remote logging of syslog messages              GC     3-61
logging trap       Limits syslog messages saved to a remote server based on severity         GC     3-62
clear logg
Example
Console(config)#logging on
Console(config)#
Related Commands
logging history (3-59)
clear logging (3-62)
logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e.
• level - One of the level arguments listed below. Messages sent include the selected level down to level 0. (Range: 0-7)
Level Argument   Level   Description
debugging        7       Debugging messages
informational    6       Informational messages only
notifications    5       Normal but significant condition, such as cold start
warnings         4       Warning conditions (e.g., return false, unexpected return)
errors           3       Error conditions (e.g.
Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• By using this command more than once you can build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#
logging facility
This command sets the facility type for remote logging of syslog messages.
Command Usage
The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) The facility type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
Example
Console(config)#logging facility 19
Console(config)#
logging trap
This command limits syslog messages saved to a remote server based on severity.
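The severity rule shared by logging history, logging trap and logging sendmail level ("messages sent include the selected level down to level 0") and the facility tag from logging facility both end up in the RFC 3164 PRI field that a syslog server sorts on. The following added example shows that arithmetic and the threshold check; it is not switch code. The names for levels 7 down to 3 are the ones in the table above, levels 2 to 0 are taken from RFC 3164 (the rows are cut off on this page), and the event list is constructed for illustration.

```python
"""Syslog severity threshold and RFC 3164 PRI encoding, as an added
illustration of the logging history / logging trap / logging facility
commands. Not SMC code."""

# Level names 7..3 are from the manual's table; 2..0 follow RFC 3164.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


def level_number(level):
    """Accept a level keyword or a number 0-7, as the CLI argument does."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError(f"severity out of range: {level}")
        return level
    return LEVELS[level.lower()]


def should_log(configured, severity):
    """Threshold rule: a message is kept when its severity number is at or
    below the configured level (lower number = more severe)."""
    return level_number(severity) <= level_number(configured)


def facility_name(facility):
    """RFC 3164 facility codes 16-23 are 'local use 0' .. 'local use 7',
    which is how 'show logging trap' prints them."""
    if 16 <= facility <= 23:
        return f"local use {facility - 16}"
    return f"facility {facility}"


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility out of range: {facility}")
    return facility * 8 + level_number(severity)


def format_syslog(facility, severity, text):
    """Wrap a message in the <PRI> header a remote syslog server parses."""
    return f"<{pri(facility, severity)}>{text}"


def decode_pri(message):
    """Split '<155>text' into (facility, severity, text)."""
    if not message.startswith("<") or ">" not in message:
        raise ValueError("message has no PRI header")
    end = message.index(">")
    value = int(message[1:end])
    return value // 8, value % 8, message[end + 1:]


def filter_events(events, configured):
    """Apply a configured threshold to (severity, text) events."""
    return [text for severity, text in events if should_log(configured, severity)]


# Constructed sample events, in the spirit of the show logging output above.
SAMPLE_EVENTS = [
    ("errors", "PRI_MGR_InitDefault function fails."),
    ("notifications", "cold start"),
    ("debugging", "poll timer fired"),
]

if __name__ == "__main__":
    print(facility_name(19), pri(19, "errors"))        # local use 3 155
    print(format_syslog(19, "errors", SAMPLE_EVENTS[0][1]))
    print(filter_events(SAMPLE_EVENTS, "errors"))       # only the error
    print(decode_pri("<191>debug text"))                # (23, 7, 'debug text')
```

Two consequences worth checking on a real deployment: "logging trap" at level 7 forwards everything including debug chatter to the remote server, and because the facility is a tag rather than a filter, two switches set to the same facility are only distinguishable on the server by their source address or hostname.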
Syntax
clear logging [flash | ram]
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Default Setting
Flash and RAM
Command Mode
Privileged Exec
Example
Console#clear logging
Console#
Related Commands
show logging (3-63)
show logging
This command displays the logging configuration, along with any system and event messages stored in memory.
Default Setting
None
Command Mode
Privileged Exec
Example
The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is “debugging” (i.e., default level 7 - 0), and lists one sample error.
Console#show logging flash
Syslog logging: Enable
History logging in FLASH: level errors
[0] 0:0:5 1/1/1
    "PRI_MGR_InitDefault function fails."
    level: 3, module: 13, function: 0, and event no.
The following example displays settings for the trap function.
Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.
Command                              Function                                                Mode     Page
logging sendmail source-email        Email address used for “From” field of alert messages   GC       3-68
logging sendmail destination-email   Email recipients of alert messages                      GC       3-68
logging sendmail                     Enables SMTP event handling                             GC       3-69
show logging sendmail                Displays SMTP event handler settings                    NE, PE   3-70
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
triggered if the switch cannot successfully open a connection.)
Example
Console(config)#logging sendmail host 192.168.1.19
Console(config)#
logging sendmail level
This command sets the severity threshold used to trigger alert messages.
Syntax
logging sendmail level level
level - One of the system message levels (page 3-59). Messages sent include the selected level down to level 0.
logging sendmail source-email
This command sets the email address used for the “From” field in alert messages.
Syntax
logging sendmail source-email email-address
email-address - The source email address used in alert messages. (Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Default Setting
None
Command Mode
Global Configuration
Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#
logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
----------------------------------------------
192.168.1.19
SMTP minimum severity level: 7
SMTP destination email addresses
----------------------------------------------
ted@this-company.com
SMTP source email address: bill@this-company.
Command         Function                                     Mode     Page
calendar set    Sets the system date and time                PE       3-76
show calendar   Displays the current date and time setting   NE, PE   3-77
sntp client
This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current time: Dec 23 02:52:44 2002
Poll interval: 60
Current mode: unicast
Console#
Related Commands
sntp server (3-72)
sntp poll (3-73)
sntp broadcast client (3-74)
show sntp (3-75)
sntp server
This command sets the IP address of the servers to which SNTP time requests are issued.
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.
Example
Console(config)#sntp poll 60
Console#
Related Commands
sntp client (3-71)
sntp broadcast client
This command synchronizes the switch’s clock based on time broadcast from time servers (using the multicast address 224.0.1.1). Use the no form to disable SNTP broadcast client mode.
SYSTEM MANAGEMENT COMMANDS show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests (when the switch is set to SNTP client mode), and the current SNTP mode (i.e., client or broadcast).
COMMAND LINE INTERFACE Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Command Mode
Privileged Exec
Example
This example shows how to set the system clock to 15:12:34, February 1st, 2002.
Console#calendar set 15:12:34 1 February 2002
Console#
show calendar
This command displays the system clock.
System Status Commands
Command               Function                                                                                                       Mode     Page
show startup-config   Displays the contents of the configuration file (stored in flash memory) that is used to start up the system    PE       3-78
show running-config   Displays the configuration data currently in use                                                               PE       3-79
show system           Displays system information                                                                                    NE, PE   3-82
show users            Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients   NE, PE   3-83
show version          Displays
- VLAN database (VLAN ID, name and state)
- VLAN configuration settings for each interface
- Multiple spanning tree instances (name and interfaces)
- IP address configured for VLANs
- Routing protocol configuration settings
- Spanning tree settings
- Any configured settings for the console port and Telnet
Example
Console#show startup-config
building startup-config, please wait.....
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Example
Console#show running-config
building running-config, please wait.....
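The usage note above suggests comparing running-config with startup-config; doing that by eye on a switch with many interfaces is error-prone, and a structured comparison also doubles as a drift check for changes nobody saved or nobody authorised. The following is an added example, not SMC code: it parses the "!"-separated mode groups the manual describes into blocks keyed by their mode command and reports blocks and lines that differ. The two sample configurations are constructed to illustrate the format and are not captured from a switch.

```python
"""Compare a saved startup-config with the running-config to find unsaved
or unexpected changes. Added example, not SMC code. The config samples are
constructed in the '!'-separated block layout the manual describes."""

# Constructed sample: what was saved to flash.
STARTUP_CONFIG = """\
!
hostname RD#1
!
interface ethernet 1/1
 switchport allowed vlan add 1 untagged
!
line console
 exec-timeout 600
!
"""

# Constructed sample: what is currently running (one line added, one mode
# group replaced by another).
RUNNING_CONFIG = """\
!
hostname RD#1
!
interface ethernet 1/1
 switchport allowed vlan add 1 untagged
 shutdown
!
line vty
 exec-timeout 600
!
"""


def parse_config(text):
    """Return {mode command: [sub-commands]}.

    A '!' line (or a blank line) ends the current block; the first line
    after it is the configuration mode command, the indented lines that
    follow are the commands entered in that mode."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip() == "!" or not line.strip():
            current = None
            continue
        if current is None:
            current = line.strip()
            blocks.setdefault(current, [])
        else:
            blocks[current].append(line.strip())
    return blocks


def config_drift(startup_text, running_text):
    """Report mode groups present in only one config and, for groups in
    both, the sub-command lines that were added or removed."""
    saved, running = parse_config(startup_text), parse_config(running_text)
    report = {
        "added_blocks": sorted(set(running) - set(saved)),
        "removed_blocks": sorted(set(saved) - set(running)),
        "changed": {},
    }
    for name in sorted(set(saved) & set(running)):
        removed = [l for l in saved[name] if l not in running[name]]
        added = [l for l in running[name] if l not in saved[name]]
        if removed or added:
            report["changed"][name] = {"removed": removed, "added": added}
    return report


def has_drift(report):
    return bool(report["added_blocks"] or report["removed_blocks"] or report["changed"])


if __name__ == "__main__":
    drift = config_drift(STARTUP_CONFIG, RUNNING_CONFIG)
    print("drift detected:", has_drift(drift))
    for key, value in drift.items():
        print(f"{key}: {value}")
```

Run this against the two outputs pasted from the console (strip the "building ... please wait" banner first) and a clean result means a reload will come back with the configuration you are looking at; anything in the report is either work that still needs "copy running-config startup-config" or a change that needs explaining.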
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 3-14.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
Example
Console#show system
System description: SMC Networks SMC8612XL3
System OID string: 1.3.6.1.4.1.202.20.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Command Usage
See “Displaying Switch Hardware/Software Versions” on page 3-16 for detailed information on the items displayed by this command.
Example
Console#show version
Unit1
 Serial number          : A322043872
 Hardware version       : R01
 Number of ports        : 12
 Main power status      : up
 Redundant power status : down
 Agent (master)
 Unit ID                : 1
 Loader version         : 2.0.2.3
 Boot ROM version       : 2.0.2.1
 Operation code version : 2.2.3.
Console#
FLASH/FILE COMMANDS to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields. • To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size.
success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.
Syntax
copy file {file | running-config | startup-config | tftp}
copy running-config {file | startup-config | tftp}
copy startup-config {file | running-config | tftp}
copy tftp {file | running-config | startup-config | https-certificate}
• file - Keyword that allows you to copy to/from a file.
FLASH/FILE COMMANDS the factory default configuration file, but you cannot use it as the destination. • To replace the startup configuration, you must use startup-config as the destination. • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must use a direct console connection and access the download menu during a boot up to download the Boot ROM (or diagnostic) image. See “Upgrading Firmware via the Serial Port” on page B-1 for more details.
COMMAND LINE INTERFACE The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from an TFTP server. It then reboots the switch to activate the certificate: Console#copy tftp https-certificate TFTP server ip address: 10.1.
FLASH/FILE COMMANDS • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands dir (3-89) dir This command displays a list of files in flash memory. Syntax dir [boot-rom | config | opcode [:filename]] The type of file or image to display includes: • • • • boot-rom - Boot ROM (or diagnostic) image file. config - Switch configuration file.
COMMAND LINE INTERFACE • File information is shown below: Column Heading Description file name The name of the file. file type File types: Boot-Rom, Operation Code, and Config file. startup Shows if this file is used when the system is started. size The length of the file in bytes.
FLASH/FILE COMMANDS Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot file name file type startup size (byte) ----------------- -------------- ------- ----------diag_0060 Boot-Rom image Y 111360 run_0200 Operation Code Y 1083008 startup Config File Y 2710 Console# boot system This command specifies the file or image used to start up the system.
COMMAND LINE INTERFACE Example Console(config)#boot system config: startup Console(config)# Related Commands dir (3-89) whichboot (3-90) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1x.
AUTHENTICATION COMMANDS

Authentication Sequence
Command               Function                                            Mode  Page
authentication login  Defines logon authentication method and precedence  GC    3-93

authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.
Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
• local - Use local password.
• radius - Use RADIUS server password.
• tacacs - Use TACACS server password.

password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked.
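The precedence described above has a property worth checking before relying on it: the next method is consulted only when the previous server does not answer, not when it rejects the user. The following model is an added example and is not code from the guide or from SMC; the server objects are constructed stand-ins for real RADIUS, TACACS+ and local password checks, and the result strings "accept", "reject" and "unavailable" are this example's own names.

```python
"""Added example: model the fall-through of `authentication login radius tacacs
local`.  A method that answers (accept or reject) ends the sequence; only an
unreachable server lets the next method be tried."""
from typing import Callable, Dict, List, Optional, Tuple

# One method returns "accept", "reject" or "unavailable" (no reply at all).
Method = Callable[[str, str], str]


def make_server(users: Optional[Dict[str, str]], available: bool = True) -> Method:
    """Build a stand-in authentication method from a user table (constructed
    data).  available=False simulates a server that times out."""
    table = users or {}

    def check(user: str, password: str) -> str:
        if not available:
            return "unavailable"
        return "accept" if table.get(user) == password else "reject"

    return check


def authenticate(user: str, password: str,
                 methods: List[Tuple[str, Method]]) -> Tuple[str, str]:
    """Walk the configured method list in precedence order.

    Returns (method_name, result).  A "reject" stops the walk, so a weaker
    local password cannot be used while a configured server is reachable."""
    last = ("none", "unavailable")
    for name, method in methods:
        result = method(user, password)
        last = (name, result)
        if result != "unavailable":
            return last
    return last           # every server was down; local is always "available"


# Constructed credentials: RADIUS is down, TACACS+ is up, local is the fallback.
radius = make_server({"admin": "r4dius-pw"}, available=False)
tacacs = make_server({"admin": "t4cacs-pw"})
local = make_server({"admin": "local-pw"})
SEQUENCE = [("radius", radius), ("tacacs", tacacs), ("local", local)]

if __name__ == "__main__":
    print(authenticate("admin", "t4cacs-pw", SEQUENCE))   # ('tacacs', 'accept')
    print(authenticate("admin", "local-pw", SEQUENCE))    # ('tacacs', 'reject')
```

The second call is the case to remember when troubleshooting: with TACACS+ reachable, the local password is never consulted, so a rejected login there is not a sign that the local account is broken.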
radius-server host
This command specifies the RADIUS server. Use the no form to restore the default.
Syntax
radius-server host host_ip_address
no radius-server host
host_ip_address - IP address of server.
Default Setting
10.1.0.1
Command Mode
Global Configuration
Example
Console(config)#radius-server host 192.168.1.25
Console(config)#

radius-server port
This command sets the RADIUS server network port. Use the no form to restore the default.

Example
Console(config)#radius-server port 181
Console(config)#

radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
Syntax
radius-server key key_string
no radius-server key
key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.

Default Setting
2
Command Mode
Global Configuration
Example
Console(config)#radius-server retransmit 5
Console(config)#

radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number_of_seconds
no radius-server timeout
number_of_seconds - Number of seconds the switch waits for a reply before resending a request.

Command Mode
Privileged Exec
Example
Console#show radius-server
Server IP address: 10.1.0.1
Communication key with radius server:
Server port number: 1812
Retransmit times: 2
Request timeout: 5
Console#

TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.

Default Setting
10.11.12.13
Command Mode
Global Configuration
Example
Console(config)#tacacs-server host 192.168.1.25
Console(config)#

tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port_number
no tacacs-server port
port_number - TACACS+ server TCP port used for authentication messages.

Syntax
tacacs-server key key_string
no tacacs-server key
key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 20 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#tacacs-server key green
Console(config)#

show tacacs-server
This command displays the current settings for the TACACS+ server.

Port Security Commands
These commands can be used to disable the learning function or manually specify secure addresses for a port. You may want to leave port security off for an initial training period (i.e., enable the learning function) to register all the current VLAN members on the selected port, and then enable port security to ensure that the port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port.

Default Setting
Status: Disabled
Action: None
Maximum Addresses: 0
Command Mode
Interface Configuration (Ethernet)
Command Usage
• If you enable port security, the switch will stop dynamically learning new addresses on the specified port. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.

Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
shutdown (3-9)
mac-address-table static (3-34)
show mac-address-table (3-35)
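The training-period workflow above (learn first, then lock the port) is easy to get wrong in the order of operations, so here is a small model of it. This is an added example, not the switch's firmware or any SMC code: the Switch class, its method names and the frames fed to it are constructed for illustration, the "trap" action is modelled as a message appended to a list, and only the "none" and "trap" actions are represented.

```python
"""Added example: port security as described in the guide.  While a port is
unsecured, source MACs are learned into the address table.  Once `port
security` is enabled on it, learning stops and a frame is dropped when its
source MAC is unknown or was learned on a different port."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Switch:
    # MAC address -> port it was learned (or statically configured) on
    mac_table: Dict[str, int] = field(default_factory=dict)
    secured: Dict[int, str] = field(default_factory=dict)   # port -> action
    traps: List[str] = field(default_factory=list)          # stand-in for SNMP traps

    def port_security(self, port: int, action: str = "none") -> None:
        """Equivalent of `port security action <action>` on an interface."""
        self.secured[port] = action

    def mac_address_static(self, mac: str, port: int) -> None:
        """Equivalent of `mac-address-table static`: pre-authorise an address."""
        self.mac_table[mac] = port

    def ingress(self, port: int, src_mac: str) -> Tuple[str, Optional[str]]:
        """Process one incoming frame; returns (verdict, trap message or None)."""
        if port not in self.secured:
            # Training period: learning is on and every frame is accepted.
            self.mac_table[src_mac] = port
            return ("accept", None)
        learned_on = self.mac_table.get(src_mac)
        if learned_on == port:
            return ("accept", None)
        reason = "unknown" if learned_on is None else f"learned on port {learned_on}"
        msg = None
        if self.secured[port] == "trap":
            msg = f"port security violation on port {port}: {src_mac} ({reason})"
            self.traps.append(msg)
        return ("drop", msg)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed scenario: train port 5, lock it, then replay three frames."""
    sw = Switch()
    sw.ingress(5, "00-e0-29-94-34-de")     # legitimate hosts register during training
    sw.ingress(5, "00-11-11-11-11-11")
    sw.ingress(6, "00-22-22-22-22-22")     # a host that belongs on port 6
    sw.port_security(5, action="trap")    # end of training period
    return [
        sw.ingress(5, "00-e0-29-94-34-de"),   # known on port 5      -> accept
        sw.ingress(5, "00-33-33-33-33-33"),   # never seen           -> drop + trap
        sw.ingress(5, "00-22-22-22-22-22"),   # learned on port 6    -> drop + trap
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third frame is the case the guide's wording covers with "previously learned from another port": the address is in the table, but not for this port, so it is still a violation. Which traps actually fire depends on the action configured per port; the model only records them for the "trap" action.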
802.1x Port Authentication
The switch supports IEEE 802.1x (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).

Syntax
authentication dot1x default radius
no authentication dot1x
Default Setting
RADIUS
Command Mode
Global Configuration
Example
Console(config)#authentication dot1x default radius
Console(config)#

dot1x default
This command sets all configurable dot1x global and port settings to their default values.

count – The maximum number of requests (Range: 1-10)
Default
2
Command Mode
Global Configuration
Example
Console(config)#dot1x max-req 2
Console(config)#

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
• auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.

dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Syntax
dot1x operation-mode {single-host | multi-host [max-count count]}
no dot1x operation-mode [multi-host max-count]
• single-host – Allows only a single host to connect to this port.

 - unit - This is device 1.
 - port - Port number.
Command Mode
Privileged Exec
Example
Console#dot1x re-authenticate
Console#

dot1x re-authentication
This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication.

Command Mode
Global Configuration
Example
Console(config)#dot1x timeout quiet-period 350
Console(config)#

dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.

Default
30 seconds
Command Mode
Global Configuration
Example
Console(config)#dot1x timeout tx-period 300
Console(config)#

show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
interface
• ethernet unit/port
 - unit - This is device 1.
 - port - Port number.
Command Mode
Privileged Exec
Command Usage
This command displays the following information:
• Global 802.

following global parameters which are set to a fixed value, including the following items:
 - supp-timeout – Supplicant timeout.
 - server-timeout – Server timeout.
 - reauth-max – Maximum number of reauthentication attempts.
• 802.1X Port Summary – Displays the port access control parameters for each interface, including the following items:
 - Status – Administrative state for port access control.
 - Mode – Dot1x port control mode (page 3-106).

 - State – Current state (including initialize, reauthenticate).
Example
Console#show dot1x
Global 802.1X Parameters
 reauth-enabled: no
 reauth-period:  3600
 quiet-period:   60
 tx-period:      30
 supp-timeout:   30
 server-timeout: 10
 reauth-max:     2
 max-req:        2

802.1X Port Summary
Port Name  Status    Mode             Authorized
1          disabled  ForceAuthorized  n/a
2          disabled  ForceAuthorized  n/a
. . .
11         disabled  ForceAuthorized  yes
12         enabled   Auto             yes

802.1X Port Details
802.1X is disabled on port 1
. . .
802.
ACCESS CONTROL LIST COMMANDS

Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.

to an interface – Ingress IP ACL, Egress IP ACL, Ingress MAC ACL and Egress MAC ACL.
• When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.
• Each ACL can have up to 32 rules. The maximum number of ACLs is also 32. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.

IP ACL, Egress IP ACL, Ingress MAC ACL or Egress MAC ACL), but a mask can be bound to up to four ACLs of the same type.

Command               Function                                                                                   Mode  Page
show map access-list ip  Shows CoS value mapped to an access list for an interface                                  PE    3-129
match access-list ip  Changes the 802.1p priority, IP Precedence, or DSCP Priority of a frame matching the defined rule (i.e., also called packet marking)  IC  3-130
show marking          Displays the current configuration for packet marking                                      PE    3-131

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IP ACLs.

• To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
• An ACL can contain up to 32 rules.
Example
Console(config)#access-list ip standard david
Console(config-std-acl)#
Related Commands
permit, deny (3-117)
ip access-group (3-127)
show ip access-list (3-121)

permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source.

to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Example
This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.

• protocol-number – A specific protocol number. (Range: 0-255)
• source – Source IP address.
• destination – Destination IP address.
• address-bitmask – Decimal number representing the address bits to match.
• host – Keyword followed by a specific IP address.
• precedence – IP precedence level. (Range: 0-7)
• tos – Type of Service level. (Range: 0-15)
• dscp – DSCP priority level. (Range: 0-64)
• sport – Protocol* source port number.

• The control-code bitmask is a decimal number (representing an equivalent bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.

This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any tcp control-code 2 2
Console(config-ext-acl)#
Related Commands
access-list ip (3-116)

show ip access-list
This command displays the rules for configured IP ACLs.
Syntax
show ip access-list {standard | extended} [acl_name]
• standard – Specifies a standard IP ACL.
• extended – Specifies an extended IP ACL.

Syntax
[no] access-list ip mask-precedence {in | out}
• in – Ingress mask for ingress ACLs.
• out – Egress mask for egress ACLs.
Default Setting
Default system mask: Filter inbound packets according to specified IP ACLs.
Command Mode
Global Configuration
Command Usage
• A mask can only be used by all ingress ACLs or all egress ACLs.
• The precedence of the ACL rules applied to a packet is not determined by order of the rules, but instead by the order of the masks; i.e.

Syntax
[no] mask [protocol] {any | host | source-bitmask} {any | host | destination-bitmask} [precedence] [tos] [dscp] [source-port [port-bitmask]] [destination-port [port-bitmask]] [control-flag [flag-bitmask]]
• protocol – Check the protocol field.
• any – Any address will be matched.
• host – The address must be for a host device, not a subnetwork.
• source-bitmask – Source address of rule must match this bitmask.

• First create the required ACLs and ingress or egress masks before mapping an ACL to an interface.
• If you enter dscp, you cannot enter tos or precedence. You can enter both tos and precedence without dscp.
• Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes.
Example
This example creates an IP ingress mask with two rules.

This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others.
Console(config)#access-list ip standard A2
Console(config-std-acl)#permit any
Console(config-std-acl)#deny host 171.69.198.102
Console(config-std-acl)#end
Console#show access-list
IP standard access-list A2:
 deny host 171.69.198.

This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
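Three points in the IP ACL material above are worth seeing in executable form: the address bitmask test (1 bits match, 0 bits ignore), the TCP control-code test (`control-code 2 2` means "the SYN bit must be set"), and the fact that a bound ACL is searched in the order of its masks rather than the order in which the rules were typed, which is what makes the deny-SYN-first example work. The model below is an added example and not the switch's own implementation or any SMC code. Its assumptions: both the rule address and the packet address are ANDed with the bitmask before comparison (the usual implementation of the wording above); a rule is ordered by the first mask whose checked fields equal the rule's own, with uncovered rules last and entry order breaking ties; the bitmask 255.255.240.0 for the 168.92.16.x – 168.92.31.x range is supplied here because the guide's value is cut off in this copy; all packets and rule sets are constructed.

```python
"""Added example: bitmask, control-code and mask-precedence evaluation for IP
ACLs as the SMC guide describes them (precedence model is an assumption)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TCP_SYN = 2   # TCP control code bits: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class AddrSpec:
    kind: str                      # "any", "host" or "bitmask"
    addr: int = 0
    bitmask: int = 0xFFFFFFFF      # 1 bits = match, 0 bits = ignore

    def matches(self, packet_addr: int) -> bool:
        if self.kind == "any":
            return True
        return (packet_addr & self.bitmask) == (self.addr & self.bitmask)


ANY = AddrSpec("any")


def host(addr: str) -> AddrSpec:
    return AddrSpec("host", ip2int(addr))


def net(addr: str, bitmask: str) -> AddrSpec:
    return AddrSpec("bitmask", ip2int(addr), ip2int(bitmask))


@dataclass(frozen=True)
class Rule:
    action: str                                      # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec = ANY
    protocol: Optional[str] = None                   # "tcp", "udp", ...; None = any
    control_code: Optional[Tuple[int, int]] = None   # (code, code-bitmask)

    def fields(self) -> FrozenSet[str]:
        """The header fields this rule checks; used to pair it with a mask."""
        f = {f"src:{self.src.kind}", f"dst:{self.dst.kind}"}
        if self.protocol is not None:
            f.add("protocol")
        if self.control_code is not None:
            f.add("control-flag")
        return frozenset(f)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    tcp_flags: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.src.matches(ip2int(pkt.src)) or not rule.dst.matches(ip2int(pkt.dst)):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.control_code is not None:
        code, code_mask = rule.control_code      # bit set in code_mask => must match
        if (pkt.tcp_flags & code_mask) != (code & code_mask):
            return False
    return True


Mask = FrozenSet[str]   # e.g. frozenset({"src:any", "dst:any", "control-flag"})


def ordered(rules: List[Rule], masks: List[Mask]) -> List[Rule]:
    """Assumed precedence: rules sorted by the first mask covering them; rules
    no mask covers, or all rules when there are no masks, keep entry order."""
    def precedence(rule: Rule) -> int:
        fields = rule.fields()
        return next((i for i, m in enumerate(masks) if m == fields), len(masks))
    return sorted(rules, key=precedence)    # sorted() is stable


def evaluate(rules: List[Rule], masks: List[Mask], pkt: Packet) -> Optional[str]:
    """First matching rule wins; None means no rule matched."""
    for rule in ordered(rules, masks):
        if rule_matches(rule, pkt):
            return rule.action
    return None


# Standard ACL from the guide's example (bitmask value is our assumption).
STD_RULES = [Rule("permit", host("10.1.1.21")),
             Rule("permit", net("168.92.16.0", "255.255.240.0"))]

# The "more comprehensive example": permit everything, deny TCP with SYN set,
# and a mask order that makes the deny rule be checked first.
SYN_RULES = [Rule("permit", ANY),
             Rule("deny", ANY, ANY, "tcp", (TCP_SYN, TCP_SYN))]
SYN_MASKS = [frozenset({"src:any", "dst:any", "protocol", "control-flag"}),
             frozenset({"src:any", "dst:any"})]

if __name__ == "__main__":
    syn = Packet("10.0.0.5", "10.1.1.1", "tcp", tcp_flags=TCP_SYN)
    print(evaluate(SYN_RULES, SYN_MASKS, syn))   # deny   (mask order)
    print(evaluate(SYN_RULES, [], syn))          # permit (entry order)
```

Running the two prints side by side shows why the guide insists on creating the mask before binding the ACL: with the rules in entry order the `permit any` shadows the deny rule completely, and the SYN filter silently does nothing.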
Command Mode
Privileged Exec
Example
Console#show access-list ip mask-precedence
IP ingress mask ACL:
 mask host any
 mask 255.255.255.0 any
Console#
Related Commands
mask (IP ACL) (3-122)

ip access-group
This command binds a port to an IP ACL. Use the no form to remove the port.
Syntax
[no] ip access-group acl_name {in | out}
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.

Example
Console(config)#int eth 1/2
Console(config-if)#ip access-group standard david in
Console(config-if)#
Related Commands
show ip access-list (3-121)

show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
 IP standard access-list david
Console#
Related Commands
ip access-group (3-127)

map access-list ip
This command sets the output queue for packets matching an ACL rule.

Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• You must configure an ACL mask before you can map CoS values to the rule.
• A packet matching a rule within the specified ACL is mapped to one of the output queues as shown in the following table. For information on mapping the CoS values to output queues, see queue cos-map on page 3-81.

• ethernet unit/port
 - unit - This is device 1.
 - port - Port number.
Command Mode
Privileged Exec
Example
Console#show map access-list ip
Access-list to COS of Eth 1/4
 Access-list ALS1 cos 0
Console#
Related Commands
map access-list ip (3-128)

match access-list ip
This command changes the IEEE 802.1p priority, IP Precedence, or DSCP Priority of a frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.

Command Mode
Interface Configuration (Ethernet)
Command Usage
• You must configure an ACL mask before you can change frame priorities based on an ACL rule.
• Traffic priorities may be included in the IEEE 802.1p priority tag. This tag is also incorporated as part of the overall IEEE 802.1Q VLAN tag. To specify this priority, use the set priority keywords.
• The IP frame header also includes priority bits in the Type of Service (ToS) octet.

Example
Console#show marking
Interface ethernet 1/12
 match access-list IP bill set DSCP 0
 match access-list MAC a set priority 0
Console#
Related Commands
match access-list ip (3-130)

MAC ACLs
Command                        Function                                                                               Mode     Page
access-list mac                Creates a MAC ACL and enters configuration mode                                        GC       3-133
permit, deny                   Filters packets matching a specified source and destination address, packet format, and Ethernet type  MAC-ACL  3-134
show mac access-list           Displays the rules for configured MAC ACLs                                             PE       3-136
access-list mac mask-precedence  Changes to the mode for configuring access control masks                             GC       3-137
mask                           Sets a precedence mask for the ACL rules                                               MAC

acl_name – Name of the ACL. (Maximum length: 16 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
• An egress ACL must contain all deny rules.
• When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.

[vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]]
Note: The default is for Ethernet II packets.

Default Setting
None
Command Mode
MAC ACL
Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
• A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
 - 0800 - IP
 - 0806 - ARP
 - 8137 - IPX
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.

Example
Console#show mac access-list
MAC access-list jerry:
 permit any 00-e0-29-94-34-de ethertype 0800
Console#
Related Commands
permit, deny (3-134)
mac access-group (3-142)

access-list mac mask-precedence
This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table.
Syntax
[no] access-list mac mask-precedence {in | out}
• in – Ingress mask for ingress ACLs.
• out – Egress mask for egress ACLs.

Example
Console(config)#access-list mac mask-precedence in
Console(config-mac-mask-acl)#
Related Commands
mask (MAC ACL) (3-138)
mac access-group (3-142)

mask (MAC ACL)
This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask.

Command Usage
• Up to seven masks can be assigned to an ingress or egress ACL.
• Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
• First create the required ACLs and inbound or outbound masks before mapping an ACL to an interface.

Example
This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.

This example creates an Egress MAC ACL.
Console(config)#access-list mac M5
Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806
Console(config-mac-acl)#end
Console#show access-list
MAC access-list M5:
 deny tagged-802.

Related Commands
mask (MAC ACL) (3-138)

mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax
mac access-group acl_name {in | out}
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
• out – Indicates that this list applies to egress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.

show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Console#show mac access-group
Interface ethernet 1/5
 MAC access-list M5 out
Console#
Related Commands
mac access-group (3-142)

map access-list mac
This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself.

the output queues as shown below.
Priority  0  1  2  3  4  5  6  7
Queue     1  2  0  3  4  5  6  7
Example
Console(config)#int eth 1/5
Console(config-if)#map access-list mac M5 cos 0
Console(config-if)#
Related Commands
queue cos-map (3-81)
show map access-list mac (3-144)

show map access-list mac
This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.

Related Commands
map access-list mac (3-143)

match access-list mac
This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker.
Syntax
match access-list mac acl_name set priority priority
no match access-list mac acl_name
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• priority – Class of Service value in the IEEE 802.

ACL Information
Command            Function                                  Mode  Page
show access-list   Show all ACLs and associated rules        PE    3-146
show access-group  Shows the ACLs assigned to each port      PE    3-146

show access-list
This command shows all ACLs and associated rules, as well as all the user-defined masks.
Command Mode
Privileged Exec
Command Usage
Once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
SNMP COMMANDS

Command Mode
Privileged Exec
Example
Console#show access-group
Interface ethernet 1/2
 IP standard access-list david
 MAC access-list jerry
Console#

SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.

Syntax
snmp-server community string [ro|rw]
no snmp-server community string
• string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5)
• ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
• rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#snmp-server contact Paul
Console(config)#
Related Commands
snmp-server location (3-149)

snmp-server location
This command sets the system location string. Use the no form to remove the location string.

Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (3-148)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr community-string [version {1 | 2c}]
no snmp-server host host-addr
• host-addr - Internet address of the host (the targeted recipient).

are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
• The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to specify which SNMP notifications are sent globally.

Default Setting
Issue authentication and link-up-down traps.
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled.

are allowed SNMP access to the switch.
• subnet_mask - An address bitmask of decimal numbers that represent the address bits to match.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• You can create a list of up to 16 IP addresses or IP address groups that are allowed access to the switch via SNMP management software.
• Address bitmasks are similar to a subnet mask, containing four decimal integers from 0 to 255, each separated by a period.

show snmp
This command checks the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
Example
Console#show snmp
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1.
DHCP COMMANDS

DHCP Commands
These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. You can configure any VLAN interface to be automatically assigned an IP address via DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network, or you can configure this switch to provide DHCP service directly to any client.

• hex - The hexadecimal value.
Default Setting
None
Command Mode
Interface Configuration (VLAN)
Command Usage
This command is used to include a client identifier in all communications with the DHCP server. The identifier type depends on the requirements of your DHCP server.

• If the BOOTP or DHCP server has been moved to a different domain, the network portion of the address provided to the client will be based on this new domain.
Example
In the following example, the device is reassigned the same address.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#exit
Console#ip dhcp restart client
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: Dhcp.

Command Mode
Interface Configuration (VLAN)
Command Usage
This command is used to configure DHCP relay functions for host devices attached to the switch. If DHCP relay service is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server on another network.

Syntax
ip dhcp relay server address1 [address2 [address3 ...]]
no ip dhcp relay server
address - IP address of DHCP server. (Range: 1-3 addresses)
Default Setting
None
Command Mode
Interface Configuration (VLAN)
Usage Guidelines
• You must specify the IP address for at least one DHCP server. Otherwise, the switch’s DHCP relay agent will not forward client requests to a DHCP server.
• To start DHCP relay service, enter the ip dhcp restart relay command.

DHCP Server
Command                   Function                                                                   Mode  Page
service dhcp              Enables the DHCP server feature on this switch                             GC    3-161
ip dhcp excluded-address  Specifies IP addresses that a DHCP server should not assign to DHCP clients  GC    3-161
ip dhcp pool              Configures a DHCP address pool on a DHCP Server                            GC    3-162
network                   Configures the subnet number and mask for a DHCP address pool              DC    3-163
default-router            Specifies the default router list for a DHCP client                        DC    3-164
domain-name               Specifi

Command                   Function                                                                   Mode    Page
show ip dhcp binding      Displays address bindings on the DHCP server                               PE, NE  3-175
*These commands are used for manually binding an address to a client.

service dhcp
Use this command to enable the DHCP server on this switch. Use the no form to disable the DHCP server.

• high-address - The last IP address in an excluded address range.
Default Setting
All IP pool addresses may be assigned.
Command Mode
Global Configuration
Example
Console(config)#ip dhcp excluded-address 10.1.0.19
Console(config)#

ip dhcp pool
Use this command to configure a DHCP address pool and enter DHCP Pool Configuration mode. Use the no form to remove the address pool.
Syntax
ip dhcp pool name
no ip dhcp pool name
name - A string or integer.

within the range of a configured network address pool.
Example
Console(config)#ip dhcp pool R&D
Console(config-dhcp)#
Related Commands
network (3-163)
host (3-170)

network
Use this command to configure the subnet number and mask for a DHCP address pool. Use the no form to remove the subnet number and mask.
Syntax
network network-number [mask]
no network
• network-number - The IP address of the DHCP address pool.

• This command is valid for DHCP network address pools only. If the mask is not specified, the class A, B, or C natural mask is used (see page 3-276). The DHCP server assumes that all host addresses are available. You can exclude subsets of the address space by using the ip dhcp excluded-address command.
Example
Console(config-dhcp)#network 10.1.0.0 255.255.255.0
Console(config-dhcp)#

default-router
Use this command to specify default routers for a DHCP pool.
domain-name
  Use this command to specify the domain name for a DHCP client. Use the no form to remove the domain name.
Syntax
  domain-name domain
  no domain-name
  domain - Specifies the domain name of the client. (Range: 1-32 characters)
Default Setting
  None
Command Mode
  DHCP Pool Configuration
Example
  Console(config-dhcp)#domain-name sample.com
  Console(config-dhcp)#

dns-server
  Use this command to specify the Domain Name System (DNS) IP servers available to a DHCP client.

Command Mode
  DHCP Pool Configuration
Usage Guidelines
  • If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names to IP addresses.
  • Servers are listed in order of preference (starting with address1 as the most preferred server).
Example
  Console(config-dhcp)#dns-server 10.1.1.253 192.168.3.19
  Console(config-dhcp)#

next-server
  Use this command to configure the next server in the boot process of a DHCP client.

bootfile
  Use this command to specify the name of the default boot image for a DHCP client. This file should be placed on the Trivial File Transfer Protocol (TFTP) server specified with the next-server command. Use the no form to delete the boot image name.
Syntax
  bootfile filename
  no bootfile
  filename - Name of the file that is used as a default boot image.
Default Setting
  None
Command Mode
  DHCP Pool Configuration
Example
  Console(config-dhcp)#bootfile wme.

  • address2 - Specifies IP address of alternate NetBIOS WINS name server.
Default Setting
  None
Command Mode
  DHCP Pool Configuration
Usage Guidelines
  Servers are listed in order of preference (starting with address1 as the most preferred server).
Example
  Console(config-dhcp)#netbios-name-server 10.1.0.33 10.1.0.34
  Console(config-dhcp)#
Related Commands
  netbios-node-type (3-168)

netbios-node-type
  Use this command to configure the NetBIOS node type for Microsoft DHCP clients.

Command Mode
  DHCP Pool Configuration
Example
  Console(config-dhcp)#netbios-node-type hybrid
  Console(config-dhcp)#
Related Commands
  netbios-name-server (3-167)
lease
  Use this command to configure the duration that an IP address is assigned to a DHCP client. Use the no form to restore the default value.
Syntax
  lease {days [hours][minutes] | infinite}
  no lease
  • days - Specifies the duration of the lease in numbers of days. (Range: 0-364)
  • hours - Specifies the number of hours in the lease. A days value must be supplied before you can configure hours. (Range: 0-23)
  • minutes - Specifies the number of minutes in the lease.

Syntax
  host address [mask]
  no host
  • address - Specifies the IP address of a client.
  • mask - Specifies the network mask of the client.

Usage Guidelines
  • Host addresses must fall within the range specified for an existing network pool.
  • When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server). If there is no gateway in the client request (i.e.

Syntax
  client-identifier {text text | hex hex}
  no client-identifier
  • text - A text string. (Range: 1-15 characters)
  • hex - The hexadecimal value.
Default Setting
  None
Command Mode
  DHCP Pool Configuration
Command Usage
  • This command identifies a DHCP client to bind to an address specified in the host command. If both a client identifier and hardware address are configured for a host address, the client identifier takes precedence over the hardware address in the search procedure.

Syntax
  hardware-address hardware-address type
  no hardware-address
  • hardware-address - Specifies the MAC address of the client device.
  • type - Indicates the following protocol used on the client device:
    - ethernet
    - ieee802
    - fddi
Default Setting
  If no type is specified, the default protocol is Ethernet.
Command Mode
  DHCP Pool Configuration
Command Usage
  This command identifies a DHCP or BOOTP client to bind to an address specified in the host command.
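The address-pool rules spelled out by the network, ip dhcp excluded-address, host, client-identifier and hardware-address commands, together with the relay behaviour described at the start of this section, modelled in Python as an added example (this is not SMC code; the class and method names such as DhcpServer and offer() are this example's own, and the constructed addresses in the usage at the bottom are illustrative):

```python
"""Model of the DHCP server address-pool rules documented in this section:
natural class mask when 'network' is given no mask, excluded addresses,
manual 'host' bindings matched by client-identifier before hardware-address,
and selection of the pool by the gateway address that 'ip dhcp relay'
inserts into a forwarded request. Added example, not the switch's code."""
import ipaddress


def natural_mask(network_number):
    """Class A/B/C natural prefix length used when no mask is given to 'network'."""
    first_octet = int(network_number.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


class NetworkPool:
    """One 'ip dhcp pool' configured with 'network'; hosts are manual bindings."""

    def __init__(self, name, network):
        self.name = name
        self.network = network
        self.hosts = []  # (address, client_id, hw_address) tuples


class DhcpServer:
    def __init__(self):
        self.pools = []
        self.excluded = set()  # addresses from 'ip dhcp excluded-address'
        self.bindings = {}     # automatic bindings: IPv4Address -> client key

    def network(self, name, network_number, mask=None):
        """'network network-number [mask]'; mask may be dotted or a prefix length."""
        mask = natural_mask(network_number) if mask is None else mask
        net = ipaddress.IPv4Network(f"{network_number}/{mask}", strict=False)
        self.pools.append(NetworkPool(name, net))

    def excluded_address(self, low, high=None):
        """'ip dhcp excluded-address low-address [high-address]'."""
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high)) if high else lo
        self.excluded.update(ipaddress.IPv4Address(i) for i in range(lo, hi + 1))

    def host(self, address, client_id=None, hw_address=None):
        """Manual binding ('host' plus client-identifier / hardware-address).
        The address must fall within an existing network pool."""
        addr = ipaddress.IPv4Address(address)
        for pool in self.pools:
            if addr in pool.network:
                pool.hosts.append((addr, client_id, hw_address))
                return
        raise ValueError(f"host {address} is not within any configured network pool")

    def select_pool(self, giaddr):
        """A relayed request carries the relay agent's own IP; match it to a pool."""
        gateway = ipaddress.IPv4Address(giaddr)
        for pool in self.pools:
            if gateway in pool.network:
                return pool
        return None

    def offer(self, giaddr, client_id=None, hw_address=None):
        """Return the address the server would offer, or None if none is available."""
        pool = self.select_pool(giaddr)
        if pool is None:
            return None
        # Manual bindings: the client identifier takes precedence over the hardware address.
        for addr, cid, _hw in pool.hosts:
            if client_id is not None and cid == client_id:
                return str(addr)
        for addr, _cid, hw in pool.hosts:
            if hw_address is not None and hw == hw_address:
                return str(addr)
        # Automatic binding: first host address that is not excluded, reserved or bound.
        reserved = {addr for addr, _cid, _hw in pool.hosts}
        for addr in pool.network.hosts():
            if addr in self.excluded or addr in reserved or addr in self.bindings:
                continue
            self.bindings[addr] = hw_address or client_id
            return str(addr)
        return None

    def clear_binding(self, address="*"):
        """'clear ip dhcp binding {address | *}' clears automatic bindings only."""
        if address == "*":
            self.bindings.clear()
        else:
            self.bindings.pop(ipaddress.IPv4Address(address), None)


if __name__ == "__main__":
    # Constructed walk-through using the pool from the 'network' example above.
    server = DhcpServer()
    server.network("R&D", "10.1.0.0", "255.255.255.0")
    server.excluded_address("10.1.0.1", "10.1.0.19")
    server.host("10.1.0.50", client_id="printer1", hw_address="00-00-e8-98-73-21")
    print(server.offer("10.1.0.1", client_id="printer1"))          # 10.1.0.50
    print(server.offer("10.1.0.1", hw_address="00-11-22-33-44-55"))  # 10.1.0.20
```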
  • address - The address of the binding to clear.
  • * - Clears all automatic bindings.
Default Setting
  None
Command Mode
  Privileged Exec
Usage Guidelines
  • An address specifies the client’s IP address. If an asterisk (*) is used as the address parameter, the DHCP server clears all automatic bindings.
  • Use the no host command to delete a manual binding.
  • This command is normally used after modifying the address pool, or after moving DHCP service to another device.
Example.

Command Mode
  Normal Exec, Privileged Exec
Example
  Console#show ip dhcp binding
  IP               MAC                Lease Time    Start
  ---------------  -----------------  ------------  ----------
  192.1.3.21       00-00-e8-98-73-21  86400         Dec 25 08:01:57 2002
  Console#

DNS Commands
  These commands are used to configure Domain Naming System (DNS) services.
DNS COMMANDS
Command          Function                                                Mode  Page
show hosts       Displays the static host name-to-address mapping table  PE    3-183
show dns         Displays the configuration for DNS services             PE    3-184
show dns cache   Displays entries in the DNS cache                       PE    3-184
clear dns cache  Clears all entries from the DNS cache                   PE    3-185

ip host
  This command creates a static entry in the DNS table that maps a host name to an IP address. Use the no form to remove an entry.

Example
  This example maps two addresses to a host name.
  Console(config)#ip host rd5 192.168.1.55 10.1.0.55
  Console(config)#end
  Console#show hosts
  Hostname
   rd5
  Inet address
   10.1.0.55 192.168.1.55
  Alias
  Console#

clear host
  This command deletes entries from the DNS table.
Syntax
  clear host {name | *}
  • name - Name of the host. (Range: 1-64 characters)
  • * - Removes all entries.

  with dotted notation). Use the no form to remove the current domain name.
Syntax
  ip domain-name name
  no ip domain-name
  name - Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-64 characters)
Default Setting
  None
Command Mode
  Global Configuration
Example
  Console(config)#ip domain-name sample.com
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
    DNS disabled
  Default Domain Name:
    .sample.

Syntax
  [no] ip domain-list name
  name - Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-64 characters)
Default Setting
  None
Command Mode
  Global Configuration
Command Usage
  • Domain names are added to the end of the list one at a time.
Related Commands
  ip domain-name (3-178)

ip name-server
  This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
Syntax
  [no] ip name-server server-address1 [server-address2 … server-address6]
  • server-address1 - IP address of domain-name server.
  • server-address2 … server-address6 - IP address of additional domain-name servers.

Example
  This example adds two domain-name servers to the list and then displays the list.
  Console(config)#ip name-server 192.168.1.55 10.1.0.55
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
    DNS disabled
  Default Domain Name:
    .sample.com
  Domain Name List:
    .sample.com.jp
    .sample.com.uk
  Name Server List:
    192.168.1.55
    10.1.0.

Example
  This example enables DNS and then displays the configuration.
  Console(config)#ip domain-lookup
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
    DNS enabled
  Default Domain Name:
    .sample.com
  Domain Name List:
    .sample.com.jp
    .sample.com.uk
  Name Server List:
    192.168.1.55
    10.1.0.55
  Console#
Related Commands
  ip domain-name (3-178)
  ip name-server (3-181)

show hosts
  This command displays the static host name-to-address mapping table.

show dns
  This command displays the configuration of the DNS server.
Command Mode
  Privileged Exec
Example
  Console#show dns
  Domain Lookup Status:
    DNS enabled
  Default Domain Name:
    sample.com
  Domain Name List:
    sample.com.jp
    sample.com.uk
  Name Server List:
    192.168.1.55
    10.1.0.55
  Console#

show dns cache
  This command displays entries in the DNS cache.

Field   Description
FLAG    The flag is always “4” indicating a cache entry and therefore unreliable.
TYPE    This field includes CNAME which specifies the canonical or primary name for the owner, and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry.
IP      The IP address associated with this record.
TTL     The time to live reported by the name server.
DOMAIN  The domain name associated with this record.
INTERFACE COMMANDS
Interface Commands
  These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.

Syntax
  interface interface
  no interface port-channel channel-id
  interface
  • ethernet unit/port
    - unit - This is device 1.
    - port - Port number.
  • port-channel channel-id (Range: 1-6)
  • vlan vlan-id (Range: 1-4094)
Default Setting
  None
Command Mode
  Global Configuration
Example
  To specify port 4, enter the following command:
  Console(config)#interface ethernet 1/4
  Console(config-if)#

description
  This command adds a description to an interface. Use the no form to remove the description.

Command Mode
  Interface Configuration (Ethernet, Port Channel)
Example
  The following example adds a description to port 4.
  Console(config)#interface ethernet 1/4
  Console(config-if)#description RD-SW#3
  Console(config-if)#

speed-duplex
  This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default.

Default Setting
  • Auto-negotiation is enabled by default.
  • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports.
Command Mode
  Interface Configuration (Ethernet, Port Channel)
Command Usage
  • To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.

Default Setting
  Enabled
Command Mode
  Interface Configuration (Ethernet, Port Channel)
Command Usage
  • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
  • If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
  • 10full - Supports 10 Mbps full-duplex operation
  • 10half - Supports 10 Mbps half-duplex operation
  • flowcontrol - Supports flow control
  • symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames.

  flowcontrol (3-7)

flowcontrol
  This command enables flow control. Use the no form to disable flow control.
Syntax
  [no] flowcontrol
Default Setting
  Flow control enabled
Command Mode
  Interface Configuration (Ethernet, Port Channel)
Command Usage
  • Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.

Example
  The following example enables flow control on port 5.
  Console(config)#interface ethernet 1/5
  Console(config-if)#flowcontrol
  Console(config-if)#no negotiation
  Console(config-if)#
Related Commands
  negotiation (3-4)
  capabilities (flowcontrol, symmetric) (3-5)

combo-forced-mode
  This command forces the port type selected for combination ports 8 - 12. Use the no form to restore the default mode.

Example
  This forces the switch to use the built-in RJ-45 port for the combination port 8.
  Console(config)#interface ethernet 1/8
  Console(config-if)#combo-forced-mode copper-forced
  Console(config-if)#

shutdown
  This command disables an interface. To restart a disabled interface, use the no form.
Syntax
  [no] shutdown
Default Setting
  All interfaces are enabled.

Syntax
  switchport broadcast packet-rate rate
  no switchport broadcast
  rate - Threshold level as a rate; i.e., packets per second. (Range: 500 - 262143)
Default Setting
  Enabled for all ports
  Packet-rate limit: 500 packets per second
Command Mode
  Interface Configuration (Ethernet)
Command Usage
  • When broadcast traffic exceeds the specified threshold, packets above that threshold are dropped.
  • This command can enable or disable broadcast storm control for the selected interface.
    - unit - This is device 1.
    - port - Port number.
  • port-channel channel-id (Range: 1-6)
Default Setting
  None
Command Mode
  Privileged Exec
Command Usage
  Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.

Default Setting
  Shows the status for all interfaces.
Command Mode
  Normal Exec, Privileged Exec
Command Usage
  If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status” on page 3-89.

show interfaces counters
  This command displays interface statistics.
Syntax
  show interfaces counters [interface]
  interface
  • ethernet unit/port
    - unit - This is device 1.
    - port - Port number.
  • port-channel channel-id (Range: 1-6)
Default Setting
  Shows the counters for all interfaces.
Command Mode
  Normal Exec, Privileged Exec
Command Usage
  If no interface is specified, information on all interfaces is displayed.

Example
  Console#show interfaces counters ethernet 1/7
  Ethernet 1/7
   Iftable stats:
    Octets input: 30658, Octets output: 196550
    Unicast input: 6, Unicast output: 5
    Discard input: 0, Discard output: 0
    Error input: 0, Error output: 0
    Unknown protos input: 0, QLen output: 0
   Extended iftable stats:
    Multi-cast input: 0, Multi-cast output: 3064
    Broadcast input: 262, Broadcast output: 1
   Ether-like stats:
    Alignment errors: 0, FCS errors: 0
    Single Collision frames: 0, Multiple collision frames: 0
    SQE Test errors: 0, De

Default Setting
  Shows all interfaces.
Command Mode
  Normal Exec, Privileged Exec
Command Usage
  If no interface is specified, information on all interfaces is displayed.
Example
  This example shows the configuration setting for port 4.

Field                          Description
Priority for untagged traffic  Indicates the default priority for untagged frames (page 3-77).
Gvrp status                    Shows if GARP VLAN Registration Protocol is enabled or disabled (page 3-73).
Allowed Vlan                   Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (page 3-62).
Forbidden Vlan                 Shows the VLANs this interface cannot dynamically join via GVRP (page 3-63).
MIRROR PORT COMMANDS
Default Setting
  No mirror session is defined. When enabled, the default mirroring is for both received and transmitted packets.
Command Mode
  Interface Configuration (Ethernet, destination port)
Command Usage
  • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.

Default Setting
  Shows all sessions.
Command Mode
  Privileged Exec
Command Usage
  This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).

RATE LIMIT COMMANDS
  by the hardware to verify conformity. Non-conforming traffic is dropped, conforming traffic is forwarded without any changes.
Command     Function                                                Mode  Page
rate-limit  Configures the maximum input or output rate for a port  IC    3-19

rate-limit
  This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled.
Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to six trunks.
LINK AGGREGATION COMMANDS
  • A trunk can have up to eight ports.
  • The ports at both ends of a connection must be configured as trunk ports.
  • All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
  • All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.

Default Setting
  The current port will be added to this trunk.
Command Mode
  Interface Configuration (Ethernet)
Command Usage
  • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
  • Use no channel-group to remove a port group from a trunk.
  • Use no interfaces port-channel to remove a trunk from the switch.

Command Usage
  • The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
  • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
  • If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
   Current status:
    Created by: lacp
    Link status: Up
    Operation speed-duplex: 1000full
    Flow control type: None
    Member Ports: Eth1/10, Eth1/11, Eth1/12,
  Console#

lacp system-priority
  This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
  lacp {actor | partner} system-priority priority
  no lacp {actor | partner} system-priority
  • actor - The local side of an aggregate link.
  • partner - The remote side of an aggregate link.

  state, and will only take effect the next time an aggregate link is established with the partner.
Example
  Console(config)#interface ethernet 1/5
  Console(config-if)#lacp actor system-priority 3
  Console(config-if)#

lacp admin-key (Ethernet Interface)
  This command configures a port's LACP administration key. Use the no form to restore the default setting.

  • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.

  that when the LAG is no longer used, the port channel admin key is reset to 0.
Example
  Console(config)#interface port-channel 1
  Console(config-if)#lacp admin-key 3
  Console(config-if)#

lacp port-priority
  This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
  lacp {actor | partner} port-priority priority
  no lacp {actor | partner} port-priority
  • actor - The local side of an aggregate link.
  • partner - The remote side of an aggregate link.

  state, and will only take effect the next time an aggregate link is established with the partner.
Example
  Console(config)#interface ethernet 1/5
  Console(config-if)#lacp actor port-priority 128

show lacp
  This command displays LACP information.
Syntax
  show lacp [port-channel] {counters | internal | neighbors | sys-id}
  • port-channel - Local identifier for a link aggregation group. (Range: 1-6)
  • counters - Statistics for LACP protocol messages.
Example
  Console#show lacp 1 counters
  Channel group : 1
  ------------------------------------------------------------------------
  Eth 1/ 1
  ------------------------------------------------------------------------
  LACPDUs Sent : 21
  LACPDUs Received : 21
  Marker Sent : 0
  Marker Received : 0
  LACPDUs Unknown Pkts : 0
  LACPDUs Illegal Pkts : 0
  .
  .
  .

Field         Description
LACPDUs Sent  Number of valid LACPDUs transmitted from this channel group.

  Console#show lacp 1 internal
  Channel group : 1
  ------------------------------------------------------------------------
  Oper Key : 4
  Admin Key : 0
  Eth 1/1
  ------------------------------------------------------------------------
  LACPDUs Internal : 30 sec
  LACP System Priority : 32768
  LACP Port Priority : 32768
  Admin Key : 4
  Oper Key : 4
  Admin State : defaulted, aggregation, long timeout, LACP-activity
  Oper State : distributing, collecting, synchronization, aggregation, long timeout, LACP-activity
  .
  .
  .

Field                    Description
LACP Port Priority       LACP port priority assigned to this interface within the channel group.
Admin State, Oper State  Administrative or operational values of the actor’s state parameters:
                         • Expired – The actor’s receive machine is in the expired state;
                         • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.

  Console#show lacp 1 neighbors
  Channel group 1 neighbors
  ------------------------------------------------------------------------
  Eth 1/1
  ------------------------------------------------------------------------
  Partner Admin System ID : 32768, 00-00-00-00-00-00
  Partner Oper System ID : 32768, 00-00-00-00-00-01
  Partner Admin Port Number : 1
  Partner Oper Port Number : 1
  Port Admin Priority : 32768
  Port Oper Priority : 32768
  Admin Key : 0
  Oper Key : 4
  Admin State : defaulted, distributing, collecting, synchroniza

ADDRESS TABLE COMMANDS
  Console#show lacp sysid
  Channel group  System Priority  System MAC Address
  ------------------------------------------------------------------------
  1              32768            00-30-F1-8F-2C-A7
  2              32768            00-30-F1-8F-2C-A7
  3              32768            00-30-F1-8F-2C-A7
  4              32768            00-30-F1-8F-2C-A7
  5              32768            00-30-F1-8F-2C-A7
  6              32768            00-30-F1-8F-2C-A7
  Console#

Field             Description
Channel group     A link aggregation group configured on this switch.
System Priority*  LACP system priority for this channel group.
mac-address-table static
  This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
Syntax
  mac-address-table static mac-address interface interface vlan vlan-id [action]
  no mac-address-table static mac-address vlan vlan-id
  • mac-address - MAC address.
  • interface
    • ethernet unit/port
      - unit - This is device 1.
      - port - Port number.

  • Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • A static address cannot be learned on another port until the address is removed with the no form of this command.

    - port - Port number.
  • port-channel channel-id (Range: 1-6)
  • vlan-id - VLAN ID (Range: 1-4094)
  • sort - Sort by address, vlan or interface.
Default Setting
  None
Command Mode
  Privileged Exec
Command Usage
  • The MAC Address Table contains the MAC addresses associated with each interface.

Syntax
  mac-address-table aging-time seconds
  no mac-address-table aging-time
  seconds - Aging time. (Range: 10-1000000 seconds; 0 to disable aging)
Default Setting
  300 seconds
Command Mode
  Global Configuration
Command Usage
  The aging time is used to age out dynamically learned forwarding information.
Example
  Console(config)#mac-address-table aging-time 100
  Console(config)#

show mac-address-table aging-time
  This command shows the aging time for entries in the address table.
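The learning rules stated for mac-address-table static and mac-address-table aging-time, modelled in Python as an added example (not SMC code; MacTable, learn() and the "static-ignored" result are names chosen here, and the MAC addresses in the usage at the bottom are constructed). The "static-ignored" case is the one worth logging on a real switch, since it means a statically bound address appeared on a different port:

```python
"""Forwarding-table model for the address-table commands in this section:
static entries stay bound to their interface and are ignored when seen on
another port; dynamic entries are aged out by the configured aging time.
Added example, not the switch's own code."""


class MacTable:
    def __init__(self, aging_time=300):
        # 'mac-address-table aging-time seconds': range 10-1000000, 0 disables aging
        if aging_time != 0 and not 10 <= aging_time <= 1000000:
            raise ValueError("aging time must be 0 or 10-1000000 seconds")
        self.aging_time = aging_time
        self.entries = {}  # (vlan, mac) -> {"interface", "static", "last_seen"}

    @staticmethod
    def _key(mac, vlan):
        return (vlan, mac.lower())

    def add_static(self, mac, interface, vlan):
        """'mac-address-table static mac interface ... vlan vlan-id'."""
        self.entries[self._key(mac, vlan)] = {
            "interface": interface, "static": True, "last_seen": None}

    def remove_static(self, mac, vlan):
        """'no mac-address-table static mac vlan vlan-id'. Only after this can
        the address be learned on another port again."""
        entry = self.entries.get(self._key(mac, vlan))
        if entry is None or not entry["static"]:
            return False
        del self.entries[self._key(mac, vlan)]
        return True

    def learn(self, mac, interface, vlan, now):
        """Source-address learning for a frame seen on `interface` at time `now`.
        Returns 'learned', 'static-ok', or 'static-ignored' (a statically bound
        address seen on a different interface: not moved, not written)."""
        key = self._key(mac, vlan)
        entry = self.entries.get(key)
        if entry is not None and entry["static"]:
            return "static-ok" if entry["interface"] == interface else "static-ignored"
        self.entries[key] = {"interface": interface, "static": False, "last_seen": now}
        return "learned"

    def age(self, now):
        """Drop dynamic entries not refreshed within the aging time; static ones never age."""
        if self.aging_time == 0:
            return []
        expired = [key for key, entry in self.entries.items()
                   if not entry["static"] and now - entry["last_seen"] > self.aging_time]
        for key in expired:
            del self.entries[key]
        return expired

    def lookup(self, mac, vlan):
        """Interface a frame for this destination would be forwarded to, or None."""
        entry = self.entries.get(self._key(mac, vlan))
        return entry["interface"] if entry else None


if __name__ == "__main__":
    # Constructed walk-through: a static address then shows up on another port.
    table = MacTable(aging_time=100)
    table.add_static("00-30-F1-8F-2C-A7", "Eth1/5", 1)
    print(table.learn("00-30-f1-8f-2c-a7", "Eth1/9", 1, now=10.0))  # static-ignored
    print(table.lookup("00-30-F1-8F-2C-A7", 1))                     # Eth1/5
```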
Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
SPANNING TREE COMMANDS
spanning-tree
  This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
Syntax
  [no] spanning-tree
Default Setting
  Spanning tree is enabled.
Command Mode
  Global Configuration
Command Usage
  The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.

  • stp - Spanning Tree Protocol (IEEE 802.1D)
  • rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
Default Setting
  rstp
Command Mode
  Global Configuration
Command Usage
  • Spanning Tree Protocol
    Uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
    - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.

spanning-tree forward-time
  This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Syntax
  spanning-tree forward-time seconds
  no spanning-tree forward-time
  seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].

spanning-tree hello-time
  This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.
Syntax
  spanning-tree hello-time time
  no spanning-tree hello-time
  time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) -1].
Default Setting
  2 seconds
Command Mode
  Global Configuration
Command Usage
  This command sets the time interval (in seconds) at which the root device transmits a configuration message.

Default Setting
  20 seconds
Command Mode
  Global Configuration
Command Usage
  This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
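The forward-time and hello-time limits above are both expressed in terms of max-age; the following Python check applies them together and also rearranges them into the max-age window that keeps a given pair of timers consistent. This is an added example, not SMC code; validate_sta_timers() and max_age_bounds() are names chosen here, and the 15/2/20 defaults are the bridge values shown in the show spanning-tree output later in this section.

```python
"""Consistency check for the spanning-tree bridge timers documented above.
Added example; not part of the switch firmware."""


def validate_sta_timers(forward_time, hello_time, max_age=20):
    """Return a list of rule violations; an empty list means the timers are consistent."""
    problems = []
    # forward-time: range 4-30, minimum is the higher of 4 or (max-age / 2) + 1
    if not 4 <= forward_time <= 30:
        problems.append(f"forward-time {forward_time} is outside 4-30")
    elif forward_time < max(4, max_age / 2 + 1):
        problems.append(
            f"forward-time {forward_time} is below (max-age / 2) + 1 = {max_age / 2 + 1:g}")
    # hello-time: range 1-10, maximum is the lower of 10 or (max-age / 2) - 1
    if not 1 <= hello_time <= 10:
        problems.append(f"hello-time {hello_time} is outside 1-10")
    elif hello_time > min(10, max_age / 2 - 1):
        problems.append(
            f"hello-time {hello_time} is above (max-age / 2) - 1 = {max_age / 2 - 1:g}")
    return problems


def max_age_bounds(forward_time, hello_time):
    """The same two rules solved for max-age: a max-age value is consistent with the
    given forward-time and hello-time when 2*(hello+1) <= max-age <= 2*(forward-1)."""
    return 2 * (hello_time + 1), 2 * (forward_time - 1)


if __name__ == "__main__":
    print(validate_sta_timers(15, 2, 20))   # [] : the defaults are consistent
    print(validate_sta_timers(10, 2, 20))   # forward-time 10 is below 11
    print(max_age_bounds(15, 2))            # (6, 28)
```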
Command Mode
  Global Configuration
Command Usage
  Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Example
  Console(config)#spanning-tree priority 40000
  Console(config)#

spanning-tree pathcost method
  This command configures the path cost method used for Rapid Spanning Tree.

Example
  Console(config)#spanning-tree pathcost method long
  Console(config)#

spanning-tree transmission-limit
  This command configures the minimum interval between the transmission of consecutive RSTP BPDUs. Use the no form to restore the default.
Syntax
  spanning-tree transmission-limit count
  no spanning-tree transmission-limit
  count - The transmission limit in seconds.

  This example disables the spanning tree algorithm for port 5.
  Console(config)#interface ethernet 1/5
  Console(config-if)#spanning-tree spanning-disabled
  Console(config-if)#

spanning-tree cost
  This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
Syntax
  spanning-tree cost cost
  no spanning-tree cost
  cost - The path cost for the port.

  the maximum value for path cost is 65,535.
Example
  Console(config)#interface ethernet 1/5
  Console(config-if)#spanning-tree cost 50
  Console(config-if)#

spanning-tree port-priority
  This command configures the priority for the specified interface. Use the no form to restore the default.
Syntax
  spanning-tree port-priority priority
  no spanning-tree port-priority
  priority - The priority for a port.
spanning-tree edge-port
  This command specifies an interface as an edge port. Use the no form to restore the default.
Syntax
  [no] spanning-tree edge-port
Default Setting
  Disabled
Command Mode
  Interface Configuration (Ethernet, Port Channel)
Command Usage
  • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.

spanning-tree portfast
  This command sets an interface to fast forwarding. Use the no form to disable fast forwarding.
Syntax
  [no] spanning-tree portfast
Default Setting
  Disabled
Command Mode
  Interface Configuration (Ethernet, Port Channel)
Command Usage
  • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding.

spanning-tree link-type
  This command configures the link type for Rapid Spanning Tree. Use the no form to restore the default.
Syntax
  spanning-tree link-type {auto | point-to-point | shared}
  no spanning-tree link-type
  • auto - Automatically derived from the duplex mode setting.
  • point-to-point - Point-to-point link.
  • shared - Shared medium.

spanning-tree protocol-migration
  This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
  spanning-tree protocol-migration interface
  interface
  • ethernet unit/port
    - unit - This is device 1.
    - port - Port number.

  • ethernet unit/port
    - unit - This is device 1.
    - port - Port number.
  • port-channel channel-id (Range: 1-6)
Default Setting
  None
Command Mode
  Privileged Exec
Command Usage
  • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch and for every interface in the tree.
  • Use the show spanning-tree interface command to display the spanning tree configuration for an interface.

Example
  Console#show spanning-tree
  Spanning-tree information
  --------------------------------------------------------------
  Spanning tree mode :MSTP
  Spanning tree enable/disable :enable
  Instance :0
  Vlans configuration :1-4094
  Priority :32768
  Bridge Hello Time (sec.) :2
  Bridge Max Age (sec.) :20
  Bridge Forward Delay (sec.) :15
  Root Hello Time (sec.) :2
  Root Max Age (sec.) :20
  Root Forward Delay (sec.
VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
VLAN COMMANDS

Command Mode
Global Configuration
Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
- suspend - VLAN is suspended. Suspended VLANs do not pass packets.
Default Setting
By default only VLAN 1 exists and is active.
Command Mode
VLAN Database Configuration
Command Usage
• no vlan vlan-id deletes the VLAN.
• no vlan vlan-id name removes the VLAN name.
• no vlan vlan-id state returns the VLAN to the default state (i.e., active).
• You can configure up to 255 VLANs on the switch.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Configuring VLAN Interfaces
Command                             Function                                                   Mode  Page
interface vlan                      Enters interface configuration mode for a specified VLAN   IC    3-57
switchport mode                     Configures VLAN membership mode for an interface           IC    3-58
switchport acceptable-frame-types   Configures frame types to be accepted by an interface      IC    3-59
switchport ingress-filtering        Enables ingress filtering on an interface                  IC    3-60
switchport native vlan              Configures the PVID (native VLAN) of an interface          IC    3-61
sw                                                                                             IC    3-62
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
Related Commands
shutdown (3-9)

switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Example
The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport mode hybrid
Console(config-if)#
Related Commands
switchport acceptable-frame-types (3-59)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Example
The following example shows how to restrict the traffic received on port 1 to tagged frames:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport acceptable-frame-types tagged
Console(config-if)#
Related Commands
switchport mode (3-58)

switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
Example
The following example shows how to set the interface to port 1 and then enable ingress filtering:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#

switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port.
Example
The following example shows how to set the PVID for port 1 to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport native vlan 3
Console(config-if)#

switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
• add vlan-list - List of VLAN identifiers to add.
whether to keep or remove the tag from a frame on egress.
• If none of the intermediate network devices nor the host at the other end of the connection supports VLANs, the interface should be added to these VLANs as an untagged member. Otherwise, it is only necessary to add at most one VLAN as untagged, and this should correspond to the native VLAN for the interface.
Command Usage
• This command prevents a VLAN from being automatically added to the specified interface via GVRP.
• If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface.
Default Setting
Shows all VLANs.
Command                                        Function                                                                     Mode  Page
show protocol-vlan protocol-group              Shows the configuration of protocol groups                                   PE    3-68
show interfaces protocol-vlan protocol-group   Shows the interfaces mapped to a protocol group and the corresponding VLAN   PE    3-69
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 3-55). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network.
rarp.
Default Setting
No protocol groups are configured.
Command Usage
• When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 3-55), these interfaces will admit traffic of any protocol type into the associated VLAN.
• When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner:
  - If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
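The ingress decisions described by the switchport acceptable-frame-types, switchport ingress-filtering, switchport native vlan, switchport allowed vlan and protocol-vlan commands above, modelled for one port as an added example (this is not SMC code; the port policy values and frames are constructed, and the allowed VLAN list is an assumption):

```python
# Added example (not SMC code): models one port's ingress VLAN classification
# as the switchport and protocol-vlan commands in this chapter describe it.
# Port policy values and frames are constructed for the demo.
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100
ETHERTYPE_IP = 0x0800   # the "ethernet 08 00" protocol group shown in this chapter
ETHERTYPE_ARP = 0x0806


@dataclass
class PortPolicy:
    """Per-port settings; field names follow the CLI commands they model."""
    native_vlan: int = 1                        # switchport native vlan <vlan-id>
    allowed_vlans: set = field(default_factory=lambda: {1})  # switchport allowed vlan add ...
    tagged_only: bool = False                   # switchport acceptable-frame-types tagged
    ingress_filtering: bool = False             # switchport ingress-filtering
    # (frame type, protocol type) -> protocol group id (show protocol-vlan protocol-group)
    protocol_groups: dict = field(default_factory=dict)
    # protocol group id -> VLAN (show interfaces protocol-vlan protocol-group)
    group_to_vlan: dict = field(default_factory=dict)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vid=None, pcp=0) -> bytes:
    """Construct an Ethernet II frame, optionally carrying an 802.1Q tag."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame: bytes):
    """Return (vid or None, ethertype). A VID of 0 is a priority-tagged frame and
    counts as untagged; that is standard 802.1Q behaviour, not from the manual."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None, tpid
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return (vid if vid else None), ethertype


def classify(policy: PortPolicy, frame: bytes):
    """Return ("forward", vlan) or ("drop", reason) for a frame arriving on the port."""
    vid, ethertype = parse_frame(frame)
    if vid is None:
        # Untagged: acceptable-frame-types tagged discards it outright.
        if policy.tagged_only:
            return "drop", "untagged frame on a port accepting tagged frames only"
        # Protocol VLAN: match the EtherType against the port's protocol groups.
        group = policy.protocol_groups.get(("ethernet", ethertype))
        if group is not None and group in policy.group_to_vlan:
            return "forward", policy.group_to_vlan[group]
        # Otherwise the frame lands in the PVID (native VLAN).
        return "forward", policy.native_vlan
    # Tagged: ingress filtering discards VIDs the port is not a member of.
    if policy.ingress_filtering and vid not in policy.allowed_vlans:
        return "drop", f"VLAN {vid} is not allowed on this port (ingress filtering)"
    return "forward", vid


def demo_port_1() -> PortPolicy:
    """Port 1 as configured in this chapter's examples: native VLAN 3, protocol
    group 1 (IP over Ethernet) mapped to VLAN 2, ingress filtering enabled.
    The allowed VLAN list {1, 2, 3} is a constructed assumption."""
    return PortPolicy(native_vlan=3, allowed_vlans={1, 2, 3},
                      ingress_filtering=True,
                      protocol_groups={("ethernet", ETHERTYPE_IP): 1},
                      group_to_vlan={1: 2})


if __name__ == "__main__":
    p = demo_port_1()
    dst, src = "ffffffffffff", "001122334455"          # constructed addresses
    print(classify(p, build_frame(dst, src, ETHERTYPE_IP, b"\x45" + b"\0" * 19)))
    print(classify(p, build_frame(dst, src, ETHERTYPE_ARP, b"\0" * 28)))
    print(classify(p, build_frame(dst, src, ETHERTYPE_IP, b"\0" * 20, vid=100)))
```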
Command Mode
Privileged Exec
Example
This shows protocol group 1 configured for IP over Ethernet:
Console#show protocol-vlan protocol-group
ProtocolGroup ID   Frame Type   Protocol Type
------------------ ------------ --------------
1                  ethernet     08 00
Console#

show interfaces protocol-vlan protocol-group
This command shows the mapping from protocol groups to VLANs for the selected interfaces.
Example
This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
Port       ProtocolGroup ID   Vlan ID
---------- ------------------ ----------
Eth 1/1    1                  vlan2
Console#

Configuring Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VLANs.
GVRP AND BRIDGE EXTENSION COMMANDS

Command Usage
• A private VLAN provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the uplink port.
• Private VLANs and normal VLANs can exist simultaneously within the same switch.
• Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private VLAN.
as how to display default configuration settings for the Bridge Extension MIB.
Example
Console(config)#bridge-ext gvrp
Console(config)#

show bridge-ext
This command shows the configuration for bridge extension commands.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
See “Displaying Basic VLAN Information” on page 3-154 and “Displaying Bridge Extension Capabilities” on page 3-18 for a description of the displayed items.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
Shows both global and interface-specific configuration.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer_value
no garp timer {join | leave | leaveall}
• {join | leave | leaveall} - Which timer to set.
• timer_value - Value of timer.
successfully.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#garp timer join 100
Console(config-if)#
Related Commands
show garp timer (3-76)

show garp timer
This command shows the GARP timers for the selected interface.
Syntax
show garp timer [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
Shows all GARP timers.
PRIORITY COMMANDS

Related Commands
garp timer (3-75)

Priority Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
for each interface, the relative weight of each queue, and the mapping of frame priority tags to the switch’s priority queues.
default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority.
Default Setting
The priority is not set, and the default value for untagged frames received on the interface is zero.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
queue mode
This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value.
Syntax
queue mode {strict | wrr}
no queue mode
• strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.
queue bandwidth
This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights.
Syntax
queue bandwidth weight1...weight4
no queue bandwidth
weight1...weight4 - The ratio of weights for queues 0 - 3 determines the weights used by the WRR scheduler. (Range: 1 - 15)
Default Setting
Weights 1, 2, 4, 6, 8, 10, 12, 14 are assigned to queues 0 - 7 respectively.
Syntax
queue cos-map queue_id [cos1 ... cosn]
no queue cos-map
• queue_id - The ID of the priority queue. Ranges are 0 to 7, where 7 is the highest priority queue.
• cos1 .. cosn - The CoS values that are mapped to the queue ID. It is a space-separated list of numbers. The CoS value is a number from 0 to 7, where 7 is the highest priority.
Default Setting
This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port.
Example
The following example shows how to change the CoS assignments to a one-to-one mapping:
Console(config)#interface ethernet 1/1
Console(config-if)#queue cos-map 0 0
Console(config-if)#queue cos-map 1 1
Console(config-if)#queue cos-map 2 2
Console(config-if)#exit
Console#show queue cos-map ethernet 1/1
Information of Eth 1/1
 Traffic Class : 0 1 2 3 4 5 6 7
 Priority Queue: 0 1 2 3 4 5 6 7
Information of Eth 1/2
 Traffic Class : 0 1 2 3 4 5 6 7
 Priority Queue: 0 1 2 3 4 5 6 7
 .
 .
 .
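The difference between the two modes that queue mode selects, simulated with the default queue bandwidth weights and the default CoS-to-queue map shown by show queue cos-map, as an added example (this is not SMC code; the traffic mix is constructed). It shows why strict priority lets a burst of high-CoS traffic starve the low queues completely while WRR still guarantees each queue its weighted share:

```python
# Added example (not SMC code): simulates the two egress modes selected by
# queue mode, using the default WRR weights and the default CoS-to-queue map
# this chapter lists. Frame counts are constructed.
DEFAULT_WRR_WEIGHTS = (1, 2, 4, 6, 8, 10, 12, 14)   # queue bandwidth defaults, queues 0-7
# Default queue cos-map as displayed by show queue cos-map: CoS 0->queue 2, 1->0, 2->1, 3-7->3-7
DEFAULT_COS_MAP = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}
NUM_QUEUES = 8


def enqueue(frames_by_cos: dict, cos_map=DEFAULT_COS_MAP) -> list:
    """Distribute a CoS -> frame-count mix into the eight priority queues."""
    backlog = [0] * NUM_QUEUES
    for cos, count in frames_by_cos.items():
        backlog[cos_map[cos]] += count
    return backlog


def strict_schedule(backlog: list, slots: int) -> list:
    """Strict priority: each transmit slot serves the highest-numbered non-empty queue."""
    backlog = list(backlog)
    sent = [0] * NUM_QUEUES
    for _ in range(slots):
        for q in range(NUM_QUEUES - 1, -1, -1):
            if backlog[q]:
                backlog[q] -= 1
                sent[q] += 1
                break
    return sent


def wrr_schedule(backlog: list, slots: int, weights=DEFAULT_WRR_WEIGHTS) -> list:
    """Weighted round-robin: visit queues 0..7 in turn, sending up to weights[q]
    frames per visit; a queue with nothing queued simply yields its turn."""
    backlog = list(backlog)
    sent = [0] * NUM_QUEUES
    remaining = slots
    while remaining and any(backlog):
        for q in range(NUM_QUEUES):
            n = min(weights[q], backlog[q], remaining)
            backlog[q] -= n
            sent[q] += n
            remaining -= n
            if not remaining:
                break
    return sent


def wrr_share(weights=DEFAULT_WRR_WEIGHTS) -> list:
    """Fraction of the link each queue is guaranteed when every queue is backlogged."""
    total = sum(weights)
    return [w / total for w in weights]


def starvation_demo(slots: int = 100) -> dict:
    """Constructed mix: a burst of 1000 CoS 7 frames competing with 20 CoS 0 frames.
    Under the default cos-map CoS 0 lands in queue 2 and CoS 7 in queue 7."""
    backlog = enqueue({7: 1000, 0: 20})
    return {"strict": strict_schedule(backlog, slots),
            "wrr": wrr_schedule(backlog, slots)}


if __name__ == "__main__":
    for mode, sent in starvation_demo().items():
        print(f"{mode:6s} frames sent per queue: {sent}")
    print("WRR share of queue 0 when all queues are busy: %.4f" % wrr_share()[0])
```

With the defaults, strict mode sends all 100 slots from queue 7 and nothing from queue 2, while WRR drains the 20 low-priority frames (4 per round against 14 for queue 7) and gives queue 7 the remaining 80.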
show queue bandwidth
This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show queue bandwidth
Information of Eth 1/1
 Queue ID   Weight
 --------   ------
    0          1
    1          2
    2          4
    3          6
    4          8
    5         10
    6         12
    7         14
 .
 .
 .
Console#

show queue cos-map
This command shows the class of service priority map.
Syntax
show queue cos-map [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show queue cos-map ethernet 1/1
Information of Eth 1/1
 CoS Value     : 0 1 2 3 4 5 6 7
 Priority Queue: 2 0 1 3 4 5 6 7
Console#

Priority Commands (Layer 3 and 4)
Command              Function                                          Mode  Page
map ip port          Enables TCP/UDP class of service mapping          GC    3-85
map ip port          Maps TCP/UDP socket to a class of service         IC    3-87
map ip precedence    Enables IP precedence class of service mapping    GC    3-88
map ip precedence    Maps IP pr
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
map ip port (Interface Configuration)
Use this command to set IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting.
Syntax
map ip port port-number cos cos-value
no map ip port port-number
• port-number - 16-bit TCP/UDP port number.
map ip precedence (Global Configuration)
This command enables IP precedence mapping (i.e., IP Type of Service). Use the no form to disable IP precedence mapping.
Syntax
[no] map ip precedence
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
• IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type.
Default Setting
The list below shows the default priority mapping.
IP Precedence Value   0 1 2 3 4 5 6 7
CoS Value             0 1 2 3 4 5 6 7
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
• IP Precedence values are mapped to default Class of Service values on a one-to-one basis according to recommendations in the IEEE 802.
Command Mode
Global Configuration
Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
• IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type.
Example
The following example shows how to enable IP DSCP mapping globally:
Console(config)#map ip dscp
Console(config)#

map ip dscp (Interface Configuration)
This command sets IP DSCP priority (i.e.
38, 40, 42   5
48           6
46, 56       7
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
• DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the eight hardware priority queues.
• This command sets the IP DSCP priority for all interfaces.
Default Setting
None
Command Mode
Privileged Exec
Example
The following shows that HTTP traffic has been mapped to CoS value 0:
Console#show map ip port
TCP port mapping status: disabled
 Port       Port no.  COS
 ---------  --------  ---
 Eth 1/ 5         80    0
Console#
Related Commands
map ip port (Global Configuration) (3-85)
map ip port (Interface Configuration) (3-87)

show map ip precedence
This command shows the IP precedence priority map.
Command Mode
Privileged Exec
Example
Console#show map ip precedence ethernet 1/5
Precedence mapping status: disabled
 Port       Precedence  COS
 ---------  ----------  ---
 Eth 1/ 5            0    0
 Eth 1/ 5            1    1
 Eth 1/ 5            2    2
 Eth 1/ 5            3    3
 Eth 1/ 5            4    4
 Eth 1/ 5            5    5
 Eth 1/ 5            6    6
 Eth 1/ 5            7    7
Console#
Related Commands
map ip precedence (Global Configuration) (3-88)
map ip precedence (Interface Configuration) (3-88)

show map ip dscp
This command shows the IP DSCP priority map.
Command Mode
Privileged Exec
Example
Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
 Port       DSCP  COS
 ---------  ----  ---
 Eth 1/ 1      0    0
 Eth 1/ 1      1    0
 Eth 1/ 1      2    0
 Eth 1/ 1      3    0
 .
 .
 .
MULTICAST FILTERING COMMANDS

Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP Snooping Commands
Command                           Function                                            Mode  Page
ip igmp snooping                  Enables IGMP snooping                               GC    3-96
ip igmp snooping vlan static      Adds an interface as a member of a multicast group  GC    3-96
ip igmp snooping version          Configures the IGMP version for snooping            GC    3-97
show ip igmp snooping             Shows the IGMP snooping and query configuration     PE    3-98
show mac-address-table multicast  Shows the IGMP snooping MAC multicast list          PE    3-99

ip igmp snooping
This command enables IGMP snooping on this switch.
Syntax
[no] ip igmp snooping vlan vlan-id static ip-address interface
• vlan-id - VLAN ID (Range: 1-4094)
• ip-address - IP address for multicast group
• interface
  • ethernet unit/port
    - unit - This is device 1.
    - port - Port number.
  • port-channel channel-id (Range: 1-6)
Default Setting
None
Command Mode
Global Configuration
Example
The following shows how to statically configure a multicast group on a port:
Console(config)#ip igmp snooping vlan 1 static 224.0.0.
Default Setting
IGMP Version 2
Command Mode
Global Configuration
Command Usage
• All systems on the subnet must support the same version. If there are legacy devices in your network that only support Version 1, you will also have to configure this switch to use Version 1.
• Some commands are only enabled for IGMPv2, including ip igmp query-max-response-time and ip igmp query-timeout.
Example
The following shows the current IGMP snooping configuration:
Console#show ip igmp snooping
 Service status: Enabled
 Querier status: Enabled
 Query count: 2
 Query interval: 125 sec
 Query max response time: 10 sec
 Router port expire time: 300 sec
 IGMP snooping version: Version 2
Console#

show mac-address-table multicast
This command shows known multicast addresses.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1:
Console#show mac-address-table multicast vlan 1 igmp-snooping
 VLAN  M'cast IP addr.  Member ports  Type
 ----  ---------------  ------------  -------
    1  224.1.2.
Command Usage
If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping query-count
This command configures the query count. Use the no form to restore the default.
Example
The following shows how to configure the query count to 10:
Console(config)#ip igmp snooping query-count 10
Console(config)#
Related Commands
ip igmp snooping query-max-response-time (3-102)

ip igmp snooping query-interval
This command configures the query interval. Use the no form to restore the default.
Syntax
ip igmp snooping query-interval seconds
no ip igmp snooping query-interval
seconds - The frequency at which the switch sends IGMP host-query messages.
Syntax
ip igmp snooping query-max-response-time seconds
no ip igmp snooping query-max-response-time
seconds - The report delay advertised in IGMP queries. (Range: 5-30)
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
• The switch must be using IGMPv2 for this command to take effect.
• This command defines the time after a query, during which a response is expected from a multicast client.
ip igmp snooping router-port-expire-time
This command configures the query timeout. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
Static Multicast Routing Commands
Command                        Function                      Mode  Page
ip igmp snooping vlan mrouter  Adds a multicast router port  GC    3-105
show ip igmp snooping mrouter  Shows multicast router ports  PE    3-106

ip igmp snooping vlan mrouter
This command statically configures a multicast router port. Use the no form to remove the configuration.
Example
The following shows how to configure port 11 as a multicast router port within VLAN 1:
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11
Console(config)#

show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Displays multicast router ports for all configured VLANs.
IGMP Commands (Layer 3)
Command                           Function                                                        Mode  Page
ip igmp                           Enables IGMP for the specified interface                        IC    3-107
ip igmp robustval                 Configures the expected packet loss                             IC    3-108
ip igmp query-interval            Configures frequency for sending host query messages            IC    3-109
ip igmp max-resp-interval         Configures the maximum host response time                       IC    3-110
ip igmp last-memb-query-interval  Configures frequency for sending group-specific host query messages  IC  3-111
ip igmp version
Command Usage
IGMP query can be enabled globally at Layer 2 via the ip igmp snooping command, or enabled for specific VLAN interfaces at Layer 3 via the ip igmp command. (Layer 2 query is disabled if Layer 3 query is enabled.)
Command Mode
Interface Configuration (VLAN)
Command Usage
The robustness value is used in calculating the appropriate range for other IGMP variables, such as the Group Membership Interval (ip igmp last-memb-query-interval, page 3-111), as well as the Other Querier Present Interval, and the Startup Query Count (RFC 2236).
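How the robustness value, query interval and maximum response interval combine into the RFC 2236 intervals named above, carried through as an added example (this is not SMC code; the formulas are those of RFC 2236 section 8, the defaults are the RFC's, and the validation rule is the one the manual states under ip igmp max-resp-interval, that the maximum response interval must be less than the query interval):

```python
# Added example (not SMC code): the IGMPv2 timer relationships from RFC 2236
# section 8 that the manual refers to, driven by the three interface settings
# ip igmp robustval, ip igmp query-interval and ip igmp max-resp-interval.
from dataclasses import dataclass


@dataclass(frozen=True)
class IgmpTimers:
    robustness: int = 2           # ip igmp robustval (RFC 2236 default: 2)
    query_interval: int = 125     # ip igmp query-interval, seconds (RFC default 125)
    max_resp_interval: int = 10   # ip igmp max-resp-interval, seconds (RFC default 10)

    def validate(self) -> None:
        """The manual's rule: the maximum response interval must be less than the
        query interval. RFC 2236 says robustness must not be 0 and should not be 1;
        requiring at least 2 here is a deliberate, stricter choice."""
        if self.max_resp_interval >= self.query_interval:
            raise ValueError("max-resp-interval must be less than query-interval")
        if self.robustness < 2:
            raise ValueError("robustness variable should be at least 2")

    @property
    def group_membership_interval(self) -> float:
        """Seconds a membership stays valid with no report heard:
        robustness * query interval + max response interval."""
        return self.robustness * self.query_interval + self.max_resp_interval

    @property
    def other_querier_present_interval(self) -> float:
        """Seconds a non-querier waits before assuming the querier is gone:
        robustness * query interval + max response interval / 2."""
        return self.robustness * self.query_interval + self.max_resp_interval / 2

    @property
    def startup_query_interval(self) -> float:
        """Spacing of the startup queries: query interval / 4."""
        return self.query_interval / 4

    @property
    def startup_query_count(self) -> int:
        """Number of queries sent at startup (equals the robustness variable)."""
        return self.robustness

    @property
    def last_member_query_count(self) -> int:
        """Group-specific queries sent after a Leave before the group is dropped."""
        return self.robustness


def derive(robustness: int = 2, query_interval: int = 125, max_resp_interval: int = 10) -> dict:
    """Validate the settings and return the derived intervals (seconds) and counts."""
    t = IgmpTimers(robustness, query_interval, max_resp_interval)
    t.validate()
    return {
        "group_membership_interval": t.group_membership_interval,
        "other_querier_present_interval": t.other_querier_present_interval,
        "startup_query_interval": t.startup_query_interval,
        "startup_query_count": t.startup_query_count,
        "last_member_query_count": t.last_member_query_count,
    }


if __name__ == "__main__":
    print(derive())                                            # RFC 2236 defaults
    print(derive(query_interval=100, max_resp_interval=20))   # values from the manual's examples
```

The group membership interval is the practical number for a defender: it is how long a stale membership keeps multicast flowing to a port after the last host stops answering queries, and a larger robustness value lengthens it.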
multicast routing protocol that runs on the LAN. But for IGMP Version 2, the designated querier is the lowest IP-addressed multicast router on the subnet.
Example
The following shows how to configure the query interval to 100 seconds:
Console(config-if)#ip igmp query-interval 100
Console(config-if)#

ip igmp max-resp-interval
Use this command to configure the maximum response time advertised in IGMP queries. Use the no form of this command to restore the default.
• The number of seconds represented by the maximum response interval must be less than the Query Interval (page 3-109).
Example
The following shows how to configure the maximum response time to 20 seconds:
Console(config-if)#ip igmp max-resp-interval 20
Console(config-if)#
Related Commands
ip igmp version (3-112)
ip igmp query-interval (3-109)

ip igmp last-memb-query-interval
Use this command to configure the last member query interval.
reduced value results in reduced time to detect the loss of the last member of a group.
Example
The following shows how to configure the last member query interval to 10 seconds:
Console(config-if)#ip igmp last-memb-query-interval 10
Console(config-if)#

ip igmp version
Use this command to configure the IGMP version used on an interface. Use the no form of this command to restore the default.
Example
The following configures the switch to use IGMP Version 1 on the selected interface:
Console(config-if)#ip igmp version 1
Console(config-if)#

show ip igmp interface
Use this command to show the IGMP configuration for a specific VLAN interface or for all interfaces.
Syntax
clear ip igmp group [group-address | interface vlan vlan-id]
• group-address - IP address of the multicast group.
• vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Deletes all entries in the cache if no options are selected.
Command Mode
Privileged Exec
Command Usage
Enter the address for a multicast group to delete all entries for the specified group. Enter the interface option to delete all multicast groups for the specified interface.
Command Mode
Normal Exec, Privileged Exec
Command Usage
• This command displays information for multicast groups learned via IGMP, not static groups.
• If the switch receives an IGMP Version 1 Membership Report, it sets a timer to note that there are Version 1 hosts present which are members of the group for which it heard the report.
• If there are Version 1 hosts present for a particular group, the switch will ignore any Leave Group messages that it receives for that group.
IP Interface Commands
There are no IP addresses assigned to this router by default. You must manually configure a new address to manage the router over your network or to connect the router to existing IP subnets. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment (if routing is not enabled). This section includes commands for configuring IP interfaces, the Address Resolution Protocol (ARP) and Proxy ARP.
IP INTERFACE COMMANDS

Syntax
ip address {ip-address netmask | bootp | dhcp} [secondary]
no ip address
• ip-address - IP address
• netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
• bootp - Obtains IP address from BOOTP.
• dhcp - Obtains IP address from DHCP.
• secondary - Specifies a secondary IP address.
Default Setting
IP address: 0.0.0.0
Netmask: 255.0.0.
Anything outside this format will not be accepted by the configuration program.
• An interface can have only one primary IP address, but can have many secondary IP addresses. In other words, you will need to specify secondary addresses if more than one IP subnet can be accessed via this interface.
• If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received.
Syntax
ip default-gateway gateway
no ip default-gateway
gateway - IP address of the default gateway
Default Setting
No static route is established.
Command Mode
Global Configuration
Command Usage
• The gateway specified in this command is only valid if routing is disabled with the no ip routing command. If IP routing is disabled, you must define a gateway if the target device is located in a different subnet.
Example
Console#show ip interface
Vlan 1 is up, addressing mode is User
 Interface address is 10.1.0.254, mask is 255.255.255.0, Primary
 MTU is 1500 bytes
 Proxy ARP is disabled
 Split horizon is enabled
Console#
Related Commands
show ip redirects (3-120)

show ip redirects
This command shows the default gateway configured for this device.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip redirects
ip default gateway 10.1.0.
• size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Default Setting
This command has no default for the host.
Command Mode
Normal Exec, Privileged Exec
Command Usage
• Use the ping command to see if another site on the network can be reached.
Address Resolution Protocol (ARP)
Command          Function                                                Mode    Page
arp              Adds a static entry in the ARP cache                    GC      3-122
arp-timeout      Sets the time a dynamic entry remains in the ARP cache  GC      3-123
clear arp-cache  Deletes all dynamic entries from the ARP cache          PE      3-124
show arp         Displays entries in the ARP cache                       NE, PE  3-124
ip proxy-arp     Enables proxy ARP service                               VC      3-125

arp
Use this command to add a static entry in the Address Resolution Protocol (ARP) cache.
128.
• You may need to enter a static entry in the cache if there is no response to an ARP broadcast message. For example, some applications may not respond to ARP requests or the response arrives too late, causing network operations to time out.
Example
Console(config)#arp 10.1.0.19 01-02-03-04-05-06
Console(config)#
Related Commands
clear arp-cache
show arp

arp-timeout
Use this command to set the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache.
clear arp-cache
Use this command to delete all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Are you sure to continue this operation (y/n)?y
Console#

show arp
Use this command to display entries in the Address Resolution Protocol (ARP) cache.
Example
This example displays all entries in the ARP cache.
Console#show arp
Arp cache timeout: 1200 (seconds)
IP Address
---------------
10.1.0.0
10.1.0.254
10.1.0.255
123.20.10.123
345.30.20.
IP Routing Commands
After you configure network interfaces for this router, you must set the paths used to send traffic between different interfaces. If you enable routing on this device, traffic will automatically be forwarded between all of the local subnetworks.
IP ROUTING COMMANDS

Global Routing Configuration
Command          Function                                                      Mode  Page
ip routing       Enables static and dynamic IP routing                         GC    3-127
ip route         Configures static routes                                      GC    3-128
clear ip route   Deletes specified entries from the routing table              PE    3-129
show ip route    Displays specified entries in the routing table               PE    3-129
show ip traffic  Displays statistics for IP, ICMP, UDP, TCP and ARP protocols  PE    3-130

ip routing
Use this command to enable IP routing.
Example
Console(config)#ip routing
Console(config)#

ip route
Use this command to configure static routes. Use the no form to remove static routes.
Syntax
ip route {destination-ip netmask | default} {gateway} [metric metric]
no ip route {destination-ip netmask | default | *}
• destination-ip – IP address of the destination network, subnetwork, or host.
• netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
clear ip route
Use this command to remove dynamically learned entries from the IP routing table.
Syntax
clear ip route {network [netmask] | *}
• network – Network or subnet address.
• netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
• * – Removes all dynamic routing table entries.
Command Mode
Privileged Exec
Command Usage
• This command only clears dynamically learned routes.
Command Usage
If the address is specified without the netmask parameter, the router displays all routes for the corresponding natural class address (page 3-134).
Example
Console#show ip route
Ip Address      Netmask         Next Hop        Protocol   Metric Interface
--------------- --------------- --------------- ---------- ------ ---------
0.0.0.0         0.0.0.0         10.2.48.102     static     0      1
10.2.48.2       255.255.252.0   10.2.48.16      local      0      1
10.2.5.6        255.255.255.0   10.2.8.12       RIP        1      2
10.3.9.1        255.255.255.0   10.2.9.
Example
Console#show ip traffic
IP statistics:
 Rcvd:  5 total, 5 local destination
        0 checksum errors
        0 unknown protocol, 0 not a gateway
 Frags: 0 reassembled, 0 timeouts
        0 fragmented, 0 couldn't fragment
 Sent:  9 generated
        0 no route
ICMP statistics:
 Rcvd:  0 checksum errors, 0 redirects, 0 unreachable, 0 echo
        5 echo reply, 0 mask requests, 0 mask replies, 0 quench
        0 parameter, 0 timestamp
 Sent:  0 redirects, 0 unreachable, 0 echo, 0 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 ti
Command                      Function                                                       Mode  Page
ip rip send version          Sets the RIP send version to use on a network interface        IC    3-138
ip split-horizon             Enables split-horizon or poison-reverse loop prevention        IC    3-139
ip rip authentication key    Enables authentication for RIP2 packets and specifies keys     IC    3-140
ip rip authentication mode   Specifies the type of authentication used for RIP2 packets     IC    3-141
show rip globals             Displays global configuration settings and statistics for RIP  PE    3-142
show ip rip                  Disp
Related Commands
network (3-134)

timers basic
Use this command to configure the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults.
Syntax
timers basic update-seconds
no timers basic
update-seconds – Sets the update timer to the specified value, sets the timeout time value to 6 times the update time, and sets the garbage-collection timer to 4 times the update time.
network.
Example
  This example sets the update timer to 40 seconds. The timeout timer is subsequently set to 240 seconds, and the garbage-collection timer to 160 seconds.
  Console(config-router)#timers basic 15
  Console(config-router)#

network
Use this command to specify the network interfaces that will be included in the RIP routing process. Use the no form to remove an entry.
Syntax
  network subnet-address
  no network subnet-address
  subnet-address – IP address of a network directly connected to this router.
Example
  This example includes network interface 10.1.0.0 in the RIP routing process.
  Console(config-router)#network 10.1.0.0
  Console(config-router)#
Related Commands
  router rip (3-132)

neighbor
Use this command to define a neighboring router with which this router will exchange routing information. Use the no form to remove an entry.
Syntax
  neighbor ip-address
  no neighbor ip-address
  ip-address – IP address to map to a specified hardware address.
Syntax
  version {1 | 2}
  no version
  • 1 – RIP Version 1
  • 2 – RIP Version 2
Command Mode
  Router Configuration
Default Setting
  RIP Version 1
Command Usage
  • When this command is used to specify a global RIP version, any VLAN interface not previously set by the ip rip receive version or ip rip send version command will be set to the following values:
    - RIP Version 1 configures the unset interfaces to send RIPv1 compatible protocol messages and receive either RIPv1 or RIPv2 protocol messages.
ip rip receive version
Use this command to specify a RIP version to receive on an interface. Use the no form to restore the default value.
Syntax
  ip rip receive version {none | 1 | 2 | 1 2}
  no ip rip receive version
  • none – Does not accept incoming RIP packets.
  • 1 – Accepts only RIPv1 packets.
  • 2 – Accepts only RIPv2 packets.
Example
  This example sets the interface version for VLAN 1 to receive RIPv1 packets.
  Console(config)#interface vlan 1
  Console(config-if)#ip rip receive version 1
  Console(config-if)#
Related Commands
  version (3-135)

ip rip send version
Use this command to specify a RIP version to send on an interface. Use the no form to restore the default value.
Syntax
  ip rip send version {none | 1 | 2 | v2-broadcast}
  no ip rip send version
  • none – Does not transmit RIP updates.
  • 1 – Sends only RIPv1 packets.
    - Use “none” to passively monitor route information advertised by other routers attached to the network.
    - Use “1” or “2” if all routers in the local network are based on RIPv1 or RIPv2, respectively.
    - Use “v2-broadcast” to propagate route information by broadcasting to other routers on the network using RIPv2, instead of multicasting as normally required by RIPv2.
Command Usage
  • Split horizon never propagates routes back to an interface from which they have been acquired.
  • Poison reverse propagates routes back to an interface port from which they have been acquired, but sets the distance-vector metrics to infinity. (This provides faster convergence.)
Example
  This example propagates routes back to the source using poison-reverse.
Example
  This example sets an authentication password of “small” to verify incoming routing messages and to tag outgoing routing messages.
  Console(config)#interface vlan 1
  Console(config-if)#ip rip authentication key small
  Console(config-if)#
Related Commands
  ip rip authentication mode (3-141)

ip rip authentication mode
Use this command to specify the type of authentication that can be used on an interface. Note that the current firmware version only supports a simple password.
Example
  This example sets the authentication mode to plain text.
  Console(config)#interface vlan 1
  Console(config-if)#ip rip authentication mode text
  Console(config-if)#
Related Commands
  ip rip authentication key (3-140)

show rip globals
Use this command to display global configuration settings for RIP.
show ip rip
Use this command to display information about interfaces configured for RIP.
Syntax
  show ip rip {configuration | status | peer}
  • configuration – Shows RIP configuration settings for each interface.
  • status – Shows the status of routing messages on each interface.
Field           Description
SendMode        RIP version sent on this interface (none, RIPv1, RIPv2, or RIPv2-broadcast)
ReceiveMode     RIP version received on this interface (none, RIPv1, RIPv2, RIPv1 or RIPv2)
Poison          Shows if split-horizon, poison-reverse, or no protocol message loopback prevention method is in use.
Authentication  Shows if authentication is set to simple password or none.

show ip rip status
Interface       IP address of the interface.
RcvBadPackets   Number of bad RIP packets received.
Command            Function                                                            Mode  Page
Route Metrics and Summaries
area range         Summarizes routes advertised by an ABR                              RC    3-151
area default-cost  Sets the cost for a default summary route sent into a stub or NSSA  RC    3-152
summary-address    Summarizes routes advertised by an ASBR                             RC    3-153
redistribute       Redistribute routes from one routing domain to another              RC    3-154
network area       Assigns specified interface to an area                              RC    3-155
area stub          Defines a stubby area that cannot send or
Command                      Function                                                                                                  Mode  Page
ip ospf retransmit-interval  Specifies the time between resending a link-state advertisement                                           IC    3-169
ip ospf transmit-delay       Estimates time to send a link-state update packet over an interface                                       IC    3-169
show ip ospf                 Displays general information about the routing processes                                                  PE    3-170
show ip ospf border-routers  Displays routing table entries for Area Border Routers (ABR) and Autonomous System Boundary Routers (ASBR)  PE    3-171
show ip ospf database        Shows informatio
Command Usage
  • OSPF is used to specify how routers exchange routing table information.
  • This command is also used to enter router configuration mode.
Example
  Console(config)#router ospf
  Console(config-router)#
Related Commands
  network area (3-155)

router-id
Use this command to assign a unique router ID for this device within the autonomous system. Use the no form to use the default router identification method (i.e., the lowest interface address).
  • If the priority values of the routers bidding to be the designated router or backup designated router for an area are equal, the router with the highest ID is elected.
Example
  Console(config-router)#router-id 10.1.1.1
  Console(config-router)#
Related Commands
  router ospf (3-146)

compatible rfc1583
Use this command to calculate summary route costs using RFC 1583 (OSPFv1). Use the no form to calculate costs using RFC 2328 (OSPFv2).
default-information originate
Use this command to generate a default external route into an autonomous system. Use the no form to disable this feature.
Syntax
  default-information originate [always] [metric interface-metric] [metric-type metric-type]
  no default-information originate
  • always – Always advertise a default route to the local AS regardless of whether the router has a default route. (See “ip route” on page 3-128.)
  • interface-metric – Metric assigned to the default route.
  used to import external routes via RIP or static routing, and such a route is known.
  • Type 1 route advertisements add the internal cost to the external route metric. Type 2 routes do not add the internal cost metric. When comparing Type 2 routes, the internal cost is only used as a tie-breaker if several Type 2 routes have the same cost.
Example
  This example assigns a metric of 20 to the default external route advertised into an autonomous system, sending it as a Type 2 external metric.
  • Using a low value allows the router to switch to a new path faster, but uses more CPU processing time.
Example
  Console(config-router)#timers spf 20
  Console(config-router)#

area range
Use this command to summarize the routes advertised by an Area Border Router (ABR). Use the no form to disable this function.
Example
  This example creates a summary address for all area routes in the range of 10.2.x.x.
  Console(config-router)#area 10.2.0.0 range 10.2.0.0 255.255.0.0 advertise
  Console(config-router)#

area default-cost
Use this command to specify a cost for the default summary route sent into a stub or not-so-stubby area (NSSA) from an Area Border Router (ABR). Use the no form to remove the assigned default cost.
summary-address
Use this command to aggregate routes learned from other protocols. Use the no form to remove a summary address.
Syntax
  summary-address summary-address netmask
  no summary-address summary-address netmask
  • summary-address – Summary address covering a range of addresses.
  • netmask – Network mask for the summary route.
redistribute
Use this command to import external routing information from other routing domains (i.e., protocols) into the autonomous system. Use the no form to disable this feature.
Syntax
  redistribute [rip | static] [metric metric-value] [metric-type type-value]
  no redistribute [rip | static] [metric metric-value] [metric-type type-value]
  • rip – External routes will be imported from the Routing Information Protocol into this Autonomous System.
  • Metric type specifies the way to advertise routes to destinations outside the AS via External LSAs. Specify Type 1 to add the internal cost metric to the external route metric. In other words, the cost of the route from any router within the AS is equal to the cost associated with reaching the advertising ASBR, plus the cost of the external route. Specify Type 2 to only advertise the external route metric.
Command Usage
  • An area ID uniquely defines an OSPF broadcast area. The area ID 0.0.0.0 indicates the OSPF backbone for an autonomous system. Each router must be connected to the backbone via a direct connection or a virtual link.
  • Set the area ID to the same value for all routers on a network segment using the network mask to add one or more interfaces to an area.
  • area-id – Identifies the stub area. (The area ID must be in the form of an IP address.)
  • summary – Makes an Area Border Router (ABR) send a summary link advertisement into the stub area. (Default: no summary)
Command Mode
  Router Configuration
Default Setting
  No stub is configured.
Command Usage
  • All routers in a stub must be configured with the same area ID.
  • Routing table space is saved in a stub by blocking Type-4 AS summary LSAs and Type 5 external LSAs.
area nssa
Use this command to define a not-so-stubby area (NSSA). To remove an NSSA, use the no form without any optional keywords. To remove an optional attribute, use the no form with the relevant keyword.
Syntax
  area area-id nssa [no-redistribution] [default-information-originate]
  no area area-id nssa [no-redistribution] [default-information-originate]
  • area-id – Identifies the NSSA. (The area ID must be in the form of an IP address.
    import a default external AS route (for routing protocol domains adjacent to the NSSA but not within the OSPF AS) into the NSSA using the default-information-originate keyword.
  • External routes advertised into an NSSA can include network destinations outside the AS learned via OSPF, the default route, static routes, routes imported from other routing protocols such as RIP, and networks directly connected to the router that are not running OSPF.
area virtual-link
Use this command to define a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.
  • retransmit-interval seconds – Specifies the interval at which the ABR retransmits link-state advertisements (LSA) over the virtual link. The retransmit interval should be set to a conservative value that provides an adequate flow of routing information, but does not produce unnecessary protocol traffic. However, note that this value should be larger for virtual links.
Default Setting
  area-id: None
  router-id: None
  hello-interval: 10 seconds
  retransmit-interval: 5 seconds
  transmit-delay: 1 second
  dead-interval: 40 seconds
  authentication-key: None
  message-digest-key: None
Command Usage
  • All areas must be connected to a backbone area (0.0.0.0) to maintain routing connectivity throughout the autonomous system. If it is not possible to physically connect an area to the backbone, you can use a virtual link.
ip ospf authentication
Use this command to specify the authentication type used for an interface. Enter this command without any optional parameters to specify plain text (or simple password) authentication. Use the no form to restore the default of no authentication.
Syntax
  ip ospf authentication [message-digest | null]
  no ip ospf authentication
  • message-digest – Specifies message-digest (MD5) authentication.
  • null – Indicates that no authentication is used.
ip ospf authentication-key
Use this command to assign a simple password to be used by neighboring routers. Use the no form to remove the password.
Syntax
  ip ospf authentication-key key
  no ip ospf authentication-key
  key – Sets a plain text password. (Range: 1-8 characters)
Command Mode
  Interface Configuration (VLAN)
Default Setting
  No password
Command Usage
  • Before specifying plain-text password authentication for an interface, configure a password with the ip ospf authentication-key command.
ip ospf message-digest-key
Use this command to enable message-digest (MD5) authentication on the specified interface and to assign a key-id and key to be used by neighboring routers. Use the no form to remove an existing key.
Syntax
  ip ospf message-digest-key key-id md5 key
  no ip ospf message-digest-key key-id
  • key-id – Index number of an MD5 key. (Range: 1-255)
  • key – Alphanumeric password used to generate a 128 bit message digest or “fingerprint.
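The two authentication options documented on these pages, the RIPv2 simple password set with ip rip authentication key and the OSPF MD5 key set with ip ospf message-digest-key, differ in what actually reaches the wire. The following Python is an added illustration, not SMC's code: it builds constructed sample packets using the RFC 2453 (RIPv2 authentication entry) and RFC 2328 Appendix D (OSPF cryptographic authentication) layouts, assumes keys shorter than 16 bytes are zero padded, and uses function names of its own.

```python
"""Added example (not SMC's code): what RIPv2 simple-password and OSPF MD5
authentication put on the wire. Packet layouts follow RFC 2453 and RFC 2328
Appendix D; the sample packets below are constructed here."""
import hashlib
import hmac
import struct

KEY_LEN = 16            # both protocols carry a 16-byte key/password field
RIP_AUTH_SIMPLE = 2     # RIPv2 "simple password" authentication type
OSPF_AUTH_CRYPTO = 2    # OSPF AuType 2 = cryptographic (MD5) authentication


def _ipv4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _pad_key(key):
    # Assumption: keys shorter than 16 bytes are zero padded on the right.
    raw = key.encode()
    if not 1 <= len(raw) <= KEY_LEN:
        raise ValueError("key must be 1..16 bytes")
    return raw.ljust(KEY_LEN, b"\x00")


# --- RIPv2 simple password (ip rip authentication mode text / key) ----------
def rip_request_with_password(password):
    """RIPv2 request whose first entry is the authentication entry:
    AFI 0xFFFF, auth type 2, then the password itself, zero padded."""
    header = struct.pack("!BBH", 1, 2, 0)                    # request, version 2
    auth_entry = struct.pack("!HH", 0xFFFF, RIP_AUTH_SIMPLE) + _pad_key(password)
    whole_table = struct.pack("!HHIIII", 0, 0, 0, 0, 0, 16)  # AFI 0, metric 16
    return header + auth_entry + whole_table


def rip_password_on_wire(packet):
    """Return the password any passive listener can read from a RIPv2 packet."""
    if len(packet) < 24 or struct.unpack("!HH", packet[4:8]) != (0xFFFF, RIP_AUTH_SIMPLE):
        return None
    return packet[8:24].rstrip(b"\x00").decode()


# --- OSPF MD5 (ip ospf authentication message-digest / message-digest-key) --
def ospf_hello(router_id, area_id, key_id, seq, body):
    """24-byte OSPFv2 header with AuType 2. With MD5 the header checksum stays
    zero and the 8-byte authentication field carries key-id, auth data length
    and a cryptographic sequence number (RFC 2328 D.4.3)."""
    header = struct.pack("!BBH", 2, 1, 24 + len(body))        # v2, type 1 = Hello
    header += _ipv4(router_id) + _ipv4(area_id)
    header += struct.pack("!HH", 0, OSPF_AUTH_CRYPTO)         # checksum 0, AuType
    header += struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)   # auth field
    return header + body


def ospf_md5_sign(packet, key):
    """Digest = MD5(packet || padded key), appended after the packet; the
    digest is not counted in the packet length and the key never leaves the box."""
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def ospf_md5_verify(signed, keys, last_seq=-1):
    """Receiver side: select the key by key-id, recompute the digest, compare in
    constant time, and reject replays whose sequence number went backwards."""
    if len(signed) < 24 + KEY_LEN:
        return False
    packet, digest = signed[:-KEY_LEN], signed[-KEY_LEN:]
    autype = struct.unpack("!H", packet[14:16])[0]
    key_id, auth_len = packet[18], packet[19]
    seq = struct.unpack("!I", packet[20:24])[0]
    if autype != OSPF_AUTH_CRYPTO or auth_len != KEY_LEN or key_id not in keys:
        return False
    if seq < last_seq:
        return False
    expected = hashlib.md5(packet + _pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    rip = rip_request_with_password("small")          # the page's example password
    print("RIP password readable on wire:", rip_password_on_wire(rip))
    hello = ospf_hello("10.1.1.253", "10.1.0.0", 1, 7, b"\xff\xff\xff\x00" + b"\x00" * 16)
    signed = ospf_md5_sign(hello, "k3y")
    print("OSPF MD5 verifies:", ospf_md5_verify(signed, {1: "k3y"}))
    print("OSPF key visible on wire:", b"k3y" in signed)
```

The plain-text RIP password is recoverable by anyone on the VLAN, whereas the OSPF MD5 digest can be checked only by a router holding the key under that key-id, and the sequence number lets the receiver drop replayed packets.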
Related Commands
  ip ospf authentication (3-163)

ip ospf cost
Use this command to explicitly set the cost of sending a packet on an interface. Use the no form to restore the default value.
Syntax
  ip ospf cost cost
  no ip ospf cost
  cost – Link metric for this interface. Use higher values to indicate slower ports. (Range: 1-65535)
Command Mode
  Interface Configuration (VLAN)
Default Setting
  1
Command Usage
  Interface cost reflects the port speed. This router uses a default cost of 1 for all ports.
  seconds – The maximum time that neighbor routers can wait for a hello packet before declaring the transmitting router down. This interval must be set to the same value for all routers on the network. (Range: 1-65535)
Command Mode
  Interface Configuration (VLAN)
Default Setting
  40, or four times the interval specified by the ip ospf hello-interval command.
Example
  Console(config)#interface vlan 1
  Console(config-if)#ip ospf hello-interval 5
  Console(config-if)#

ip ospf priority
Use this command to set the router priority used when determining the designated router (DR) and backup designated router (BDR) for an area. Use the no form to restore the default value.
Syntax
  ip ospf priority priority
  no ip ospf priority
  priority – Sets the interface priority for this router.
ip ospf retransmit-interval
Use this command to specify the time between resending link-state advertisements (LSAs). Use the no form to restore the default value.
Syntax
  ip ospf retransmit-interval seconds
  no ip ospf retransmit-interval
  seconds – Sets the interval at which LSAs are retransmitted from this interface.
Command Mode
  Interface Configuration (VLAN)
Default Setting
  1 second
Command Usage
  LSAs have their age incremented by this delay before transmission. When estimating the transmit delay, consider both the transmission and propagation delays for an interface. Set the transmit delay according to link speed, using larger values for lower-speed links. The transmit delay must be the same for all routers attached to an autonomous system.
Field                            Description
Routing Process with ID          Router ID
Supports only single TOS (TOS0)  Type of service is not supported, so you can only assign one cost per interface
It is an <router type>           The types displayed include internal, area border, or autonomous system boundary routers
Number of areas in this router   The number of configured areas
Area identifier                  The area address, and area type if backbone, NSSA or stub
Number of interfaces             The number of interfaces attached to this ar
Field   Description
Area    The area from which this route was learned
SPF No  The number of times the shortest path first algorithm has been executed for this route

show ip ospf database
Use this command to show information about different OSPF Link State Advertisements (LSAs) stored in this router’s database.
    - An IP network number for Type 3 Summary and External LSAs
    - A Router ID for Router, Network, and Type 4 AS Summary LSAs
    Also, note that when a Type 5 ASBR External LSA is describing a default route, its link-state-id is set to the default destination (0.0.0.0).
  • self-originate – Shows LSAs originated by this router.
  • database-summary – Shows a count for each LSA type for each area stored in the database, and the total number of LSAs in the database.
The following shows output when using the asbr-summary keyword.
  Console#show ip ospf database asbr-summary
  OSPF Router with id(10.1.1.253)
  Displaying Summary ASB Link States(Area 0.0.0.0)
  LS age: 433
  Options: (No TOS-capability)
  LS Type: Summary Links (AS Boundary Router)
  Link State ID: 192.168.5.1 (AS Boundary Router's Router ID)
  Advertising Router: 192.168.1.5
  LS Sequence Number: 80000002
  LS Checksum: 0x51E2
  Length: 32
  Network Mask: 255.255.255.
The following shows output when using the database-summary keyword.
  Console#show ip ospf database database-summary
  Area ID (10.1.0.
The following shows output when using the external keyword.
  Console#show ip ospf database external
  OSPF Router with id(192.168.5.1) (Autonomous system 5)
  Displaying AS External Link States
  LS age: 433
  Options: (No TOS-capability)
  LS Type: AS External Link
  Link State ID: 10.1.1.253 (External Network Number)
  Advertising Router: 10.1.2.254
  LS Sequence Number: 80000002
  LS Checksum: 0x51E2
  Length: 32
  Network Mask: 255.255.0.0
  Metric Type: 2 (Larger than any link state path)
  Metric: 1
  Forward Address: 0.0.0.
Field               Description
Forward Address     Forwarding address for data to be passed to the advertised destination (If set to 0.0.0.0, data is forwarded to the originator of the advertisement)
External Route Tag  32-bit field attached to each external route (Not used by OSPF; may be used to communicate other information between boundary routers as defined by specific applications)

The following shows output when using the network keyword.
Field               Description
LS Sequence Number  Sequence number of LSA (used to detect older duplicate LSAs)
LS Checksum         Checksum of the complete contents of the LSA
Length              The length of the LSA in bytes
Network Mask        Address mask for the network
Attached Router     List of routers attached to the network; i.e., fully adjacent to the designated router, including the designated router itself

The following shows output when using the router keyword.
  Console#show ip ospf database router
  OSPF Router with id(10.1.1.
Field               Description
Link State ID       Router ID of the router that originated the LSA
Advertising Router  Advertising router ID
LS Sequence Number  Sequence number of LSA (used to detect older duplicate LSAs)
LS Checksum         Checksum of the complete contents of the LSA
Length              The length of the LSA in bytes
Router Role         Description of router type, including: None, AS Boundary Router, Area Border Router, or Virtual Link
Number of Links     Number of links described by the LSA
Link ID             Link
The following shows output when using the summary keyword.
  Console#show ip ospf database summary
  OSPF Router with id(10.1.1.253)
  Displaying Summary Net Link States(Area 10.1.0.0)
  Link State Data Summary (Type 3)
  ------------------------------
  LS age: 686
  Options: Support External routing capability
  LS Type: Summary Links(Network)
  Link State ID: 10.2.6.0 (The destination Summary Network Number)
  Advertising Router: 10.1.1.252
  LS Sequence Number: 80000003
  LS Checksum: 0x3D02
  Length: 28
  Network Mask: 255.255.
show ip ospf interface
Use this command to display summary information for OSPF interfaces.
Syntax
  show ip ospf interface [vlan vlan-id]
  vlan-id – VLAN ID (Range: 1-4094)
Command Mode
  Privileged Exec
Example
  Console#show ip ospf interface vlan 1
  Vlan 1 is up
  Interface Address 10.1.1.253, Mask 255.255.255.0, Area 10.1.0.0
  Router ID 10.1.1.253, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router id 10.1.1.252, Interface address 10.1.1.
Field                     Description
State                     • Disabled – OSPF not enabled on this interface
                          • Down – OSPF is enabled on this interface, but interface is down
                          • Loopback – This is a loopback interface
                          • Waiting – Router is trying to find the DR and BDR
                          • DR – Designated Router
                          • BDR – Backup Designated Router
                          • DRother – Interface is on a multiaccess network, but is not the DR or BDR
Priority                  Router priority
Designated Router         Designated router ID and respective interface address
Backup Designated Router  Backup designat
Field  Description
State  OSPF state and identification flag. States include:
       Down – Connection down
       Attempt – Connection down, but attempting contact (for non-broadcast networks)
       Init – Have received Hello packet, but communications not yet established
       Two-way – Bidirectional communications established
       ExStart – Initializing adjacency between neighbors
       Exchange – Database descriptions being exchanged
       Loading – LSA databases being exchanged
       Full – Neighboring routers now fully adjacent
       I
show ip ospf virtual-links
Use this command to display detailed information about virtual links.
Syntax
  show ip ospf virtual-links
Command Mode
  Privileged Exec
Example
  Console#show ip ospf virtual-links
  Virtual Link to router 10.1.1.253 is up
  Transit area 10.1.1.
MULTICAST ROUTING COMMANDS

Multicast routers use snooping and query messages, along with a multicast routing protocol, to deliver IP multicast packets across different subnetworks. This router supports both the Distance-Vector Multicast Routing Protocol (DVMRP) and Protocol Independent Multicasting (PIM). (Note that you should enable IGMP for any interface that is using multicast routing.
  • interface
    • ethernet unit/port
      - unit – This is device 1.
      - port – Port number.
    • port-channel channel-id (Range: 1-6)
Default Setting
  No static multicast router ports are configured.
Command Mode
  Global Configuration
Command Usage
  Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier.
Default Setting
  Displays multicast router ports for all configured VLANs.
Command Mode
  Privileged Exec
Command Usage
  Multicast router port types displayed include Static or Dynamic.
Command Mode
  Global Configuration
Command Usage
  This command is used to enable multicast routing globally for the router. You also need to globally enable a specific multicast routing protocol using the router dvmrp or router pim command, and then specify the interfaces that will support multicast routing using the ip dvmrp or ip pim dense-mode commands.
Example
  Console(config)#ip multicast-routing
  Console(config)#

show ip mroute
Use this command to display the IP multicast routing table.
  and source pair, detailed information is displayed only for the specified entry. If the summary option is selected, an abbreviated list of information for each entry is displayed on a single line.
Example
  This example shows detailed multicast information for a specified group/source pair.
  Console#show ip mroute 224.0.255.3 192.111.46.8
  IP Multicast Forwarding is enabled.
  IP Multicast Routing Table
  Flags: P - Prune, F - Forwarding
  (192.111.46.0, 255.255.255.0, 224.0.255.
This example lists all entries in the multicast table in summary form:
  Console#show ip mroute summary
  IP Multicast Forwarding is enabled.
  IP Multicast Routing Table (Summary)
  Flags: P - Prune UP
  Group           Source          Source Mask     Interface  Owner   Flags
  --------------- --------------- --------------- ---------- ------- -----
  224.1.1.1       10.1.0.0        255.255.0.0     vlan1      DVMRP   P
  224.2.2.2       10.1.0.0        255.255.0.
DVMRP Multicast Routing Commands
Command                Function                                                                                    Mode  Page
router dvmrp           Enables DVMRP and enters router configuration mode                                          GC    3-191
probe-interval         Sets the interval for sending neighbor probe messages                                       RC    3-192
nbr-timeout            Sets the delay before declaring an attached neighbor router down                            RC    3-193
report-interval        Sets the interval for propagating the complete set of routing tables to other neighbor routers  RC    3-194
flash-update-interval  Sets the interval for sendi
Syntax
  router dvmrp
  no router dvmrp
Command Mode
  Global Configuration
Command Usage
  This command enables DVMRP globally for the router and enters router configuration mode. Make any changes necessary to the global DVMRP parameters. Then specify the interfaces that will support DVMRP multicast routing using the ip dvmrp command, and set the metric for each interface.
  seconds – Interval between sending neighbor probe messages. (Range: 1-65535)
Default Setting
  10 seconds
Command Mode
  Router Configuration
Command Usage
  Probe messages are sent to neighboring DVMRP routers from which this device has received probes, and are used to verify whether or not these neighbors are still active members of the multicast tree.
Example
  Console(config-router)#nbr-timeout 40
  Console(config-router)#

report-interval
Use this command to specify how often to propagate the complete set of routing tables to other neighbor DVMRP routers. Use the no form to restore the default value.
Syntax
  report-interval seconds
  seconds – Interval between sending the complete set of routing tables.
Default Setting
  5 seconds
Command Mode
  Router Configuration
Example
  Console(config-router)#flash-update-interval 10
  Console(config-router)#

prune-lifetime
Use this command to specify how long a prune state will remain in effect for a multicast tree. Use the no form to restore the default value.
Syntax
  prune-lifetime seconds
  seconds – Prune state lifetime.
default-gateway
Use this command to specify the default DVMRP gateway for IP multicast traffic. Use the no form to remove the default gateway.
Syntax
  default-gateway ip-address
  no default-gateway
  ip-address – IP address of the default DVMRP gateway.
Default Setting
  None
Command Mode
  Router Configuration
Command Usage
  • The specified interface advertises itself as a default route to neighboring DVMRP routers. It advertises the default route out through its other interfaces.
ip dvmrp
Use this command to enable DVMRP on the specified interface. Use the no form to disable DVMRP on this interface.
ip dvmrp metric
Use this command to configure the metric used in selecting the reverse path to networks connected directly to an interface on this router. Use the no form to restore the default value.
Syntax
  ip dvmrp metric interface-metric
  no ip dvmrp metric
  interface-metric – Metric used to select the best reverse path.
As shown below, this command clears everything from the route table except for the default route.
  Console#clear ip dvmrp route
  clear all ip dvmrp route
  Console#show ip dvmrp route
  Source          Mask            Upstream_nbr    Interface Metric UpTime Expire
  --------------- --------------- --------------- --------- ------ ------ ------
  10.1.0.0        255.255.255.0   10.1.0.253      vlan1     1      1840   0
  Console#

show router dvmrp
Use this command to display the global DVMRP configuration settings.
The default settings are shown in the following example:
  Console#show route dvmrp
  Admin Status                  : enable
  Probe Interval                : 10
  Nbr expire                    : 35
  Minimum Flash Update Interval : 5
  prune lifetime                : 7200
  route report                  : 60
  Default Gateway               : 0.0.0.0
  Metric of Default Gateway     : 1
  Console#

show ip dvmrp route
Use this command to display all entries in the DVMRP routing table.
Field   Description
UpTime  The time elapsed since this entry was created.
Expire  The time remaining before this entry will be aged out.

show ip dvmrp neighbor
Use this command to display all of the DVMRP neighbor routers.
Command Mode
  Normal Exec, Privileged Exec
Example
  Console#show ip dvmrp neighbor
  Address          Interface       Uptime   Expire   Capabilities
  ---------------- --------------- -------- -------- ------------
  10.1.0.
show ip dvmrp interface
Use this command to display the DVMRP configuration for interfaces which have enabled DVMRP.
Command                Function                                                  Mode    Page
show ip pim interface  Displays information about interfaces configured for PIM  NE, PE  3-210
show ip pim neighbor   Displays information about PIM neighbors                  NE, PE  3-210

router pim
Use this command to enable Protocol-Independent Multicast - Dense Mode (PIM-DM) globally for the router and to enter router configuration mode. Use the no form to disable PIM-DM multicast routing.
ip pim dense-mode
Use this command to enable PIM-DM on the specified interface. Use the no form to disable PIM-DM on this interface.
Example
  Console(config)#interface vlan 1
  Console(config-if)#ip pim dense-mode
  Console#show ip pim interface
  Vlan 1 is up
  PIM is enabled, mode is Dense.
  Internet address is 10.1.0.253.
  Hello time interval is 30 sec, trigger hello time interval is 5 sec.
  Hello holdtime is 105 sec.
  Join/Prune holdtime is 210 sec.
  Graft retry interval is 3 sec, max graft retries is 2.
  DR Internet address is 10.1.0.253, neighbor count is 0.
ip pim hello-holdtime
Use this command to configure the interval to wait for hello messages from a neighboring PIM router before declaring it dead. Use the no form to restore the default value.
Syntax
  ip pim hello-holdtime seconds
  no ip pim hello-holdtime
  seconds – The hold time for PIM hello messages. (Range: 1-65535)
Default Setting
  105 seconds
Command Mode
  Interface Configuration (VLAN)
Command Usage
  The ip pim hello-holdtime should be 3.5 times the value of ip pim hello-interval (page 3-205).
Default Setting
  5 seconds
Command Mode
  Interface Configuration (VLAN)
Command Usage
  • When a router first starts or PIM is enabled on an interface, the hello-interval is set to a random value between 0 and the trigger-hello-interval. This prevents synchronization of Hello messages on multi-access links if multiple routers are powered on simultaneously.
Command Usage
  The multicast interface that first receives a multicast stream from a particular source forwards this traffic to all other PIM interfaces on the router. If there are no requesting groups on that interface, the leaf node sends a prune message upstream and enters a prune state for this multicast stream. The prune state is maintained until the join-prune-holdtime timer expires or a graft message is received for the forwarding entry.
Example
  Console(config-if)#ip pim graft-retry-interval 9
  Console(config-if)#

ip pim max-graft-retries
Use this command to configure the maximum number of times to resend a Graft message if it has not been acknowledged. Use the no form to restore the default value.
Syntax
  ip pim max-graft-retries retries
  no ip pim max-graft-retries
  retries – The maximum number of times to resend a Graft.
show ip pim interface
Use this command to display information about interfaces configured for PIM.
Syntax
  show ip pim interface vlan-id
  vlan-id – VLAN ID (Range: 1-4094)
Command Mode
  Normal Exec, Privileged Exec
Command Usage
  This command displays the PIM settings for the specified interface as described in the preceding pages. It also shows the address of the designated PIM router and the number of neighboring PIM routers.
Example
  Console#show ip pim interface 1
  Vlan 1 is up
  PIM is enabled, mode is Dense.
ROUTER REDUNDANCY COMMANDS

Command Mode
  Normal Exec, Privileged Exec
Example
  Console#show ip pim neighbor
  Address         VLAN Interface   Uptime   Expire   Mode
  --------------- ---------------- -------- -------- ------
  10.1.0.254      1                17:38:16 00:01:25 Dense
  Console#

Field           Description
Address         IP address of the next-hop router.
VLAN Interface  Interface number that is attached to this neighbor.
Uptime          The duration this entry has been active.
Expire          The time before this entry will be removed.
Virtual Router Redundancy Protocol Commands

To configure VRRP, select an interface on one router in the group to serve as the master virtual router. This physical interface is used as the virtual address for the router group. Now set the same virtual address and a priority on the backup routers, and configure an authentication string. You can also enable the preempt feature which allows a router to take over as the master router when it comes on line.
Use the no form to disable VRRP on an interface and remove the IP address from the virtual router.

Syntax
vrrp group ip ip-address [secondary]
no vrrp group ip ip-address [secondary]
• group - Identifies the virtual router group. (Range: 1-255)
• ip-address - The IP address of the virtual router.
• secondary - Specifies additional secondary IP addresses assigned to the current VLAN interface that are supported by this VRRP group.
This example creates VRRP group 1 using the primary interface for VLAN 1 as the VRRP group Owner, and also adds a secondary interface as a member of the group.
Console(config)#interface vlan 1
Console(config-if)#vrrp 1 ip 192.168.1.6
Console(config-if)#vrrp 1 ip 192.168.2.6 secondary
Console(config-if)#

vrrp authentication
Use this command to specify the key used to authenticate VRRP packets received from other routers. Use the no form to prevent authentication.
Example
Console(config-if)#vrrp 1 authentication bluebird
Console(config-if)#

vrrp priority
Use this command to set the priority of this router in a VRRP group. Use the no form to restore the default setting.

Syntax
vrrp group priority level
no vrrp group priority
• group - Identifies the VRRP group. (Range: 1-255)
• level - Priority of this router in the VRRP group.
Example
Console(config-if)#vrrp 1 priority 1
Console(config-if)#

Related Commands
vrrp preempt (3-217)

vrrp timers advertise
Use this command to set the interval at which the master virtual router sends advertisements communicating its state as the master. Use the no form to restore the default interval.

Syntax
vrrp group timers advertise interval
no vrrp group timers advertise
• group - Identifies the VRRP group. (Range: 1-255)
• interval - Advertisement interval for the master virtual router.
before attempting to take over as the master is three times the hello interval plus half a second

Example
Console(config-if)#vrrp 1 timers advertise 5
Console(config-if)#

vrrp preempt
Use this command to configure the router to take over as the master virtual router for a VRRP group if it has a higher priority than the current acting master router. Use the no form to disable preemption.
Example
Console(config-if)#vrrp 1 preempt delay 10
Console(config-if)#

Related Commands
vrrp priority (3-215)

show vrrp
Use this command to display status information for VRRP.

Syntax
show vrrp [brief | group]
• brief - Displays summary information for all VRRP groups on this router.
• group - Identifies a VRRP group.
This example displays the full listing of status information for all groups.
Console#show vrrp
Vlan 1 - Group 1, state Master
Virtual IP address             192.168.1.6
Virtual MAC address            00-00-5E-00-01-01
Advertisement interval         5 sec
Preemption                     enabled
Min delay                      10 sec
Priority                       1
Authentication                 SimpleText
Authentication key             bluebird
Master Router                  192.168.1.
Master priority
Master Advertisement interval
Master down interval
Console#
Field                          Description
Master Advertisement interval  The advertisement interval configured on the VRRP master.
Master down interval           The down interval configured on the VRRP master (This interval is used by all the routers in the group regardless of their local settings)

This example displays the brief listing of status information for all groups.
Console#show vrrp brief
Interface Grp State  Virtual addr Int Pre Prio
----------------------------------------------------------------
vlan 1    1   Master 192.168.1.
Defaults
None

Command Mode
Privileged Exec

Example
This example displays the full listing of status information for VLAN 1.
Console#show vrrp interface vlan 1
Vlan 1 - Group 1, state Master
Virtual IP address             192.168.1.6
Virtual MAC address            00-00-5E-00-01-01
Advertisement interval         5 sec
Preemption                     enabled
Min delay                      10 sec
Priority                       1
Authentication                 SimpleText
Authentication key             bluebird
Master Router                  192.168.1.
show vrrp router counters
Use this command to display counters for errors found in VRRP protocol packets.

Command Mode
Privileged Exec

Example
Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number.
Example
Console#show vrrp 1 interface vlan 1 counters
Total Number of Times Transitioned to MASTER
Total Number of Received Advertisements Packets
Total Number of Received Error Advertisement Interval Packets
Total Number of Received Authentication Failures Packets
Total Number of Received Error IP TTL VRRP Packets
Total Number of Received Priority 0 VRRP Packets
Total Number of Sent Priority 0 VRRP Packets
Total Number of Received Invalid Type VRRP Packets
Total Number of Receive
Command Mode
Privileged Exec

Example
Console#clear vrrp 1 interface 1 counters
Console#
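As an added illustration of the checks behind the VRRP error counters listed above, and of what the vrrp authentication and vrrp timers advertise settings actually protect, the following Python (not the switch's code) builds a VRRPv2 advertisement in the RFC 2338 layout, which is assumed to be what this switch implements, using the manual's example values (group 1, priority 1, 5-second interval, key bluebird, virtual address 192.168.1.6), and sorts received packets into the same error buckets. The packet bytes are constructed inline; the checksum bucket is an assumption, since the counter list on the page does not name one.

```python
import struct

VRRP_VERSION = 2                     # VRRPv2 (RFC 2338)
VRRP_ADVERTISEMENT = 1               # the only VRRP message type
AUTH_NONE, AUTH_SIMPLE_TEXT = 0, 1   # "SimpleText" in the 'show vrrp' output


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, adver_int, addresses, auth_key=b""):
    """Constructed VRRPv2 advertisement: version/type, VRID, priority, address
    count, auth type, interval, checksum, IPv4 addresses, 8-byte auth data."""
    auth_type = AUTH_SIMPLE_TEXT if auth_key else AUTH_NONE
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(addresses), auth_type, adver_int, 0)
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in addresses)
    msg = head + body + auth_key.ljust(8, b"\x00")[:8]
    return msg[:6] + struct.pack("!H", internet_checksum(msg)) + msg[8:]


def virtual_mac(vrid: int) -> str:
    """Virtual MAC 00-00-5E-00-01-{VRID}, the address 'show vrrp' reports."""
    return "00-00-5E-00-01-%02X" % vrid


def classify(packet, ip_ttl, local_adver_int, local_key=b""):
    """Name the counter bucket a received packet would land in, or 'ok' when it
    passes every check a backup router makes before trusting it."""
    if len(packet) < 8:
        return "invalid type"
    ver_type, _vrid, priority, n_addr, auth_type, adver_int, _csum = \
        struct.unpack("!BBBBBBH", packet[:8])
    if ver_type >> 4 != VRRP_VERSION:
        return "unknown version"           # the 'unknown errors' counter
    if ver_type & 0x0F != VRRP_ADVERTISEMENT:
        return "invalid type"
    if ip_ttl != 255:
        return "error ip ttl"              # VRRP must never cross a router
    if internet_checksum(packet) != 0:
        return "checksum error"            # assumed bucket, not on the page
    auth_data = packet[8 + 4 * n_addr:8 + 4 * n_addr + 8]
    expected = local_key.ljust(8, b"\x00")[:8]
    if auth_type != (AUTH_SIMPLE_TEXT if local_key else AUTH_NONE) \
            or auth_data != expected:
        return "authentication failure"    # key mismatch or missing auth
    if adver_int != local_adver_int:
        return "error advertisement interval"
    if priority == 0:
        return "priority 0"                # master resigning; backup takes over
    return "ok"


# Constructed sample matching the manual's configuration examples.
SAMPLE = build_advertisement(1, 1, 5, ["192.168.1.6"], b"bluebird")
```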
Hot Standby Router Protocol Commands

To configure HSRP, add the interface for each router that will participate in the virtual router group, set the priorities, and configure an authentication string. The HSRP protocol will automatically select the master and standby router based on the priority settings. You can also enable the preempt feature which allows a router to take over as the master router when it comes on line.
form to disable HSRP on an interface and remove the IP address for the virtual router.

Syntax
standby [group] ip [ip-address [secondary]]
no standby [group] ip [ip-address]
• group - Identifies the virtual router group. (Range: 0-255)
• ip-address - The designated IP address of the virtual router.
• secondary - Specifies additional IP addresses supported by this group.
• HSRP is enabled once the designated address and priority are configured, and the master and standby routers are elected based on highest priority. If you need to customize any of the other parameters for HSRP such as authentication, tracking, or advertisement interval, then first configure these parameters before enabling HSRP.

Example
This example creates HSRP group 1 for VLAN 1, and also adds a secondary interface as a member of the group.
become the active master router again if the configured priorities have not been changed.
• If two or more routers are configured with the same HSRP priority, the router with the higher IP address is elected as the new master router if the current master fails.
• The priority setting takes precedence over authentication.
Default Setting
Group number: 0
Preempt: Disabled
Delay: 0 seconds

Command Mode
Interface (VLAN)

Command Usage
• If preempt is enabled, and this router has a priority higher than the current acting master, it will take over as the new master.
standby authentication
Use this command to specify the key used to authenticate HSRP packets received from other routers. Use the no form to delete an authentication string.

Syntax
standby [group] authentication string
no standby [group] authentication
• group - Identifies the HSRP group. (Range: 0-255)
• string - Authentication string.
Example
Console(config-if)#standby 1 authentication bluebird
Console(config-if)#

Related Commands
standby priority (3-227)

standby timers
Use this command to set the time between the master and standby router sending hello packets, and the time before other routers declare the active master router or standby router down. Use the no form to restore the default timer values.
• Routers on which the timer settings have not been configured can learn the current timer values from the master or standby router. Timers configured on the master router always override any other timer settings. All routers in an HSRP group should be configured with the same timer values.
• If the master router stops sending advertisements, backup routers will bid to become the master based on priority.
Default Setting
Group number: 0
Interface priority: 10

Command Mode
Interface (VLAN)

Command Usage
• This command adjusts the HSRP router priority based on the availability of its IP interfaces. When a tracked interface goes down, the HSRP router priority decreases by the specified value, and increases by the same value when it comes back up. You can specify up to 32 interfaces to be tracked.
show standby
Use this command to display status information for HSRP.

Syntax
show standby [active | init | listen | standby] [brief]
• active - Displays HSRP groups in the active state.
• init - Displays HSRP groups in the initial state.
• listen - Displays HSRP groups in the listen or learn state.
• standby - Displays HSRP groups in the standby or speak state.
• brief - Displays summary information for all HSRP groups on this router.

Defaults
Displays detailed information for each group.
Field                 Description
Local state priority  State of the local router:
                      • Active - Current master router.
                      • Standby - Designated backup router next in line to take over as the master router.
                      • Speak - Router is sending packets to claim the master or standby role.
                      • Init - Router is not ready to participate in HSRP.
Field                      Description
Authentication text        Key used to authenticate HSRP packets received from other routers.
Tracking interface states  List of interfaces that are being tracked and their corresponding states.

This example displays the brief listing of status information for all groups.
Console#show standby brief
Interface Grp Prio P State  Active addr Standby addr Group addr
------------------------------------------------------------------------
Vlan1     1   5    T Active Local       0.0.0.0      192.168.1.
show standby interface
Use this command to display HSRP status information for the specified interface.

Syntax
show standby interface vlan vlan-id [group group] [active | init | listen | standby] [brief]
• vlan-id - Identifier of configured VLAN interface. (Range: 1-4094)
• group - Identifies the HSRP group. (Range: 0-255)
• active - Displays HSRP groups in the active state.
• init - Displays HSRP groups in the initial state.
Example
This example displays the full listing of status information for VLAN 1.
Console#show standby interface vlan 1 group 1
Vlan 1 - Group 1
Local State is Active, priority 5 (confgd 10), may preempt
Preemption delayed for 10 secs
Hellotime 6 sec, holdtime 18 sec
Next hello sent in 0: 0: 0
Host standby IP address is 192.168.1.
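As an added example (not the switch's own code), this Python model applies the HSRP priority, interface-tracking, preemption and higher-IP tie-break rules described in the standby priority, standby preempt and standby track sections above, and reproduces the "priority 5 (confgd 10)" situation that a tracked-interface failure produces in the output above. Router addresses, priorities and decrements are constructed values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    """One router's view of an HSRP group (constructed model, not switch code)."""
    ip: str                          # interface address, used for the tie-break
    configured_priority: int         # 'standby priority' ("confgd" in show output)
    preempt: bool = False            # 'standby preempt' enabled on this router
    tracking: dict = field(default_factory=dict)   # tracked interface -> decrement
    down_interfaces: set = field(default_factory=set)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface
        that is currently down, never below 0: the 'priority 5 (confgd 10)'
        pair shown by 'show standby interface'."""
        loss = sum(dec for name, dec in self.tracking.items()
                   if name in self.down_interfaces)
        return max(0, self.configured_priority - loss)


def election_key(router: HsrpRouter):
    """Highest effective priority wins; equal priorities go to the higher IP."""
    return (router.effective_priority(), int(IPv4Address(router.ip)))


def elect(routers, current_active=None):
    """Return (active_ip, standby_ip). A running active router keeps the role
    until it fails (pass None) or a better router with preempt enabled claims it."""
    ranked = sorted(routers, key=election_key, reverse=True)
    best = ranked[0]
    active = next((r for r in routers if r.ip == current_active), None)
    if active is None or (best.preempt and election_key(best) > election_key(active)):
        active = best
    standby = next((r for r in ranked if r.ip != active.ip), None)
    return active.ip, (standby.ip if standby else None)


def demo():
    """Constructed scenario: a tracked interface on the active router fails,
    the standby router preempts, then the original router preempts back."""
    a = HsrpRouter("10.1.1.1", 10, preempt=True, tracking={"vlan2": 5})
    b = HsrpRouter("10.1.1.2", 7, preempt=True)
    events = []
    active, _ = elect([a, b])                           # a wins: 10 > 7
    events.append(("initial", active))
    a.down_interfaces.add("vlan2")                      # a drops to priority 5
    active, _ = elect([a, b], current_active=active)    # b preempts: 7 > 5
    events.append(("vlan2 down", active))
    a.down_interfaces.discard("vlan2")                  # a back to priority 10
    active, _ = elect([a, b], current_active=active)    # a preempts again
    events.append(("vlan2 up", active))
    return events
```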
APPENDIX A SOFTWARE SPECIFICATIONS

Software Features
Authentication: Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security
Access Control Lists: IP, MAC (up to 32 lists)
DHCP: Client, Relay, Server
DNS: Server
Port Configuration: 1000BASE-T: 10/100/1000 Mbps, half/full duplex; 1000BASE-SX/LX: 1000 Mbps, full duplex
Flow Control: Full Duplex: IEEE 802.
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w)
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s)
VLAN Support: Up to 255 groups; port-based, protocol-based, or tagged (802.
STANDARDS

SNMP: Management access via MIB database; Trap management to specified hosts
RMON: Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)

Standards
IEEE 802.3 Ethernet, IEEE 802.3u Fast Ethernet
IEEE 802.3x Full-duplex flow control (ISO/IEC 8802-3)
IEEE 802.3z Gigabit Ethernet, IEEE 802.3ab 1000BASE-T
IEEE 802.3ac VLAN tagging
IEEE 802.1Q VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.3ad Link Aggregation Control Protocol
IEEE 802.1D Spanning Tree Protocol and traffic priorities
IEEE 802.
SNTP (RFC 2030)
SSH (Version 2.
MANAGEMENT INFORMATION BASES
TCP MIB (RFC 2013)
Trap (RFC 1215)
UDP MIB (RFC 2012)
VRRP MIB (RFC 2787)
APPENDIX B TROUBLESHOOTING

Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure you have configured the VLAN interface through which the management station is connected with a valid IP address, subnet mask and default gateway.
• If you are trying to connect to the switch via the IP address for a tagged VLAN group, your management station must include the appropriate tag in its transmitted frames.
GLOSSARY

Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

Address Resolution Protocol (ARP)
ARP converts between IP addresses and MAC (i.e., hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
Distance Vector Multicast Routing Protocol (DVMRP)
A distance-vector-style routing protocol used for routing multicast datagrams through the Internet. DVMRP combines many of the features of RIP with Reverse Path Forwarding (RPF).

Dynamic Host Control Protocol (DHCP)
Provides a framework for passing configuration information to hosts on a TCP/IP network.
Group Attribute Registration Protocol (GARP)
See Generic Attribute Registration Protocol.

Hot Standby Router Protocol (HSRP)
This protocol allows hosts to connect to a single virtual router and to maintain connectivity even if the actual first hop gateway they are using fails.

IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.

IEEE 802.1Q
VLAN Tagging—Defines Ethernet frame tags which carry VLAN information.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.

IGMP Query
On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
Layer 2
Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses.

Layer 3
Network layer in the ISO 7-Layer Data Communications Protocol. This layer handles the routing functions for data moving from one open system to another.

Link Aggregation
See Port Trunk.
Out-of-Band Management
Management of the network from a station not attached to the network.

Port Authentication
See IEEE 802.1x.

Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.
Remote Monitoring (RMON)
RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.

Rapid Spanning Tree Protocol (RSTP)
RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.

Secure Shell (SSH)
A secure replacement for remote access functions, including Telnet.
data along the shortest available path, maximizing the performance and efficiency of the network.

Terminal Access Controller Access Control System Plus (TACACS+)
TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network.

Telnet
Defines a remote communication facility for interfacing to a terminal device over TCP/IP.
host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.

XModem
A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.