Accton Technology ES5508 user manual


A good user manual

Regulations require the seller to provide the buyer, along with the goods, with the Accton Technology ES5508 user manual. The absence of the user manual, or incorrect information supplied to the consumer, constitutes grounds for a complaint of non-conformity of the device with the contract. In accordance with the law, supplying the user manual in a form other than paper is permitted and is frequently done nowadays, including a graphic or electronic form of the Accton Technology ES5508 manual or instruction videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to organize. Thus, the Accton Technology ES5508 user manual describes the steps of a procedure. The purpose of the user manual is to instruct, to make it easier to start up and use the equipment, or to carry out specific actions. The user manual is a collection of information about the object/service, a guide.

Unfortunately, few users take the time to read the user manual, and a good manual not only lets you get to know a number of additional features of the purchased device, but also helps avoid most failures.

So, what should the perfect manual contain?

First of all, the Accton Technology ES5508 user manual should contain:
- information on the technical characteristics of the Accton Technology ES5508 device
- name of the manufacturer and year of manufacture of the Accton Technology ES5508
- instructions for using, adjusting and maintaining the Accton Technology ES5508 equipment
- safety signs and certificates confirming conformity with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and uncertainty about the specific functionality of the purchased equipment. Unfortunately, connecting and starting up the Accton Technology ES5508 is not enough. The user manual contains a number of guidelines concerning specific features, safety, maintenance methods (including the products that should be used), possible Accton Technology ES5508 faults, and ways to solve common problems during use. Finally, the manual contains the contact details of the Accton Technology service in case the proposed solutions prove ineffective. Currently, user manuals in the form of interesting animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the whole instruction video without skipping the complicated Accton Technology ES5508 specifications and technical descriptions, as happens with the paper version.

Why read the user manual?

First of all, it contains the answers about the structure and capabilities of the Accton Technology ES5508 device, the use of various accessories, and a range of information for taking full advantage of all its features and conveniences.

After a successful purchase of the equipment/device, take a moment to familiarize yourself with all parts of the Accton Technology ES5508 user manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users, but also fulfil their basic function of informing and helping.

Table of contents of the user manual

  • Page 1

    www.edge-core.com Management Guide Powered by Accton ES5508 8 XFP Slot Layer 2 10 Gigabit Ethernet Switch[...]

  • Page 2

    [...]

  • Page 3

    Management Guide 10 Gigabit Ethernet Switch Layer 2 Standalone Switch with 8 10GBASE XFP Slots, and 1 10/100BASE-TX RJ-45 Management Port[...]

  • Page 4

    ES5508 F3.0.0.3 E042005-R01 149100022900A[...]

  • Page 5

    v Contents Chapter 1: Introduction 1-1 Key Features 1-1 Description of Software Features 1-2 System Defaults 1-4 Chapter 2: Initial Configuration 2-1 Connecting to the Switch 2-1 Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3 Basic Configuration 2-3 Console Connection 2-3 Setting Passwords 2-4 Sett[...]

  • Page 6

    Contents vi Saving or Restoring Configuration Settings 3-20 Downloading Configuration Settings from a Server 3-21 Console Port Settings 3-22 Telnet Settings 3-24 Configuring Event Logging 3-26 System Log Configuration 3-26 Remote Log Configuration 3-27 Displaying Log Messages 3-29 Sending Simple Mail Transfer Protocol Alerts [...]

  • Page 7

    Contents vii Configuring ACL Masks 3-80 Specifying the Mask Type 3-80 Configuring an IP ACL Mask 3-81 Configuring a MAC ACL Mask 3-83 Binding a Port to an Access Control List 3-84 Port Configuration 3-85 Displaying Connection Status 3-85 Configuring Interface Connections 3-88 Creating Trunk Groups 3-90 Statically Configuring a T[...]

  • Page 8

    Contents viii Mapping Protocols to VLANs 3-146 Class of Service Configuration 3-147 Layer 2 Queue Settings 3-147 Setting the Default Priority for Interfaces 3-147 Mapping CoS Values to Egress Queues 3-149 Selecting the Queue Mode 3-151 Setting the Service Weight for Traffic Classes 3-151 Layer 3/4 Priority Settings 3-153 Mapping L[...]

  • Page 9

    Contents ix Command Line Processing 4-7 Command Groups 4-8 Line Commands 4-9 line 4-10 login 4-11 password 4-12 timeout login response 4-12 exec-timeout 4-13 password-thresh 4-14 silent-time 4-14 databits 4-15 parity 4-16 speed 4-16 stopbits 4-17 disconnect 4-17 show line 4-18 General Commands 4-19 enable 4-19 disable 4-20 [...]

  • Page 10

    Contents x ip ssh authentication-retries 4-36 ip ssh server-key size 4-36 delete public-key 4-37 ip ssh crypto host-key generate 4-37 ip ssh crypto zeroize 4-38 ip ssh save host-key 4-39 show ip ssh 4-39 show ssh 4-39 show public-key 4-40 Event Logging Commands 4-41 logging on 4-42 logging history 4-42 logging host 4-43 logging[...]

  • Page 11

    Contents xi whichboot 4-67 boot system 4-67 Authentication Commands 4-68 Authentication Sequence 4-69 authentication login 4-69 authentication enable 4-70 RADIUS Client 4-71 radius-server host 4-71 radius-server port 4-72 radius-server key 4-72 radius-server retransmit 4-73 radius-server timeout 4-73 show radius-server 4-73 TACAC[...]

  • Page 12

    Contents xii show map access-list ip 4-98 match access-list ip 4-99 show marking 4-100 MAC ACLs 4-100 access-list mac 4-101 permit, deny (MAC ACL) 4-102 show mac access-list 4-103 access-list mac mask-precedence 4-104 mask (MAC ACL) 4-104 show access-list mac mask-precedence 4-106 mac access-group 4-107 show mac access-gr[...]

  • Page 13

    Contents xiii show interfaces switchport 4-132 Mirror Port Commands 4-134 port monitor 4-134 show port monitor 4-135 Rate Limit Commands 4-136 rate-limit 4-136 Link Aggregation Commands 4-137 channel-group 4-138 lacp 4-139 lacp system-priority 4-140 lacp admin-key (Ethernet Interface) 4-141 lacp admin-key (Port Channel) 4-141 [...]

  • Page 14

    Contents xiv show spanning-tree mst configuration 4-168 VLAN Commands 4-168 Editing VLAN Groups 4-168 vlan database 4-169 vlan 4-169 Configuring VLAN Interfaces 4-170 interface vlan 4-170 switchport mode 4-171 switchport acceptable-frame-types 4-172 switchport ingress-filtering 4-172 switchport native vlan 4-173 switchport allowe[...]

  • Page 15

    Contents xv map ip dscp (Interface Configuration) 4-194 show map ip port 4-195 show map ip precedence 4-196 show map ip dscp 4-196 Multicast Filtering Commands 4-197 IGMP Snooping Commands 4-198 ip igmp snooping 4-198 ip igmp snooping vlan static 4-198 ip igmp snooping version 4-199 show ip igmp snooping 4-199 show mac-address-t[...]

  • Page 16

    Contents xvi Appendix A: Software Specifications A-1 Software Features A-1 Management Features A-2 Standards A-2 Management Information Bases A-3 Appendix B: Troubleshooting B-1 Problems Accessing the Management Interface B-1 Using System Logs B-2 Glossary Index[...]

  • Page 17

    xvii Tables Table 1-1 Key Features 1-1 Table 1-2 System Defaults 1-4 Table 3-1 Web Page Configuration Buttons 3-3 Table 3-2 Switch Main Menu 3-4 Table 3-3 Logging Levels 3-26 Table 3-4 SNMPv3 Security Models and Levels 3-35 Table 3-5 Supported Notification Messages 3-46 Table 3-6 HTTPS System Support 3-55 Table 3-7 802.1X Stat[...]

  • Page 18

    xviii Tables Table 4-24 Frame Size Commands 4-62 Table 4-25 Flash/File Commands 4-63 Table 4-26 File Directory Information 4-66 Table 4-27 Authentication Commands 4-68 Table 4-28 Authentication Sequence Commands 4-69 Table 4-29 RADIUS Client Commands 4-71 Table 4-30 TACACS+ Client Commands 4-74 Table 4-31 Port Security Commands 4[...]

  • Page 19

    xix Tables Table 4-69 IGMP Snooping Commands 4-198 Table 4-70 IGMP Query Commands (Layer 2) 4-201 Table 4-71 Static Multicast Routing Commands 4-204 Table 4-72 Basic IP Configuration Commands 4-205 Table 4-73 DNS Commands 4-210 Table 4-74 show dns cache - display description 4-216 Table B-1 Troubleshooting Chart B-1[...]

  • Page 20

    xx Tables[...]

  • Page 21

    xxi Figures Figure 3-1 Home Page 3-2 Figure 3-2 Front Panel Indicators 3-3 Figure 3-3 System Information 3-9 Figure 3-4 Switch Information 3-11 Figure 3-5 Displaying Bridge Extension Configuration 3-12 Figure 3-6 IP Interface Configuration - Manual 3-14 Figure 3-7 Default Gateway 3-14 Figure 3-8 IP Interface Configuration - DHCP 3[...]

  • Page 22

    xxii Figures Figure 3-42 802.1X Port Statistics 3-70 Figure 3-43 IP Filter 3-72 Figure 3-44 Selecting ACL Type 3-74 Figure 3-45 ACL Configuration - Standard IP 3-75 Figure 3-46 ACL Configuration - Extended IP 3-77 Figure 3-47 ACL Configuration - MAC 3-79 Figure 3-48 Selecting ACL Mask Types 3-80 Figure 3-49 ACL Mask Configuration -[...]

  • Page 23

    xxiii Figures Figure 3-87 Queue Mode 3-151 Figure 3-88 Queue Scheduling 3-152 Figure 3-89 IP Precedence/DSCP Priority Status 3-153 Figure 3-90 IP Precedence Priority 3-154 Figure 3-91 IP DSCP Priority 3-156 Figure 3-92 IP Port Priority Status 3-157 Figure 3-93 IP Port Priority 3-157 Figure 3-94 ACL CoS Priority 3-159 Figure 3-95 IGMP[...]

  • Page 24

    xxiv Figures[...]

  • Page 25

    1-1 Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you shou[...]

  • Page 26

    Introduction 1-2 1 Description of Software Features The switch provides a wide range of advanced performance enhancing features. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs, plus support for automatic GVRP VLAN registration p[...]

  • Page 27

    Description of Software Features 1-3 1 Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the l[...]

  • Page 28

    Introduction 1-4 1 learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can: • Eliminate broadcast storms which severely degrade performance in a flat network[...]

  • Page 29

    System Defaults 1-5 1 Authentication Privileged Exec Level Username “admin” Password “admin” Normal Exec Level Username “guest” Password “guest” Enable Privileged Exec from Normal Exec Level Password “super” RADIUS Authentication Disabled TACACS Authentication Disabled 802.1X Port Authentication Disable[...]

  • Page 30

    Introduction 1-6 1 Address Table Aging Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames GVRP (global) Disabled GVRP (port interface) Disabled Traffic Prioritization Ingress Port Priority 0 Weighted Round Robin Queue[...]

  • Page 31

    2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a[...]

  • Page 32

    Initial Configuration 2-2 2 • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provi[...]

  • Page 33

    Basic Configuration 2-3 2 Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To m[...]

  • Page 34

    Initial Configuration 2-4 2 4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level. Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, rec[...]

  • Page 35

    Basic Configuration 2-5 2 Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: 1. From[...]

  • Page 36

    Initial Configuration 2-6 2 5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. 6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Enabling SNMP Managem[...]

  • Page 37

    Basic Configuration 2-7 2 The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch fr[...]

  • Page 38

    Initial Configuration 2-8 2 Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view calle[...]

  • Page 39

    Managing System Files 2-9 2 Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: [...]

  • Page 40

    Initial Configuration 2-10 2[...]

  • Page 41

    3-1 Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or ab[...]

  • Page 42

    Configuring the Switch 3-2 3 Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When you [...]

  • Page 43

    Navigating the Web Browser Interface 3-3 3 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons. Notes: 1. To ens[...]

  • Page 44

    Configuring the Switch 3-4 3 Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Switch Main Menu Menu Description Page System 3-9 System In[...]

  • Page 45

    Navigating the Web Browser Interface 3-5 3 SNMPv3 3-39 Engine ID Sets the SNMP v3 engine ID 3-40 Remote Engine ID Sets the SNMP v3 engine ID on a remote device 3-40 Users Configures SNMP v3 users 3-41 Remote Users Configures SNMP v3 users on a remote device 3-43 Groups Configures SNMP v3 groups 3-45 Views Configures SNMP[...]

  • Page 46

    Configuring the Switch 3-6 3 LACP 3-90 Configuration Allows ports to dynamically join trunks 3-92 Aggregation Port Configures parameters for link aggregation group members 3-94 Port Counters Information Displays statistics for LACP protocol messages 3-97 Port Internal Information Displays settings and operational state for the lo[...]

  • Page 47

    Navigating the Web Browser Interface 3-7 3 Trunk Configuration Configures trunk settings for a specified MST instance 3-130 VLAN 3-132 802.1Q VLAN GVRP Status Enables GVRP VLAN registration protocol 3-135 Basic Information Displays information on the VLAN type supported by this switch 3-135 Current Table Shows the curre[...]

  • Page 48

    Configuring the Switch 3-8 3 ACL CoS Priority Sets the CoS value and corresponding output queue for packets matching an ACL rule 3-158 IGMP Snooping 3-159 IGMP Configuration Enables multicast filtering; configures parameters for multicast query 3-161 Multicast Router Port Information Displays the ports that are attached to a[...]

  • Page 49

    Basic Configuration 3-9 3 Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. •[...]

  • Page 50

    Configuring the Switch 3-10 3 CLI – Specify the hostname, location and contact information. Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main[...]

  • Page 51

    Basic Configuration 3-11 3 These additional parameters are displayed for the CLI. • Unit ID – Unit number in stack. • Redundant Power Status – Displays the status of the redundant power supply. Web – Click System, Switch Information. Figure 3-4 Switch Information CLI – Use the following command to display version infor[...]

  • Page 52

    Configuring the Switch 3-12 3 Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Fi[...]

  • Page 53

    Basic Configuration 3-13 3 CLI – Enter the following command. Setting the Switch’s IP Address An IP address may be used for management access to the switch over your network. By default, the switch uses DHCP to assign IP settings to VLAN 1 on the switch. If you wish to manually configure IP settings, you need to set an IP addr[...]

  • Page 54

    Configuring the Switch 3-14 3 • MAC Address – The MAC address of this switch. • Restart DHCP – Requests a new IP address from the DHCP server. Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static.” Enter the IP add[...]

  • Page 55

    Basic Configuration 3-15 3 Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save [...]

  • Page 56

    Configuring the Switch 3-16 3 Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI – Enter the following command to restart DHCP service. Configurin[...]

  • Page 57

    Basic Configuration 3-17 3 Managing Firmware You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without [...]

  • Page 58

    Configuring the Switch 3-18 3 Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web – Click System, Fil[...]

  • Page 59

    Basic Configuration 3-19 3 To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-12 Deleting Files CLI – To download new firmware from a TFTP server, e[...]

  • Page 60

    Configuring the Switch 3-20 3 Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration file can be later downloaded to restore the switch’s settings. Command Attributes • File Transfer Method – The config[...]

  • Page 61

    Basic Configuration 3-21 3 Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg[...]

  • Page 62

    Configuring the Switch 3-22 3 CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. To select another configuration file as the start-up configuration, use the boot system command and then restart the switch. Console Port Settings [...]

  • Page 63

    Basic Configuration 3-23 3 • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: Auto) • Stop Bits – Sets the number of the st[...]

  • Page 64

    Configuring the Switch 3-24 3 CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Telnet Settings You can access the onboard configuration program over the network using T[...]

  • Page 65

    Basic Configuration 3-25 3 • Password 5 – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) • Login 5 – Enables password checking at log[...]

  • Page 66

    Configuring the Switch 3-26 3 Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. System Log Configuration The system allows you to en[...]

  • Page 67

    Basic Configuration 3-27 3 Web – Click System, Logs, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-17 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the[...]

  • Page 68

    Configuring the Switch 3-28 3 Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-18 Remote Logs CLI – Enter the syslog server host I[...]

  • Page 69

    Basic Configuration 3-29 3 Displaying Log Messages Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory. Web – Click System, Log, Lo[...]

  • Page 70

    Configuring the Switch 3-30 3 • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list. • Email Destination Address List – Specifies th[...]

  • Page 71

    Basic Configuration 3-31 3 CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show log[...]

  • Page 72

    Configuring the Switch 3-32 3 Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also m[...]

  • Page 73

    Basic Configuration 3-33 3 CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees long[...]

  • Page 74

    Configuring the Switch 3-34 3 Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these d[...]

  • Page 75

    Simple Network Management Protocol 3-35 3 security models v1 and v2c. The following table shows the security models and levels available and the system default settings. Note: The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require acces[...]

  • Page 76

    Configuring the Switch 3-36 3 CLI – The following example enables SNMP on the switch. Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security rea[...]

  • Page 77

    Simple Network Management Protocol 3-37 3 Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenVie[...]

  • Page 78

    Configuring the Switch 3-38 3 Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) • Trap UDP Port – Specifies the UDP port number used by the trap manager. • Trap Version – Indicates if the user is running SNMP v1, v2c, [...]

  • Page 79

    Simple Network Management Protocol 3-39 Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap [...]

  • Page 80

    Configuring the Switch 3-40 Setting a Local Engine ID An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SN[...]

  • Page 81

    Simple Network Management Protocol 3-41 The engine ID can be specified by entering 10 to 64 hexadecimal characters. If less than 26 characters are specified, trailing zeroes are added to the value. For example, the value “1234” is equivalent to “1234” followed by 60 zeroes. Web – Click SNMP, SNMPv3, Remote Engine ID[...]

  • Page 82

    Configuring the Switch 3-42 • Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. • Privacy Password – A minimum of eight plain text characters is required. • Actions – Enables the user to be assigned to another SNMPv3 group. Web – Click SNMP, SNMPv3, Users.[...]

  • Page 83

    Simple Network Management Protocol 3-43 CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to[...]

  • Page 84

    Configuring the Switch 3-44 • Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. • Privacy Password – A minimum of eight plain text characters is required. Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define [...]

  • Page 85

    Simple Network Management Protocol 3-45 CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default group[...]

  • Page 86

    Configuring the Switch 3-46 Table 3-5 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expi[...]

  • Page 87

    Simple Network Management Protocol 3-47 Private Traps swPowerStatusChangeTrap 1.3.6.1.4.1.259.6.10.76.2.1.0.1 This trap is sent when the power state changes. swFanFailureTrap 1.3.6.1.4.1.259.6.10.76.2.1.0.17 This trap is sent when the fan fails. swFanRecoverTrap 1.3.6.1.4.1.259.6.10.76.2.1.0.18 This trap is sent when the[...]

  • Page 88

    Configuring the Switch 3-48 Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the [...]

  • Page 89

    Simple Network Management Protocol 3-49 Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) • View OID Subtrees [...]

  • Page 90

    Configuring the Switch 3-50 CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. User Authentication You can restrict management access to this switch and provide secure network access using the following o[...]

  • Page 91

    User Authentication 3-51 Command Attributes • Account List – Displays the current list of user accounts and associated access levels. (Defaults: admin, and guest) • New Account – Displays configuration settings for a new account. - User Name – The name of the user. (Maximum length: 8 characters; maximum number of use[...]

  • Page 92

    Configuring the Switch 3-52 Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TA[...]

  • Page 93

    User Authentication 3-53 • RADIUS Settings - Global – Provides globally applicable RADIUS settings. - ServerIndex – Specifies one of five RADIUS servers that may be configured. The switch attempts authentication using the listed sequence of servers. The process ends when a server either approves or denies access to a user[...]

  • Page 94

    Configuring the Switch 3-54 Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-34 Authentication Server Se[...]

  • Page 95

    User Authentication 3-55 Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage • Both the HTTP and HTTPS service can be enabled indep[...]

  • Page 96

    Configuring the Switch 3-56 Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-35 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Replacing the Default Secure-site Certificate When you log onto the web interface us[...]

  • Page 97

    User Authentication 3-57 Configuring the Secure Shell The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (r[...]

  • Page 98

    Configuring the Switch 3-58 be configured locally on the switch via the User Accounts page as described on page 3-50.) The clients are subsequently authenticated using these keys. The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key: 1024 35 [...]

  • Page 99

    User Authentication 3-59 Field Attributes • Public-Key of Host-Key – The public key for the host. - RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus. - DSA (Version 2): The first field [...]

  • Page 100

    Configuring the Switch 3-60 CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys. Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows y[...]

  • Page 101

    User Authentication 3-61 Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server. Figure 3-37 SSH Server Settings CLI – This example e[...]

  • Page 102

    Configuring the Switch 3-62 Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port [...]

  • Page 103

    User Authentication 3-63 Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-38 Port Security CLI – This example s[...]

  • Page 104

    Configuring the Switch 3-64 Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access [...]

  • Page 105

    User Authentication 3-65 • The RADIUS server and client also have to support the same EAP authentication type – MD5. (Some clients have native support in Windows, otherwise the dot1x client must support it.) Displaying 802.1X Global Settings The 802.1X protocol provides port authentication. Command Attributes 802.1X S[...]

  • Page 106

    Configuring the Switch 3-66 Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: D[...]

  • Page 107

    User Authentication 3-67 • Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) • Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded[...]

  • Page 108

    Configuring the Switch 3-68 CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-83. Console(config)#interface ethernet 1/2 4-125 Console(config-if)#dot1x port-control auto 4-80 Console(config-if)#dot1x re-authentication 4-81 Consol[...]

  • Page 109

    User Authentication 3-69 Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL [...]

  • Page 110

    Configuring the Switch 3-70 Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-42 802.1X Port Statistics CLI – This example displays the dot1x statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-83 Eth 1/4 Rx: EA[...]

  • Page 111

    User Authentication 3-71 Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage • The management interfaces are open to all IP addresses by default. Once you [...]

  • Page 112

    Configuring the Switch 3-72 Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 3-43 IP Filter CLI – This example restricts management access for Telnet clients. Console(config)#management telnet-[...]

  • Page 113

    Access Control Lists 3-73 Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rule[...]

  • Page 114

    Configuring the Switch 3-74 Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 16 characters) • Type – There are three filtering modes: - Standard: IP ACL mode that filters packets based on the source IP addre[...]

  • Page 115

    Access Control Lists 3-75 and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address [...]

  • Page 116

    Configuring the Switch 3-76 • Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP) • Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535) • Sou[...]

  • Page 117

    Access Control Lists 3-77 Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required [...]

  • Page 118

    Configuring the Switch 3-78 Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Addre[...]

  • Page 119

    Access Control Lists 3-79 Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask[...]

  • Page 120

    Configuring the Switch 3-80 Configuring ACL Masks You must specify masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for [...]

  • Page 121

    Access Control Lists 3-81 Configuring an IP ACL Mask This mask defines the fields to check in the IP header. Command Usage • Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes. Command Attributes • Source/Destination Addre[...]

  • Page 122

    Configuring the Switch 3-82 Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or [...]

  • Page 123

    Access Control Lists 3-83 Configuring a MAC ACL Mask This mask defines the fields to check in the packet header. Command Usage You must configure a mask for an ACL rule before you can bind it to a port. Command Attributes • Source/Destination Address Type – Use “Any” to match any address, “Host” to specify t[...]

  • Page 124

    Configuring the Switch 3-84 CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask. Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you should bind them to the ports that need to fi[...]

  • Page 125

    Port Configuration 3-85 Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply. Figure 3-51 ACL Port Binding CLI – This example assigns an IP and MAC ingress ACL to port 1, an[...]

  • Page 126

    Configuring the Switch 3-86 • Autonegotiation – Shows if auto-negotiation is enabled or disabled. (This setting is fixed at “Disabled” for all 10G ports.) • Trunk Member 8 – Shows if port is a trunk member. • Creation 9 – Shows if a trunk is manually configured or dynamically set via LACP. Web – Click Port, Po[...]

  • Page 127

    Port Configuration 3-87 • LACP – Shows if LACP is enabled or disabled. • Port security – Shows if port security is enabled or disabled. • Max MAC count – Shows the maximum number of MAC addresses that can be learned by a port. (0 - 1024 addresses) • Port security action – Shows the response to take when a security [...]

  • Page 128

    Configuring the Switch 3-88 Configuring Interface Connections You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed and duplex mode. Note: Interface settings for the management port can only be confi[...]

  • Page 129

    Port Configuration 3-89 Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. Figure 3-53 Port - Port Configuration CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/8 4-125 Console(config-if)#description R[...]

  • Page 130

    Configuring the Switch 3-90 Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches. You can create up to [...]

  • Page 131

    Port Configuration 3-91 Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible. • To avoid creating a loop in t[...]

  • Page 132

    Configuring the Switch 3-92 CLI – This example creates trunk 1 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Enabling LACP on Selected Ports Command Usage • To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disco[...]

  • Page 133

    Port Configuration 3-93 Command Attributes • Member List (Current) – Shows configured trunks (Unit, Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-8) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Ad[...]

  • Page 134

    Configuring the Switch 3-94 Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. • However, if the “port channel” Admin Key is set (page 4-1[...]

  • Page 135

    Port Configuration 3-95 Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not tak[...]

  • Page 136

    Configuring the Switch 3-96 CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG, ports 5 and 6 are set to backup mode. Console(config)#interface ethernet 1/1 4-125 Console(config-if)#lacp actor system-priority 3 4-140 Console(config-if)#lacp actor admin-key 120 4-141 Con[...]

  • Page 137

    Port Configuration 3-97 Displaying LACP Port Counters You can display statistics for LACP protocol messages. Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-57 LACP - Port Counters Information CLI – The following example displays LACP counters for[...]

  • Page 138

    Configuring the Switch 3-98 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port[...]

  • Page 139

    Port Configuration 3-99 Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-58 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lac[...]

  • Page 140

    Configuring the Switch 3-100 Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-59 L[...]

  • Page 141

    Port Configuration 3-101 CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly c[...]

  • Page 142

    Configuring the Switch 3-102 Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply. Figure 3-60 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for[...]

  • Page 143

    Port Configuration 3-103 Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. Command Usage • Monitor port speed should m[...]

  • Page 144

    Configuring the Switch 3-104 Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is tr[...]

  • Page 145

    Port Configuration 3-105 Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This informat[...]

  • Page 146

    Configuring the Switch 3-106 Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space. Transmit Errors The number of outbound pack[...]

  • Page 147

    Port Configuration 3-107 Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were[...]

  • Page 148

    Configuring the Switch 3-108 Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-63 Port Statistics[...]

  • Page 149

    Address Table Settings 3-109 CLI – This example shows statistics for port 12. Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address ta[...]

  • Page 150

    Configuring the Switch 3-110 Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-64 Static Addresses CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset. Displaying the Address[...]

  • Page 151

    Address Table Settings 3-111 Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-65 Dynamic Addresses CLI – This example also displays the address ta[...]

  • Page 152

    Configuring the Switch 3-112 Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the aging function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds) Web – Click A[...]

  • Page 153

    Spanning Tree Algorithm Configuration 3-113 Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down[...]

  • Page 154

    Configuring the Switch 3-114 new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) • Hello Time – Interval (in seconds) at which the root device transmits a configuration message. • Forward Delay[...]

  • Page 155

    Spanning Tree Algorithm Configuration 3-115 • Root Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In additio[...]

  • Page 156

    Configuring the Switch 3-116 Note: The current root port and current root cost display as zero when this device is not connected to the network. Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol 14 Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. Thi[...]

  • Page 157

    Spanning Tree Algorithm Configuration 3-117 • Multiple Spanning Tree Protocol - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances. - A spanning tree instance c[...]

  • Page 158

    Configuring the Switch 3-118 • Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time[...]

  • Page 159

    Spanning Tree Algorithm Configuration 3-119 Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-68 STA Global Configuration[...]

  • Page 160

    Configuring the Switch 3-120 CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters. Displaying Interface Settings The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree. Field Attr[...]

  • Page 161

    Spanning Tree Algorithm Configuration 3-121 • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root[...]

  • Page 162

    Configuring the Switch 3-122 These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. • External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to [...]

  • Page 163

    Spanning Tree Algorithm Configuration 3-123 CLI – This example shows the STA attributes for port 5. Configuring Interface Settings You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same m[...]

  • Page 164

    Configuring the Switch 3-124 The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highe[...]

  • Page 165

    Spanning Tree Algorithm Configuration 3-125 • Migration – If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the Protocol Migration button to manually re-chec[...]

  • Page 166

    Configuring the Switch 3-126 To use multiple spanning trees: 1. Set the spanning tree type to MSTP (STA Configuration, page 3-116). 2. Enter the spanning tree priority for the selected MST instance (MSTP VLAN Configuration). 3. Add the VLANs that will share this MSTI (MSTP VLAN Configuration). Note: All VLANs are automatically added to[...]

Spanning Tree Algorithm Configuration 3-127
Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Figure 3-71 MSTP VLAN [...]

Configuring the Switch 3-128
CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
---------------------------------------------------------------
Eth 1/ 7 information
---------------------------------------------------------------
Admin status: enabled
Role: master
State: forwarding
External admin path cost: 100[...]

Spanning Tree Algorithm Configuration 3-129
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
Field Attributes
MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0)
The other a[...]

Configuring the Switch 3-130
Configuring Interface Settings for MSTP
You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.
Field Attributes
The following attributes are read-only and cannot be changed:
• Port – Port identifier. (Range: 1-8)
• ST[...]

Spanning Tree Algorithm Configuration 3-131
Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
• Default: 128
• Range: 0-240, in steps of 16
• Admin MST Path Cost – This parameter is used by the MSTP to determine the best pa[...]

Configuring the Switch 3-132
VLAN Configuration
IEEE 802.1Q VLANs
In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcas[...]

VLAN Configuration 3-133
Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing it on to any end-node host that does not support VLAN tagging.
VLAN Classification – When the switch receives a frame, it classifies the frame in one o[...]

Configuring the Switch 3-134
these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs. [...]

VLAN Configuration 3-135
Enabling or Disabling GVRP (Global Setting)
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated [...]

Configuring the Switch 3-136
CLI – Enter the following command.
Displaying Current VLANs
The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to c[...]

VLAN Configuration 3-137
Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4094, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
- Dynamic: Automatically learned via GVRP.
- Static: Added as a static entry.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Shows if this [...]

Configuring the Switch 3-138
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
Figure 3-77 VLAN Static List - Creating VLANs
CLI – This example creates a new VLAN.
Adding Static Members to VLANs (VLAN Index)
U[...]

VLAN Configuration 3-139
• Trunk – Trunk identifier.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
- Tagged: Interface is a member of the VLAN. All packets transmitted by the port will be tagged, that is, carry a tag and therefore carry VLA[...]

Configuring the Switch 3-140
CLI – The following example adds tagged and untagged ports to VLAN 2.
Adding Static Members to VLANs (Port Index)
Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.
Command Attributes
• Interface – Port (1-8) or trunk identifier.
• Member[...]

VLAN Configuration 3-141
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for s[...]

Configuring the Switch 3-142
Leave or Leave All message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the gr[...]

VLAN Configuration 3-143
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
Configuring Private VLANs
Private VLANs provide port-based security and isolation between ports within th[...]

Configuring the Switch 3-144
Configuring Uplink and Downlink Ports
Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports [...]

VLAN Configuration 3-145
Command Usage
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 3-137). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
2[...]

Configuring the Switch 3-146
Mapping Protocols to VLANs
Map a protocol group to a VLAN for each interface that will participate in the group.
Command Usage
• When creating a protocol-based VLAN, only assign interfaces using this configuration screen. If you assign interfaces using any of the other VLAN menus such as the VLAN [...]

Class of Service Configuration 3-147
Class of Service Configuration
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port's high-priority queue will be [...]

Configuring the Switch 3-148
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 3-85 Default Port Priority
CLI – This example assigns a default priority of 5 to port 3.
Console(config)#interface ethernet 1/3   4-125
Console(config-if[...]

Class of Service Configuration 3-149
Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The[...]

Configuring the Switch 3-150
Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 3-86 Traffic Classes
CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
* Mapping specific values for CoS prioritie[...]

Class of Service Configuration 3-151
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each que[...]

Configuring the Switch 3-152
Web – Click Priority, Queue Scheduling. Select the interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply.
Figure 3-88 Queue Scheduling
CLI – The following example shows how to assign WRR weights to each of the priority queues.
Console(config)#queue bandwidt[...]

Class of Service Configuration 3-153
Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type o[...]

Configuring the Switch 3-154
Mapping IP Precedence
The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapp[...]
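
The classification steps described in the VLAN, 802.1p CoS and IP Precedence sections above, worked through in code. This is an added example, not code from the manual or from Accton: it parses a frame the way a VLAN-aware switch classifies it (802.1Q tag giving VID and PCP, IPv4 ToS octet giving IP Precedence and DSCP), strips the tag before delivery to a VLAN-unaware host, and builds a constructed sample frame to run on; the MAC and IP addresses in the sample are made up.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Classify a frame as a VLAN-aware switch would: read the 802.1Q tag, if
    present, for the VID and the 802.1p priority (PCP); for an IPv4 payload,
    read the ToS octet for the three IP Precedence bits and the six DSCP bits."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"tagged": False, "vid": None, "pcp": None,
            "ip_precedence": None, "dscp": None}
    payload_offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["tagged"] = True
        info["pcp"] = tci >> 13        # priority code point, 0-7 (IEEE 802.1p)
        info["vid"] = tci & 0x0FFF     # 12-bit VLAN identifier
        payload_offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= payload_offset + 20:
        tos = frame[payload_offset + 1]   # second octet of the IPv4 header
        info["ip_precedence"] = tos >> 5  # top three bits: 0 (routine) .. 7 (network control)
        info["dscp"] = tos >> 2           # top six bits
    return info


def strip_vlan_tag(frame: bytes) -> bytes:
    """Return the frame without its 802.1Q tag, as the switch must do before
    forwarding to an end-node host that does not understand tagging."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]   # drop the 4-byte tag, keep the inner EtherType
    return frame


def build_ipv4_frame(vid=None, pcp=0, tos=0) -> bytes:
    """Constructed sample frame (not a capture): optional 802.1Q tag followed by
    a minimal 20-byte IPv4 header carrying the given ToS octet."""
    dst = bytes.fromhex("0000d1000001")          # constructed MAC addresses
    src = bytes.fromhex("0000d1000002")
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                            bytes([10, 1, 0, 54]), bytes([10, 1, 0, 1]))
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip_header
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ip_header


if __name__ == "__main__":
    tagged = build_ipv4_frame(vid=3, pcp=5, tos=0xB8)   # DSCP 46, precedence 5
    print(parse_frame(tagged))
    print(parse_frame(strip_vlan_tag(tagged)))
```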

Class of Service Configuration 3-155
CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
* Mapping specific values for IP Precedence is implemented as an interface configuration command, but any ch[...]

Configuring the Switch 3-156
Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.
Figure 3-91 IP DSCP Priority
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value [...]

Class of Service Configuration 3-157
Mapping IP Port Priority
You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
Command Attributes
• IP P[...]

Configuring the Switch 3-158
CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic (on port 1) to CoS value 0, and then displays the IP Port Priority settings.
* Mapping specific values for IP Port Priority is implemented as an interface configuration command, but any changes will [...]

Multicast Filtering 3-159
Web – Click Priority, ACL CoS Priority. Select a port, select an ACL rule, specify a CoS priority, then click Add.
Figure 3-94 ACL CoS Priority
CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 1.
Multicast Filtering
Multicasting [...]

Configuring the Switch 3-160
multicast switch/router to ensure that it will continue to receive the multicast service. This procedure is called multicast filtering. The purpose of IP multicast filtering is to optimize a switched network's performance, so multicast packets will only be forwarded to those ports containing[...]

Multicast Filtering 3-161
Configuring IGMP Snooping and Query Parameters
You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the t[...]

Configuring the Switch 3-162
Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.)
Figure 3-95 IGMP Configuration
CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Console(config[...]

Multicast Filtering 3-163
Displaying Interfaces Attached to a Multicast Router
Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynami[...]

Configuring the Switch 3-164
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your swi[...]

Multicast Filtering 3-165
Displaying Port Members of Multicast Services
You can display the port members associated with a specified VLAN and multicast service.
Command Attribute
• VLAN ID – Selects the VLAN for which to display port members.
• Multicast IP Address – The IP address for a specific multicast service.
•[...]

Configuring the Switch 3-166
Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in "Configuring IGMP Snooping and Query Parameters" on page 3-161. For certain applications that require tighter control, you may need to staticall[...]

Configuring Domain Name Service 3-167
Configuring Domain Name Service
The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will at[...]

Configuring the Switch 3-168
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
Figure 3-100 DNS General Configuration
CLI - This example sets a default domain na[...]

Configuring Domain Name Service 3-169
Configuring Static DNS Host to Address Entries
You can manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Command Usage
• Static entries may be used for local devices connected directly to the attached network, or for commonly used resource[...]

Configuring the Switch 3-170
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
Figure 3-101 DNS Static Host Table
CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Console(config)#ip [...]

Configuring Domain Name Service 3-171
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated name servers.
Field Attributes
• No – The entry number for each resource record.
• Flag – The flag is always "4" indicating a cache entry and therefore unreliable.
• Type – [...]

Configuring the Switch 3-172
CLI - This example displays all the resource records learned from the designated name servers.
Console#show dns cache   4-216
NO FLAG TYPE IP TTL DOMAIN
0 4 CNAME 207.46.134.222 51 www.microsoft.akadns.net
1 4 CNAME 207.46.134.190 51 www.microsoft.akadns.net
2 4 CNAME 207.46.134.155 51 www.microsoft.akadns.net
3[...]

4-1
Chapter 4: Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Using the Command Line Interface
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server's console port, or via a Telnet connection, the switch can be managed by entering[...]

Command Line Interface 4-2
To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example, if your corporate network is connected to another network outside your office or to the Internet, you [...]

Entering Commands 4-3
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command "show interfaces status ethernet 1/5," show int[...]

Command Line Interface 4-4
Showing Commands
If you enter a "?" at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, DHCP, Interface, Line, Router, VLAN Database, or MSTP). You can also display a list of[...]

Entering Commands 4-5
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example "s?" shows all the keywords starting with "s."
Negating the Effect of Commands[...]

Command Line Interface 4-6
Exec Commands
When you open a new console session on the switch with the user name and password "guest," the system enters the Normal Exec command mode (or guest mode), displaying the "Console>" command prompt. Only a limited number of the commands are available in this mode. You can access[...]

Entering Commands 4-7
To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to "Console(config)#" which gives you access privilege to all Global Configuration commands. To enter the other modes, at the configuration prompt type one of the following comman[...]

Command Line Interface 4-8
Command Groups
The system commands can be broken down into the functional groups shown below.
Ctrl-L  Repeats current command line on a new line.
Ctrl-N  Enters the next command line in the history buffer.
Ctrl-P  Enters the last command.
Ctrl-R  Repeats current command line on a new line.
Ctrl[...]

Line Commands 4-9
The access mode shown in the following tables is indicated by these abbreviations:
PE (Privileged Exec)
VC (VLAN Database Configuration)
NE (Normal Exec)
MST (Multiple Spanning Tree)
GC (Global Configuration)
LC (Line Configuration)
IC (Interface Configuration)
ACL (Access Control List Configuration)
Line Comm[...]

Command Line Interface 4-10
line
This command identifies a specific line for configuration, and to process subsequent line configuration commands.
Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default[...]

Line Commands 4-11
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
Default Setting
login lo[...]

Command Line Interface 4-12
password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password. (Maximum lengt[...]

Line Commands 4-13
Default Setting
• CLI: Disabled (0 seconds)
• Telnet: 600 seconds
Command Mode
Line Configuration
Command Usage
• If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
• This command applies to both the local console and Telnet conne[...]

Command Line Interface 4-14
password-thresh
This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
De[...]

Line Commands 4-15
Example
To set the silent time to 60 seconds, enter this command:
Related Commands
password-thresh (4-14)
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
Syntax
databits {7 | 8}
no databits[...]

Command Line Interface 4-16
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
• none - No parity
• even - Even parity
• odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communicati[...]

Line Commands 4-17
Command Usage
Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the "auto" option, the switch will automaticall[...]

Command Line Interface 4-18
Example
Related Commands
show ssh (4-39)
show users (4-61)
show line
This command displays the terminal line's parameters.
Syntax
show line [console | vty]
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
Shows all li[...]

General Commands 4-19
General Commands
enable
This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See "Understanding Command Modes" on page 4-5.
Syntax
enable [level]
level - Privilege level to log into the device.[...]

Command Line Interface 4-20
Related Commands
disable (4-20)
enable password (4-26)
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the priv[...]

General Commands 4-21
show history
This command shows the contents of the command history buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
Example
In this example, the show history command lists the c[...]

Command Line Interface 4-22
Command Usage
This command resets the entire system.
Example
This example shows how to reset the switch:
end
This command returns to Privileged Exec mode.
Default Setting
None
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple[...]

System Management Commands 4-23
quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
This example shows how to quit a CLI session:
System Management Commands
These commands are u[...]

Command Line Interface 4-24
Device Designation Commands
prompt
This command customizes the CLI prompt. Use the no form to restore the default prompt.
Syntax
prompt string
no prompt
string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters)
Default Setting
Console
Command Mode
Global Configuration[...]

System Management Commands 4-25
Example
User Access Commands
The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-9), user authentication via a remote authentication server (page 4-68), and hos[...]

Command Line Interface 4-26
Command Mode
Global Configuration
Command Usage
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no ne[...]

System Management Commands 4-27
Example
Related Commands
enable (4-19)
authentication enable (4-70)
IP Filter Commands
management
This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting.
Syntax
[no] management {al[...]

Command Line Interface 4-28
• When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
• You cannot delete an individual address from a specified range. You must delet[...]

System Management Commands 4-29
Web Server Commands
ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface. (Range: 1-65535)
Default Setting
80
Comm[...]

Command Line Interface 4-30
Example
Related Commands
ip http port (4-29)
ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch's web interface. Use the no form to disable this functio[...]

System Management Commands 4-31
Example
Related Commands
ip http secure-port (4-31)
copy tftp https-certificate (4-63)
ip http secure-port
This command specifies the UDP port number used for HTTPS connection to the switch's web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip h[...]

Command Line Interface 4-32
Telnet Server Commands
ip telnet server
This command allows this device to be monitored or configured from Telnet. It also specifies the TCP port number used by the Telnet interface. Use the no form without the "port" keyword to disable this function. Use the no form with the "port" keyword to use t[...]

System Management Commands 4-33
This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0 clients. The SSH server on this swi[...]

Command Line Interface 4-34
station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:
10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254150202455931998685443583616519999233297817660658309561082591321289023376546801[...]

System Management Commands 4-35
ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Syntax
[no] ip ssh server
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The SSH server supports up to four client sessions. The maximum number of[...]

Command Line Interface 4-36
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
Example
Related Commands
exec-timeout ([...]

System Management Commands 4-37
Default Setting
768 bits
Command Mode
Global Configuration
Command Usage
• The server key is a private key that is never shared outside the switch.
• The host key is shared with the SSH client, and is fixed at 1024 bits.
Example
delete public-key
This command deletes the specified user's pu[...]

Command Line Interface 4-38
Command Usage
• This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.
• Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise [...]

System Management Commands 4-39
ip ssh save host-key
This command saves the host key from RAM to flash memory.
Syntax
ip ssh save host-key [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
Default Setting
Saves both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Related Commands
ip ssh crypto host-key gener[...]

Command Line Interface 4-40
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
• If no parameter[...]

  • Page 253

System Management Commands 4-41 • When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus. When a DSA key is displayed, the first field indicates that the encryption method used b[...]
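The RSA line that show public-key prints is just three decimal fields, so it is easy to check before trusting it: the declared size must equal the modulus bit length, and both the exponent and the modulus must be odd. The parser below is an added example (not code from the manual or from Accton) that does that check and also derives an MD5 fingerprint over n||e, the convention OpenSSH used for protocol-1 RSA keys, so the value shown on the switch can be compared with what a client recorded. The sample key is a constructed 1024-bit number, not a real key; the 2048-bit floor is current practice, not a figure from the manual, and the switch's fixed 1024-bit host key (and 768-bit server key) falls below it.

```python
"""Parse and sanity-check the '<bits> <exponent> <modulus>' RSA line that
'show public-key' displays. Added example; the sample key is constructed."""
import hashlib

MIN_RSA_BITS = 2048  # modern floor (assumption of this example, not from the manual)


def parse_rsa_public_key(line: str) -> dict:
    """Return size, exponent and modulus after checking the line is consistent:
    declared size == modulus bit length, and e and n odd (true of any RSA key)."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("expected '<bits> <exponent> <modulus>'")
    bits, e, n = (int(f) for f in fields)
    if n.bit_length() != bits:
        raise ValueError(f"declared {bits} bits but modulus has {n.bit_length()} bits")
    if e % 2 == 0 or n % 2 == 0:
        raise ValueError("RSA public exponent and modulus must both be odd")
    if e < 3:
        raise ValueError("public exponent too small")
    return {"bits": bits, "exponent": e, "modulus": n, "weak": bits < MIN_RSA_BITS}


def is_valid_key_line(line: str) -> bool:
    """Boolean wrapper so callers (or tests) can check a line without try/except."""
    try:
        parse_rsa_public_key(line)
        return True
    except ValueError:
        return False


def rsa1_fingerprint(e: int, n: int) -> str:
    """MD5 over the big-endian bytes of n followed by e, colon-separated hex
    (the fingerprint form OpenSSH used for RSA1 keys)."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    digest = hashlib.md5(n_bytes + e_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


# Constructed sample: an odd 1024-bit number standing in for a real modulus.
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_LINE = f"1024 35 {SAMPLE_N}"

if __name__ == "__main__":
    key = parse_rsa_public_key(SAMPLE_LINE)
    print(key["bits"], "bits, weak:", key["weak"])
    print("fingerprint:", rsa1_fingerprint(key["exponent"], key["modulus"]))
```

A mismatch between the declared size and the modulus, or an even exponent, means the output was copied incorrectly or tampered with; neither should be pasted into a client's known hosts file.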

  • Page 254

Command Line Interface 4-42 logging on This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process. Syntax [no] logging on Default Setting None Command Mode Global Configuration Command Usage The logging process controls error messages saved to [...]

  • Page 255

System Management Commands 4-43 • level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7) Default Setting Flash: errors (level 3 - 0) RAM: warnings (level 7 - 0) Command Mode Global Configuration Command Usage The message level specified for flash memory must be a high[...]

  • Page 256

Command Line Interface 4-44 Command Usage • By using this command more than once you can build up a list of host IP addresses. • The maximum number of host IP addresses allowed is five. Example logging facility This command sets the facility type for remote logging of syslog messages. Use the no form to return the ty[...]

  • Page 257

System Management Commands 4-45 Default Setting • Disabled • Level 7 - 0 Command Mode Global Configuration Command Usage • Using this command with a specified level enables remote logging and sets the minimum severity level to be saved. • Using this command without a specified level also enables remote logging, but resto[...]
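The level arguments of logging history and logging trap are thresholds, not single levels: level N keeps everything from N down to 0, and the flash threshold may not be looser than the RAM one. The following added example (not code from the manual or from Accton) models that routing for the three destinations and computes the PRI value a remote syslog collector would see, which is what a detection rule keys on. The log lines and their "level-N" format are constructed for the example, and the facility number 23 (local7) is an assumed parameter, not the switch's documented default.

```python
"""Syslog severity routing as the manual describes it for flash, RAM and the
remote 'logging trap' destination. Added example; sample log lines are constructed."""
import re

SEVERITY_NAME = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                 4: "warning", 5: "notice", 6: "informational", 7: "debugging"}
DEFAULT_FLASH_LEVEL = 3   # manual default for flash: level 3 - 0
DEFAULT_RAM_LEVEL = 7     # manual default for RAM: level 7 - 0


def keeps(threshold: int, severity: int) -> bool:
    """A destination set to `threshold` stores severities `threshold` .. 0,
    i.e. messages that are equally or more urgent (lower number = more urgent)."""
    for v in (threshold, severity):
        if not 0 <= v <= 7:
            raise ValueError("syslog levels are 0-7")
    return severity <= threshold


def flash_level_allowed(flash_level: int, ram_level: int) -> bool:
    """The manual requires the flash level to be a higher priority (numerically
    lower or equal) than the RAM level, so flash never keeps more than RAM."""
    return flash_level <= ram_level


def syslog_pri(facility: int, severity: int) -> int:
    """PRI field of a BSD syslog datagram (RFC 3164): facility * 8 + severity."""
    return facility * 8 + severity


# Constructed line shape for this example: '<date> <time> level-N <text>'
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) level-(?P<sev>[0-7]) (?P<msg>.*)$")


def route(lines, flash_level=DEFAULT_FLASH_LEVEL, ram_level=DEFAULT_RAM_LEVEL,
          trap_level=None, facility=23):
    """Decide, per line, which destinations keep it. trap_level=None means
    remote logging is disabled (the manual's default). facility=23 (local7)
    is an assumption of this example."""
    if not flash_level_allowed(flash_level, ram_level):
        raise ValueError("flash level must be numerically <= RAM level")
    routed = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected shape; ignore rather than misclassify
        sev = int(m["sev"])
        routed.append({
            "msg": m["msg"],
            "severity": SEVERITY_NAME[sev],
            "flash": keeps(flash_level, sev),
            "ram": keeps(ram_level, sev),
            "trap": trap_level is not None and keeps(trap_level, sev),
            "pri": syslog_pri(facility, sev),
        })
    return routed


SAMPLE_LINES = [  # constructed
    "2009-01-01 10:00:01 level-1 Fan failure detected",
    "2009-01-01 10:00:02 level-3 TFTP download failed",
    "2009-01-01 10:00:03 level-6 User steve logged in from 10.1.1.21",
    "2009-01-01 10:00:04 level-7 dot1x: EAP-Request sent on port 1/8",
]

if __name__ == "__main__":
    for entry in route(SAMPLE_LINES, trap_level=4):
        print(entry)
```

Setting logging trap to level 6 or 7 is the choice that makes login events reach the collector; at the default trap level the successful-login line above never leaves the switch.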

  • Page 258

Command Line Interface 4-46 show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} • flash - Displays settings for storing event messages in flash memory (i.e., perma[...]

  • Page 259

System Management Commands 4-47 The following example displays settings for the trap function. Related Commands show logging sendmail (4-51) show log This command displays the log messages stored in local memory. Syntax show log {flash | ram} • flash - Event history stored in flash memory (i.e., permanent memory). • ram -[...]

  • Page 260

Command Line Interface 4-48 Example The following example shows the event message stored in RAM. SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. logging sendmail host This command specifies SMTP servers that will be sent a [...]

  • Page 261

System Management Commands 4-49 • To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system [...]

  • Page 262

Command Line Interface 4-50 Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to[...]

  • Page 263

System Management Commands 4-51 Example show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switc[...]

  • Page 264

Command Line Interface 4-52 sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests. Syntax [no] sntp client Default Setting Disabled Command Mode Global Configuration Command Usage •[...]

  • Page 265

System Management Commands 4-53 Default Setting None Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronizat[...]

  • Page 266

Command Line Interface 4-54 show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time[...]

  • Page 267

System Management Commands 4-55 Related Commands show sntp (4-54) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} [...]

  • Page 268

Command Line Interface 4-56 System Status Commands show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show running-config command to compare the [...]

  • Page 269

System Management Commands 4-57 Example Related Commands show running-config (4-58) Console#show startup-config !<stackingDB>00</stackingDB> !<stackingMac>01_00-0c-db-21-11-33_00</stackingMac> ! phymap 00-0c-db-21-11-33 ! SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 ! snmp-server community public ro snmp-server community privat[...]

  • Page 270

Command Line Interface 4-58 show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored [...]

  • Page 271

System Management Commands 4-59 Example Related Commands show startup-config (4-56) Console#show running-config building running-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-0c-db-21-11-33_00</stackingMac> ! phymap 00-0c-db-21-11-33 ! SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 ! snmp-server community [...]

  • Page 272

Command Line Interface 4-60 show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to "Displaying System Information" on page 3-9. • The POST results should all display "PASS." If an[...]

  • Page 273

System Management Commands 4-61 show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a "*" symbol next to the Line (i.e[...]

  • Page 274

Command Line Interface 4-62 Example Frame Size Commands jumbo frame This command enables support for jumbo frames. Use the no form to disable it. Syntax [no] jumbo frame Default Setting Disabled Command Mode Global Configuration Command Usage • This switch provides more efficient throughput for large sequential data transfers [...]

  • Page 275

Flash/File Commands 4-63 Example Flash/File Commands These commands are used to manage the system code or configuration files. copy This command moves (upload/download) a code image or configuration file between the switch's flash memory and a TFTP server. When you save the system code or configuration settings to a fil[...]

  • Page 276

Command Line Interface 4-64 Command Mode Privileged Exec Command Usage • The system prompts for data required to complete the copy command. • The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server[...]

  • Page 277

Flash/File Commands 4-65 The following example shows how to download a configuration file: This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key aut[...]

  • Page 278

Command Line Interface 4-66 Command Usage • If the file type is used for system startup, then this file cannot be deleted. • "Factory_Default_Config.cfg" cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Related Commands dir (4-66) delete public-key (4-37[...]

  • Page 279

Flash/File Commands 4-67 Example The following example shows how to display all file information: whichboot This command displays which files were booted when the system powered up. Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under[...]

  • Page 280

Command Line Interface 4-68 Command Mode Global Configuration Command Usage • A colon (:) is required after the specified unit number and file type. • If the file contains an error, it cannot be set as the default file. Example Related Commands dir (4-66) whichboot (4-67) Authentication Commands You can configure this switch [...]

  • Page 281

Authentication Commands 4-69 Authentication Sequence authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password. • radius - Use RADIUS server pa[...]

  • Page 282

Command Line Interface 4-70 authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-19). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [ta[...]

  • Page 283

Authentication Commands 4-71 RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associat[...]

  • Page 284

Command Line Interface 4-72 Example radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port_number no radius-server port port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting 1812 Command Mode Global[...]

  • Page 285

Authentication Commands 4-73 radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1[...]
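What the switch actually sends to UDP port 1812 when a login is checked against RADIUS is an Access-Request whose User-Password attribute is hidden with the shared secret (RFC 2865 section 5.2), which is why the secret on the switch and on the server must match exactly. The encoder and decoder below are an added example (not code from the manual or from Accton, and not the switch's implementation); the user name, password, shared secret, NAS address and fixed request authenticator are constructed values. A real client draws the authenticator from a strong random source, as the build function does when none is supplied.

```python
"""RADIUS Access-Request construction with RFC 2865 User-Password hiding.
Added example; all sample values are constructed."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 bytes (at least one block), then
    c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = request authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1-128 bytes")
    blocks = (len(password) + 15) // 16
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo hide_password. NUL padding is stripped, so a password
    ending in NUL bytes is not representable (a limitation of the RFC scheme)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_ip: str, authenticator: bytes = None) -> bytes:
    """Code, identifier, length, 16-byte authenticator, then attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and an attribute dict,
    rejecting length fields that disagree with the datagram."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


if __name__ == "__main__":
    pkt = build_access_request(7, b"steve", b"s3cret!pass", b"testing123", "10.1.1.1")
    print(pkt.hex())
    print(parse_packet(pkt)["attrs"])
```

The hiding is an MD5 stream keyed by the shared secret, not authenticated encryption: anyone who captures the request and knows or guesses the secret recovers the password, so the secret needs real entropy and the RADIUS path should not cross untrusted segments. The retransmit count from radius-server retransmit only governs how many times this same datagram is re-sent; each retry should reuse the identifier and authenticator so the server can deduplicate.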

  • Page 286

Command Line Interface 4-74 Example TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/passwo[...]

  • Page 287

Authentication Commands 4-75 Example tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port_number no tacacs-server port port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting 49 Command Mode[...]

  • Page 288

Command Line Interface 4-76 show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses[...]

  • Page 289

Authentication Commands 4-77 port security This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses. Synta[...]

  • Page 290

Command Line Interface 4-78 Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Related Commands shutdown (4-129) mac-address-table static (4-147) show mac-address-table (4-148) 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) por[...]
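The behaviour the port security section describes is a small state machine per port: learn source addresses until the configured maximum is reached, then treat any frame from an unknown source as a violation and apply the configured response. The model below is an added example (not code from the manual or from Accton) of that state machine, including the recovery path through no shutdown that the Related Commands entry points to. The action keywords none/trap/shutdown/trap-and-shutdown, the assumption that a violating frame is dropped, and the MAC addresses are this example's assumptions and constructed values, not statements from the manual excerpt.

```python
"""Per-port secure MAC learning with a maximum count and a violation response.
Added example; action keywords and addresses are assumed/constructed."""

VALID_ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")


class SecuredPort:
    def __init__(self, name: str, max_count: int = 1, action: str = "none"):
        if action not in VALID_ACTIONS:
            raise ValueError(f"action must be one of {VALID_ACTIONS}")
        if max_count < 1:
            raise ValueError("max_count must be at least 1")
        self.name = name
        self.max_count = max_count
        self.action = action
        self.learned = []        # secure addresses, in learning order
        self.link_up = True      # False after a shutdown response
        self.traps = []          # trap messages the switch would emit
        self.violations = 0

    def ingress(self, src_mac: str) -> str:
        """Classify one incoming frame by its source MAC and return the verdict."""
        src_mac = src_mac.lower()
        if not self.link_up:
            return "dropped:port-shutdown"
        if src_mac in self.learned:
            return "forwarded:known"
        if len(self.learned) < self.max_count:
            self.learned.append(src_mac)
            return "forwarded:learned"
        # Table full: an unknown source is a security violation.
        self.violations += 1
        if "trap" in self.action:
            self.traps.append(f"{self.name}: intrusion by {src_mac}")
        if "shutdown" in self.action:
            self.link_up = False
            return "dropped:shutdown"
        return "dropped:violation"   # assumption: violating frame is not forwarded

    def no_shutdown(self) -> None:
        """Administrative re-enable after a shutdown response; the learned
        table is kept, so the original station keeps working."""
        self.link_up = True


if __name__ == "__main__":
    port = SecuredPort("eth1/5", max_count=1, action="trap")
    for mac in ("00-0c-db-21-11-33", "00-0c-db-21-11-33", "de-ad-be-ef-00-01"):
        print(mac, "->", port.ingress(mac))
    print(port.traps)
```

With the trap response the port stays up and the intruder is only reported, so the trap receiver (snmp-server host) must actually be configured for this setting to be worth anything; with a shutdown response the port stays down until an operator issues no shutdown, which turns a spoofed MAC into a denial of service on that port.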

  • Page 291

Authentication Commands 4-79 dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Command Mode Global Configuration Example dot1x default This command sets all configurable dot1x glo[...]

  • Page 292

Command Line Interface 4-80 dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control • auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server[...]

  • Page 293

Authentication Commands 4-81 Command Usage • The "max-count" parameter specified by this command is only effective if the dot1x mode is set to "auto" by the dot1x port-control command (page 4-105). • In "multi-host" mode, only one host connected to a port needs to pass authentication for all other hosts to be gran[...]

  • Page 294

Command Line Interface 4-82 dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax dot1x timeout quiet-period seconds no dot1x timeout quiet-period seconds - The number of s[...]

  • Page 295

Authentication Commands 4-83 dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of [...]

  • Page 296

Command Line Interface 4-84 • 802.1X Port Details – Displays the port access control parameters for each interface, including the following items: - reauth-enabled – Periodic re-authentication (page 4-81). - reauth-period – Time after which a connected client must be re-authenticated (page 4-82). - quiet-perio[...]

  • Page 297

Authentication Commands 4-85 Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized 1/1 disabled Single-Host ForceAuthorized n/a 1/2 disabled Single-Host ForceAuthorized n/a . . . 1/7 disabled Single-Host ForceAuthorized yes 1/8 enabled Single-Host Auto [...]

  • Page 298

Command Line Interface 4-86 Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, [...]

  • Page 299

Access Control List Commands 4-87 The order in which active ACLs are checked is as follows: 1. User-defined rules in the Egress MAC ACL for egress ports. 2. User-defined rules in the Egress IP ACL for egress ports. 3. User-defined rules in the Ingress MAC ACL for ingress ports. 4. User-defined rules in the Ingress IP ACL f[...]

  • Page 300

Command Line Interface 4-88 access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP ad[...]

  • Page 301

Access Control List Commands 4-89 access-list ip extended fragment-auto-mask This command automatically creates extra masks to support fragmented ACL entries. Use the no form to disable this feature. Syntax [no] access-list ip extended fragment-auto-mask Default Setting Disabled Command Mode Global Configuration Command Usag[...]

  • Page 302

Command Line Interface 4-90 Example This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. Related Commands access-list ip (4-88) permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a fil[...]

  • Page 303

Access Control List Commands 4-91 Default Setting None Command Mode Extended ACL Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate "match" and 0 bi[...]

  • Page 304

Command Line Interface 4-92 This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to "SYN." Related Commands access-list ip (4-88) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – [...]

  • Page 305

Access Control List Commands 4-93 Command Usage • A mask can only be used by all ingress ACLs or all egress ACLs. • The precedence of the ACL rules applied to a packet is not determined by order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied [...]

  • Page 306

Command Line Interface 4-94 Command Mode IP Mask Command Usage • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered. • First create the required ACLs and in[...]

  • Page 307

Access Control List Commands 4-95 This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others. This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23. Console(conf[...]

  • Page 308

Command Line Interface 4-96 This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the ord[...]
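The point the mask pages make is easy to get wrong in practice: once an IP ACL is bound, the order of the mask table, not the order in which permit/deny rules were typed, decides which rule is tested first. The model below is an added example (not the switch's code and not from the manual or Accton) that implements the manual's bitmask semantics (1 bits must match), the control-flag test from the extended-ACL pages, and a mask table whose entries cover rules that specify exactly the fields the mask checks. It then reproduces the "deny SYN, permit everything else" example and shows that swapping the two masks flips the verdict for a SYN packet. Packets and addresses are constructed; because the excerpt does not state the implicit action when nothing matches, the evaluator returns None in that case rather than assuming one.

```python
"""Software model of IP ACL rule matching and mask precedence as the manual
describes them. Added example; packets and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP_FLAG = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def addr_matches(packet_addr: str, rule_addr: str, bitmask: str) -> bool:
    """Manual's bitmask: 1 bits of the mask must be equal between packet and
    rule address, 0 bits are ignored. 'any' matches every address."""
    if rule_addr == "any":
        return True
    m = to_int(bitmask)
    return (to_int(packet_addr) & m) == (to_int(rule_addr) & m)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0          # bitwise OR of TCP_FLAG values


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "any"
    src_bitmask: str = "255.255.255.255"
    dst: str = "any"
    dst_bitmask: str = "255.255.255.255"
    protocol: Optional[str] = None      # None = any protocol
    sport: Optional[int] = None         # Layer 4 source port
    control_flag: Optional[int] = None  # 'control-flag <code> <bitmask>'
    flag_bitmask: int = 63

    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if not addr_matches(p.src, self.src, self.src_bitmask):
            return False
        if not addr_matches(p.dst, self.dst, self.dst_bitmask):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.control_flag is not None and (
                p.tcp_flags & self.flag_bitmask) != (self.control_flag & self.flag_bitmask):
            return False
        return True


@dataclass(frozen=True)
class Mask:
    """One entry of the mask table. It covers a rule when it checks exactly the
    fields that rule specifies, with the same address bitmask."""
    src_bitmask: Optional[str] = None   # None = mask ignores the source address
    dst_bitmask: Optional[str] = None
    protocol: bool = False
    sport: bool = False
    control_flag: bool = False

    def covers(self, r: Rule) -> bool:
        def addr_ok(rule_addr, rule_mask, mask_bits):
            if mask_bits is None:
                return rule_addr == "any"
            return rule_addr != "any" and rule_mask == mask_bits
        return (addr_ok(r.src, r.src_bitmask, self.src_bitmask)
                and addr_ok(r.dst, r.dst_bitmask, self.dst_bitmask)
                and self.protocol == (r.protocol is not None)
                and self.sport == (r.sport is not None)
                and self.control_flag == (r.control_flag is not None))


def evaluate(rules, masks, packet: Packet) -> Optional[str]:
    """Action of the first matching rule, or None if nothing matches.
    Without masks, rules are tried in entry order; with masks, the first mask
    whose covered rule matches decides, as the manual states."""
    if not masks:
        return next((r.action for r in rules if r.matches(packet)), None)
    for m in masks:
        for r in rules:
            if m.covers(r) and r.matches(packet):
                return r.action
    return None


# The manual's comprehensive example: deny TCP SYN, permit everything else.
DENY_SYN = Rule("deny", protocol="tcp", control_flag=TCP_FLAG["SYN"], flag_bitmask=TCP_FLAG["SYN"])
PERMIT_ANY = Rule("permit")
SYN_MASK = Mask(protocol=True, control_flag=True)   # covers DENY_SYN
ANY_MASK = Mask()                                   # covers PERMIT_ANY

if __name__ == "__main__":
    syn = Packet("10.1.1.21", "10.2.2.2", sport=40000, dport=80, tcp_flags=TCP_FLAG["SYN"])
    print("masks SYN first:", evaluate([DENY_SYN, PERMIT_ANY], [SYN_MASK, ANY_MASK], syn))
    print("masks ANY first:", evaluate([DENY_SYN, PERMIT_ANY], [ANY_MASK, SYN_MASK], syn))
```

Verify the bound order with show access-list after binding, not before: the manual notes that the displayed rule order changes once the ACL is active, and that is the order that matters.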

  • Page 309

Access Control List Commands 4-97 Related Commands mask (IP ACL) (4-93) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to in[...]

  • Page 310

Command Line Interface 4-98 map access-list ip This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping. Syntax [no] map access-list ip acl_name cos cos-v[...]

  • Page 311

Access Control List Commands 4-99 Command Mode Privileged Exec Example Related Commands map access-list ip (4-98) match access-list ip This command changes the IEEE 802.1p priority, IP Precedence, or DSCP Priority of a frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no [...]

  • Page 312

Command Line Interface 4-100 Example Related Commands show marking (4-100) show marking This command displays the current configuration for packet marking. Command Mode Privileged Exec Example Related Commands match access-list ip (4-99) MAC ACLs Console(config)#interface ethernet 1/12 Console(config-if)#match access-list ip bill s[...]

  • Page 313

Access Control List Commands 4-101 access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode Global Configuration Comman[...]

  • Page 314

Command Line Interface 4-102 permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source addres[...]

  • Page 315

Access Control List Commands 4-103 Command Mode MAC ACL Command Usage • New rules are added to the end of the list. • The ethertype option can only be used to filter Ethernet II formatted packets. • A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:[...]

  • Page 316

Command Line Interface 4-104 access-list mac mask-precedence This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list mac mask-precedence {in | out} • in – Ingress mask for ingress ACLs. • out – Egress mask for egress ACLs. Defau[...]

  • Page 317

Access Control List Commands 4-105 • vid-bitmask – VLAN ID of rule must match this bitmask. • ethertype – Check the Ethernet type field. • ethertype-bitmask – Ethernet type of rule must match this bitmask. Default Setting None Command Mode MAC Mask Command Usage • Up to seven masks can be assigned to an ingress or eg[...]

  • Page 318

Command Line Interface 4-106 This example creates an Egress MAC ACL. show access-list mac mask-precedence This command shows the ingress or egress rule masks for MAC ACLs. Syntax show access-list mac mask-precedence [in | out] • in – Ingress mask precedence for ingress ACLs. • out – Egress mask precedence for egre[...]

  • Page 319

Access Control List Commands 4-107 mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. • out – Indicates that t[...]

  • Page 320

Command Line Interface 4-108 map access-list mac This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping. Syntax [no] map access-list mac acl_name cos c[...]

  • Page 321

Access Control List Commands 4-109 Command Mode Privileged Exec Example Related Commands map access-list mac (4-108) match access-list mac This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL[...]

  • Page 322

Command Line Interface 4-110 ACL Information show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks. Command Mode Privileged Exec Command Usage Once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated[...]

  • Page 323

SNMP Commands 4-111 SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling u[...]

  • Page 324

Command Line Interface 4-112 Example show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data uni[...]

  • Page 325

SNMP Commands 4-113 snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro | rw] no snmp-server community string • string - Community string that acts like a password and permits access to t[...]

  • Page 326

Command Line Interface 4-114 Related Commands snmp-server location (4-114) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters[...]

  • Page 327

SNMP Commands 4-115 to using the snmp-server host command. (Maximum length: 32 characters) • version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) - auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and pr[...]

  • Page 328

Command Line Interface 4-116 To send an inform to a SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 4-111). 2. Allow the switch to send SNMP traps; i.e., notifications (page 4-116). 3. Specify the target host that will receive inform messages with the snmp-server host command as described in this section. 4[...]

  • Page 329

SNMP Commands 4-117 Command Usage • If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both auth[...]

  • Page 330

Command Line Interface 4-118 passwords to generate the security keys for authenticating and encrypting SNMPv3 packets. • A remote engine ID is required when using SNMPv3 informs. (See snmp-server host on page 4-114.) The remote engine ID is used to compute the security digest for authenticating and encrypting packets s[...]

  • Page 331

SNMP Commands 4-119 snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) • oid-tree - Object id[...]

  • Page 332

Command Line Interface 4-120 show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}[...]

  • Page 333

SNMP Commands 4-121 Default Setting • Default groups: public (read only), private (read/write) • readview - Every object belonging to the Internet OID space (1.3.6.1). • writeview - Nothing is defined. • notifyview - Nothing is defined. Command Mode Global Configuration Command Usage • A group sets the access p[...]

  • Page 334

Command Line Interface 4-122 snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5[...]

  • Page 335

SNMP Commands 4-123 • ip-address - The Internet address of the remote device. • v1 | v2c | v3 - Use SNMP version 1, 2c or 3. • encrypted - Accepts the password as encrypted input. • auth - Uses SNMP v3 with authentication. • md5 | sha - Uses MD5 or SHA authentication. • auth-password - Authentication password. En[...]

  • Page 336

Command Line Interface 4-124 show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e[...]
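The engine-id page says that the engine ID is used together with the user's passwords to compute the security keys, and show snmp user prints the engine ID those keys are tied to. The added example below (not code from the manual or from Accton) carries that derivation through as RFC 3414 defines it: hash 1 MiB of the repeated password to get Ku, localize it with the engine ID to get Kul, and use Kul as the HMAC key whose 12-byte truncation becomes msgAuthenticationParameters. It is checked against the RFC 3414 Appendix A test vectors (password "maplesyrup", engine ID 00...02) and then applied to the engine ID shown in the manual's show snmp user output; the message bytes are constructed. This is also what the encrypted keyword accepts: the localized key rather than the password.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414 A.2) plus the
HMAC-96 authentication parameter (RFC 3414 6.3/7.3). Added example."""
import hashlib
import hmac

MEGABYTE = 1048576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest of exactly 1,048,576 bytes of the password repeated.
    hash_name is 'md5' or 'sha1' (the md5/sha choice on snmp-server user)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || engineID || Ku). A key recovered from one agent does not
    work against another agent, even if both were given the same password."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID is 5-32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, message: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with this
    field zero-filled), truncated to 12 octets (HMAC-MD5-96 / HMAC-SHA-96)."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify_auth(kul: bytes, zeroed_message: bytes, received: bytes, hash_name: str) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_parameters(kul, zeroed_message, hash_name), received)


def localized_keys(password: bytes, engine_id_hex: str, hash_name: str) -> dict:
    """Convenience: both keys for a password and an engine ID given as hex,
    as show snmp user prints it."""
    ku = password_to_key(password, hash_name)
    return {"ku": ku, "kul": localize_key(ku, bytes.fromhex(engine_id_hex), hash_name)}


# Engine ID from the manual's 'show snmp user' example output.
SWITCH_ENGINE_ID_HEX = "800000ca030030f1df9ca00000"

if __name__ == "__main__":
    keys = localized_keys(b"maplesyrup", SWITCH_ENGINE_ID_HEX, "md5")
    print("Ku :", keys["ku"].hex())
    print("Kul:", keys["kul"].hex())
    msg = b"\x30\x2c\x02\x01\x03" + b"\x00" * 12  # constructed stand-in for a v3 message
    print("auth params:", auth_parameters(keys["kul"], msg, "md5").hex())
```

Because Ku depends only on the password, an attacker who learns it from a different agent still needs that agent's engine ID to derive the matching Kul; informs complicate this, since the sender must know the remote engine ID to localize correctly, which is why the manual requires it for SNMPv3 informs.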

  • Page 337

Interface Commands 4-125 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. interface This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk. Syntax interface interface no interf[...]

  • Page 338

Command Line Interface 4-126 Command Mode Global Configuration Example To specify port 4, enter the following command: description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attache[...]

  • Page 339

Interface Commands 4-127 Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is: - Fast Ethernet port – 100full (100 Mbps full-duplex) - 10 Gigabit Ethernet ports – 10000full (10 Gbps full-duplex) Command Mode Interface Configuration (Ether[...]

  • Page 340

    Command Line Interface 4-128 disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. • If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example The following example configures port 9 to use autonegotiation. Rela[...]

  • Page 341

    Interface Commands 4-129 Related Commands negotiation (4-127) speed-duplex (4-126) shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Us[...]

  • Page 342

    Command Line Interface 4-130 Example The following shows how to configure broadcast storm control at 600 packets per second: clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-8) • p[...]

  • Page 343

    Interface Commands 4-131 Default Setting Shows the status for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status” on page 3-85. Example [...]

  • Page 344

    Command Line Interface 4-132 Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 3-105. Example show interfaces switchport This command displays the a[...]

  • Page 345

    Interface Commands 4-133 Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the configuration setting for port 4. Console#show interfaces switchport ethernet 1/4 Broadcast Threshold: Enabled, 1042 packets/second LACP Status: Disabled I[...]

  • Page 346

    Command Line Interface 4-134 Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. port monitor This command configures a mirror session. Use the no form to clear a mirror session. Syntax port monitor interface [rx | tx | both] no port monitor interface • interface - etherne[...]

  • Page 347

    Mirror Port Commands 4-135 Example The following example configures the switch to mirror all packets from port 6 to 8: show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) • unit - This is unit 1. • port - Port number. (Range: 1-8) De[...]

  • Page 348

    Command Line Interface 4-136 Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is trans[...]

  • Page 349

    Link Aggregation Commands 4-137 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and[...]

  • Page 350

    Command Line Interface 4-138 Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. • Ports must have the same port admin key (Ethernet Interface). • If the port channel admin key (lacp admin key - Port Channel) is n[...]

  • Page 351

    Link Aggregation Commands 4-139 lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet Ports 1-8) Command Usage • The ports on both ends of an LACP trunk[...]

  • Page 352

    Command Line Interface 4-140 lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. • partner - Th[...]

  • Page 353

    Link Aggregation Commands 4-141 lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key • actor - The local side of an aggregate link. • partner -[...]

  • Page 354

    Command Line Interface 4-142 Default Setting 0 Command Mode Interface Configuration (Port Channel) Command Usage • Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured). • If the port channel admin ke[...]

  • Page 355

    Link Aggregation Commands 4-143 Example show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} • port-channel - Local identifier for a link aggregation group. (Range: 1-4) • counters - Statistics for LACP protocol messages. • internal - Configurati[...]

  • Page 356

    Command Line Interface 4-144 Console#show lacp 1 internal Port channel: 1 ------------------------------------------------------------------------- Oper Key: 3 Admin Key: 0 Eth 1/2 ------------------------------------------------------------------------- LACPDUs Internal: 30 sec LACP System Priority: 32768 LACP Port Priority: 32768 Admin Key:[...]

  • Page 357

    Link Aggregation Commands 4-145 Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-01-F4-78-AE-C0 Par[...]

  • Page 358

    Command Line Interface 4-146 Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Console#show lacp sysid Port Channel System Priority System MAC Address ----------------------------[...]

  • Page 359

    Address Table Commands 4-147 mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id • mac-address -[...]

  • Page 360

    Command Line Interface 4-148 clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example show mac-address-table This command shows classes o[...]

  • Page 361

    Address Table Commands 4-149 means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example mac-address-table aging-time This command sets the aging time for entries[...]
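The mask semantics above (a 0 bit must match, a 1 bit is ignored) are easy to get backwards when auditing a forwarding table offline. The following is an added example, not code from the manual or from Accton, that applies those semantics to a constructed address table; the table entries and the OUI-prefix mask are assumptions, and the OUI case goes beyond the two masks the text shows.

```python
"""Added example (not from the Accton manual): MAC/mask matching with the
show mac-address-table semantics, where a mask bit of 0 must match and a
mask bit of 1 is ignored (00-00-00-00-00-00 = exact, FF-FF-FF-FF-FF-FF = any)."""
import re
from typing import Dict, List, Optional

# Accepts xx-xx-xx-xx-xx-xx or xx:xx:xx:xx:xx:xx, upper or lower case.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")
_ALL_BITS = 0xFFFFFFFFFFFF  # 48-bit MAC address width

def mac_to_int(mac: str) -> int:
    """Parse a MAC address string into a 48-bit integer; reject malformed input."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return int(re.sub(r"[-:]", "", mac), 16)

def mac_matches(entry: str, pattern: str, mask: str = "00-00-00-00-00-00") -> bool:
    """True if entry equals pattern on every bit where the mask bit is 0.

    Mask bits set to 1 are ignored, so FF-FF-FF-FF-FF-FF matches any address.
    """
    care = ~mac_to_int(mask) & _ALL_BITS          # bits that must be equal
    return (mac_to_int(entry) ^ mac_to_int(pattern)) & care == 0

# Constructed sample forwarding table (not real switch output).
ADDRESS_TABLE: List[Dict] = [
    {"interface": "Eth 1/1", "mac": "00-10-B5-62-98-31", "vlan": 1, "type": "Learned"},
    {"interface": "Eth 1/2", "mac": "00-10-B5-62-98-32", "vlan": 1, "type": "Learned"},
    {"interface": "Eth 1/3", "mac": "00-E0-29-94-34-DE", "vlan": 2, "type": "Permanent"},
    {"interface": "Eth 1/4", "mac": "00-10-B5-AA-BB-CC", "vlan": 2, "type": "Learned"},
]

def filter_address_table(pattern: str, mask: str = "00-00-00-00-00-00",
                         vlan: Optional[int] = None,
                         table: List[Dict] = ADDRESS_TABLE) -> List[Dict]:
    """Return entries whose MAC matches pattern under mask, optionally in one VLAN.

    A mask of 00-00-00-FF-FF-FF keeps only the OUI bits, so the pattern's first
    three octets select every address from one vendor prefix (an assumption that
    extends the two masks shown in the manual).
    """
    return [e for e in table
            if mac_matches(e["mac"], pattern, mask)
            and (vlan is None or e["vlan"] == vlan)]

if __name__ == "__main__":
    for e in filter_address_table("00-10-B5-00-00-00", "00-00-00-FF-FF-FF"):
        print(e["interface"], e["mac"], e["vlan"], e["type"])
```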

  • Page 362

    Command Line Interface 4-150 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-54 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree[...]

  • Page 363

    Spanning Tree Commands 4-151 spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detec[...]

  • Page 364

    Command Line Interface 4-152 members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option. • Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and[...]

  • Page 365

    Spanning Tree Commands 4-153 Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each[...]

  • Page 366

    Command Line Interface 4-154 Default Setting 20 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration me[...]

  • Page 367

    Spanning Tree Commands 4-155 spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree pathcost method {long | short} no spanning-tree pathcost method • long - Specifies 32-bit based values t[...]

  • Page 368

    Command Line Interface 4-156 spanning-tree mst-configuration This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. • The region name is set to the switch’s MAC address. Command Mode Global Configuration Example Related Commands mst vlan (4-156) mst[...]

  • Page 369

    Spanning Tree Commands 4-157 and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. Example mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the def[...]

  • Page 370

    Command Line Interface 4-158 Default Setting Switch’s MAC address Command Mode MST Configuration Command Usage The MST region name and revision number (page 4-158) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridg[...]

  • Page 371

    Spanning Tree Commands 4-159 max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting 20 Command Mode MST Configuration Command Usage[...]

  • Page 372

    Command Line Interface 4-160 spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, or 1-200,000,000) The recommended range[...]

  • Page 373

    Spanning Tree Commands 4-161 spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting 128 Command M[...]

  • Page 374

    Command Line Interface 4-162 devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overco[...]

  • Page 375

    Spanning Tree Commands 4-163 Related Commands spanning-tree edge-port (4-161) spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type •[...]

  • Page 376

    Command Line Interface 4-164 The recommended range is: - Ethernet: 200,000-20,000,000 - Fast Ethernet: 20,000-2,000,000 - Gigabit Ethernet: 2,000-200,000 - 10 Gigabit Ethernet: 200-20,000 Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the p[...]

  • Page 377

    Spanning Tree Commands 4-165 Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Usage • This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowes[...]

  • Page 378

    Command Line Interface 4-166 show spanning-tree This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance_id] • interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Rang[...]

  • Page 379

    Spanning Tree Commands 4-167 Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: 0 Vlans configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): 2 Bridge Max Age (sec.): 20 Bridge Forward Delay[...]

  • Page 380

    Command Line Interface 4-168 show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This s[...]

  • Page 381

    VLAN Commands 4-169 vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can displa[...]

  • Page 382

    Command Line Interface 4-170 Command Usage • no vlan vlan-id deletes the VLAN. • no vlan vlan-id name removes the VLAN name. • no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch. Example The following example adds a VLAN, using VLAN ID 105 and na[...]

  • Page 383

    VLAN Commands 4-171 Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Related Commands shutdown (4-129) switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {tru[...]

  • Page 384

    Command Line Interface 4-172 switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. • t[...]

  • Page 385

    VLAN Commands 4-173 • If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded. • Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STA. However, it does affect VLAN dependent BPDU frames, such as GMRP. Exampl[...]
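To make the interaction between acceptable-frame-types and ingress filtering concrete, here is an added example (not code from the manual or from Accton) that models the per-port ingress decision described on the two pages above. It assumes that the tagged option accepts only VLAN-tagged frames (the manual's description of that option is cut off here) and that an accepted untagged frame is classified into the port's native VLAN (PVID); the port and frame values are constructed.

```python
"""Added example (not from the Accton manual): a model of the ingress checks
described for switchport acceptable-frame-types and ingress filtering."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# BPDU kinds the manual names as VLAN independent (exempt from ingress filtering).
VLAN_INDEPENDENT_BPDU = frozenset({"STA", "GVRP"})

@dataclass(frozen=True)
class PortConfig:
    acceptable_frame_types: str = "all"        # "all" or "tagged", as in the manual
    ingress_filtering: bool = False
    member_vlans: FrozenSet[int] = frozenset({1})
    native_vlan: int = 1                       # PVID for untagged frames (assumption)

@dataclass(frozen=True)
class Frame:
    vlan_tag: Optional[int] = None   # 802.1Q VID, or None for an untagged frame
    bpdu: Optional[str] = None       # "STA"/"GVRP" (VLAN independent), "GMRP" (VLAN dependent)

Decision = Tuple[str, object]   # ("accept", vlan_id) or ("drop", reason)

def ingress_decision(port: PortConfig, frame: Frame) -> Decision:
    """Apply the ingress rules in the order the manual describes them."""
    if frame.vlan_tag is None:
        # acceptable-frame-types tagged: only VLAN-tagged frames are admitted
        # (assumption for the option whose text is truncated on this page).
        if port.acceptable_frame_types == "tagged":
            return ("drop", "untagged frame on a tagged-only port")
        return ("accept", port.native_vlan)
    # Ingress filtering discards frames tagged for VLANs the port is not a
    # member of, except VLAN-independent BPDUs (STA, GVRP). VLAN-dependent
    # BPDUs such as GMRP are filtered like ordinary tagged frames.
    if port.ingress_filtering and frame.bpdu not in VLAN_INDEPENDENT_BPDU:
        if frame.vlan_tag not in port.member_vlans:
            return ("drop", f"port is not a member of VLAN {frame.vlan_tag}")
    return ("accept", frame.vlan_tag)

def drop_summary(port: PortConfig, frames: List[Frame]) -> Dict[str, int]:
    """Count drop reasons over a batch of frames; useful when reviewing a port policy."""
    counts: Dict[str, int] = {}
    for f in frames:
        verdict, detail = ingress_decision(port, f)
        if verdict == "drop":
            counts[str(detail)] = counts.get(str(detail), 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed access port: member of VLANs 1 and 10, ingress filtering on.
    port = PortConfig(ingress_filtering=True, member_vlans=frozenset({1, 10}))
    sample = [Frame(), Frame(vlan_tag=10), Frame(vlan_tag=20),
              Frame(vlan_tag=20, bpdu="GVRP"), Frame(vlan_tag=20, bpdu="GMRP")]
    for f in sample:
        print(f, "->", ingress_decision(port, f))
    print(drop_summary(port, sample))
```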

  • Page 386

    Command Line Interface 4-174 switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add[...]

  • Page 387

    VLAN Commands 4-175 switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. • remove vlan-list - List of VL[...]

  • Page 388

    Command Line Interface 4-176 show vlan This command shows VLAN information. Syntax show vlan [id vlan-id | name vlan-name] • id - Keyword to be followed by the VLAN ID. vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes) • name - Keyword to be followed by the VLAN name. vlan-name - ASCII string[...]

  • Page 389

    VLAN Commands 4-177 Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VLANs. pvlan This command enables or configures a private VLAN. Use the no form to disable the private VLAN. Syntax pvlan [u[...]

  • Page 390

    Command Line Interface 4-178 show pvlan This command displays the configured private VLAN. Command Mode Privileged Exec Example Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between dif[...]

  • Page 391

    VLAN Commands 4-179 protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol] no protocol-vlan protocol[...]

  • Page 392

    Command Line Interface 4-180 Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-169), these interfaces will admit traffic of any protocol type into the associated VLAN. • When a frame enters a po[...]

  • Page 393

    GVRP and Bridge Extension Commands 4-181 show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Rang[...]

  • Page 394

    Command Line Interface 4-182 bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on port[...]

  • Page 395

    GVRP and Bridge Extension Commands 4-183 switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Example show gvrp configuration This command shows if GVRP is enabled. Synta[...]

  • Page 396

    Command Line Interface 4-184 garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} • {join | leave | leaveall} - Which timer to set. • timer_val[...]

  • Page 397

    Priority Commands 4-185 show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-8) • port-channel channel-id (Range: 1-4) Default Setting Shows all GARP timers. Command Mode Nor[...]

  • Page 398

    Command Line Interface 4-186 Priority Commands (Layer 2) queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode • strict - Services the egress[...]

  • Page 399

    Priority Commands 4-187 Example The following example sets the queue mode to strict priority service mode: switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax switchport priority default default-priority-id no switchport priority default default[...]

  • Page 400

    Command Line Interface 4-188 queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight4 no queue bandwidth weight1...weight4 - The ratio of weights for queues 0 - 7 deter[...]

  • Page 401

    Priority Commands 4-189 Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below[...]

  • Page 402

    Command Line Interface 4-190 show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues. Default Setting None Command Mode Privileged Exec Example show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] in[...]

  • Page 403

    Priority Commands 4-191 Priority Commands (Layer 3 and 4) map ip port (Global Configuration) This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. Syntax [no] map ip port Default Setting Disabled Command Mode Global Configuration Command Usage The[...]

  • Page 404

    Command Line Interface 4-192 Default Setting None Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switch port priority. • This command sets the IP port priority for all interfaces. Example The followi[...]

  • Page 405

    Priority Commands 4-193 map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence • precedence-value - 3-bit precedence value. (Range:[...]

  • Page 406

    Command Line Interface 4-194 Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switch port priority. • IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type. Example The following example shows how to[...]

  • Page 407

    Priority Commands 4-195 • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the eight hardware priority queues. • This command sets the IP DSCP priority for all interfaces. Example The following example shows how[...]

  • Page 408

    Command Line Interface 4-196 show map ip precedence This command shows the IP precedence priority map. Syntax show map ip precedence [interface] interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-8) • port-channel channel-id (Range: 1-4) Default Setting None Command Mode Privileged E[...]

  • Page 409

    Multicast Filtering Commands 4-197 Default Setting None Command Mode Privileged Exec Example Related Commands map ip dscp (Global Configuration) (4-193) map ip dscp (Interface Configuration) (4-194) Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that w[...]

  • Page 410

    Command Line Interface 4-198 IGMP Snooping Commands ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. ip igmp snooping vlan static This[...]

  • Page 411

    Multicast Filtering Commands 4-199 Example The following shows how to statically configure a multicast group on a port: ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2} no ip igmp snooping version • 1 - IGMP Version 1 ?[...]

  • Page 412

    Command Line Interface 4-200 Example The following shows the current IGMP snooping configuration: show mac-address-table multicast This command shows known multicast addresses. Syntax show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] • vlan-id - VLAN ID (Range: 1-4094) • user - Display only th[...]

  • Page 413

    Multicast Filtering Commands 4-201 IGMP Query Commands (Layer 2) ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Command Usage If enabled, the switch will serve as querier if[...]

  • Page 414

    Command Line Interface 4-202 Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using t[...]

  • Page 415

    Multicast Filtering Commands 4-203 Default Setting 10 seconds Command Mode Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of quer[...]

  • Page 416

    Command Line Interface 4-204 Example The following shows how to configure the default timeout to 300 seconds: Related Commands ip igmp snooping version (4-199) Static Multicast Routing Commands ip igmp snooping vlan mrouter This command statically configures a multicast router port. Use the no form to remove the configuration.[...]

  • Page 417

    IP Interface Commands 4-205 Example The following shows how to configure port 1 as a multicast router port within VLAN 1: show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Ra[...]

  • Page 418

    Command Line Interface 4-206 ip address This command sets the IP address for the currently selected VLAN interface. Use the no form to restore the default IP address. Syntax ip address {ip-address netmask | bootp | dhcp} no ip address • ip-address - IP address • netmask - Network mask for the associated IP subnet. This m[...]

  • Page 419

    IP Interface Commands 4-207 Example In the following example, the device is assigned an address in VLAN 1. Related Commands ip dhcp restart (4-207) ip default-gateway This command establishes a static route between this switch and devices that exist on another network segment. Use the no form to remove the static route. Syntax[...]

  • Page 420

    Command Line Interface 4-208 • DHCP requires the server to reassign the client’s last address if available. • If the BOOTP or DHCP server has been moved to a different domain, the network portion of the address provided to the client will be based on this new domain. Example In the following example, the device is reassigne[...]

  • Page 421

    IP Interface Commands 4-209 Related Commands ip default-gateway (4-207) ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [count count] [size size] • host - IP address or IP alias of the host. • count - Number of packets to send. (Range: 1-16, default: 5) • size - Number o[...]

  • Page 422

    Command Line Interface 4-210 DNS Commands These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation[...]

  • Page 423

    DNS Commands 4-211 Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device. Example This ex[...]

  • Page 424

    Command Line Interface 4-212 Default Setting None Command Mode Global Configuration Example Related Commands ip domain-list (4-212) ip name-server (4-213) ip domain-lookup (4-214) ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a clien[...]

  • Page 425

    DNS Commands 4-213 Example This example adds two domain names to the current list and then displays the list. Related Commands ip domain-name (4-211) ip name-server This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server[...]


Command Line Interface 4-214 4
Example
This example adds two domain-name servers to the list and then displays the list.
Related Commands
ip domain-name (4-211)
ip domain-lookup (4-214)

ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[no] ip domain[...]


DNS Commands 4-215 4
Related Commands
ip domain-name (4-211)
ip name-server (4-213)

show hosts
This command displays the static host name-to-address mapping table.
Command Mode
Privileged Exec
Example
Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
show[...]


Command Line Interface 4-216 4
show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example

clear dns cache
This command clears all entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns cache
NO FLAG TYPE IP TTL DOMAIN
0 4 CNAME 10.2.44.96 893 pttch_pc.accton.com.tw
1 4 CNAM[...]
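The `show dns cache` output is a fixed six-column table, which makes it easy to collect from a management station and check against what the switch's name resolution should look like. The following Python is an added example and not code from the Accton manual: it parses a capture of that output into records, lists cached answers whose address falls outside an operator-supplied set of trusted prefixes (a cheap way to notice a management-plane host name such as NTP or RADIUS resolving somewhere unexpected), and shows how an incomplete host name is expanded with the `ip domain-list` entries described on the preceding pages. The sample capture is constructed (its first data row copies the manual's example row, the rest are made up), and the expansion rule in `candidate_names` is this example's assumption, since the manual's description of `ip domain-list` is truncated here.

```python
"""Parse `show dns cache` output from the switch and sanity-check it.

Added example, not code from the Accton manual. The column layout
(NO FLAG TYPE IP TTL DOMAIN) follows the manual's example output; the
capture below is constructed (the first data row mirrors the manual's
example, the remaining rows are made up for illustration).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed sample capture in the manual's column layout.
SAMPLE_OUTPUT = """\
Console#show dns cache
NO FLAG TYPE IP TTL DOMAIN
0 4 CNAME 10.2.44.96 893 pttch_pc.accton.com.tw
1 4 CNAME 10.2.44.96 893 pttch_pc
2 4 A 10.2.44.10 120 ntp.accton.com.tw
3 4 A 198.51.100.7 45 updates.example.net
Console#"""


@dataclass
class CacheEntry:
    index: int
    flag: int
    rtype: str
    ip: str
    ttl: int
    domain: str


def parse_dns_cache(text: str) -> List[CacheEntry]:
    """Return one CacheEntry per data row; prompt, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly six whitespace-separated columns and
        # starts with the numeric entry index; anything else is skipped.
        if len(fields) != 6 or not fields[0].isdigit():
            continue
        no, flag, rtype, ip, ttl, domain = fields
        ip_address(ip)  # raises ValueError if the IP column is malformed
        entries.append(CacheEntry(int(no), int(flag), rtype, ip, int(ttl), domain))
    return entries


def entries_outside(entries: List[CacheEntry], trusted_prefixes: List[str]) -> List[CacheEntry]:
    """Cached answers whose address lies outside every trusted prefix.

    A management-plane name (NTP, syslog, RADIUS server) that suddenly
    resolves outside the expected networks is worth a closer look.
    """
    nets = [ip_network(p) for p in trusted_prefixes]
    return [e for e in entries if not any(ip_address(e.ip) in n for n in nets)]


def candidate_names(host: str, domain_list: List[str]) -> List[str]:
    """Expand an incomplete host name with each configured domain, in order.

    Assumption of this example: a name containing a dot is treated as
    complete and looked up as-is; otherwise each domain-list entry is
    appended in list order, giving the names a resolver would try.
    """
    if "." in host:
        return [host]
    return [f"{host}.{d}" for d in domain_list]


if __name__ == "__main__":
    cache = parse_dns_cache(SAMPLE_OUTPUT)
    for e in entries_outside(cache, ["10.0.0.0/8"]):
        print(f"entry {e.index}: {e.domain} -> {e.ip} (ttl {e.ttl}s) is outside the trusted prefixes")
    print(candidate_names("ntp", ["accton.com.tw", "example.net"]))
```

Run against a real capture, the trusted prefix list should be the networks your own name servers are expected to hand out for internal names; a hit from `entries_outside` is a prompt to compare the switch's configured `ip name-server` entries and the cache contents with what the DNS team expects, not proof of a problem by itself.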


A-1
Appendix A: Software Specifications
Software Features
Authentication: Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security
Access Control Lists: IP, MAC (up to 32 lists)
DHCP Client
DNS Server
Port Configuration
RJ-45: 100BASE-TX: 10/100 Mbps at half/full duplex [33]
XFP: 10GBASE-SR/LR - 10 Gbps at full duplex [34]
Broadcast [...]


Software Specifications A-2 A
Additional Features
BOOTP client
SNTP (Simple Network Time Protocol)
SNMP (Simple Network Management Protocol)
RMON (Remote Monitoring, groups 1, 2, 3, 9)
SMTP Email Alerts
Management Features
In-Band Management: Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell
Out-of-Band Management [...]


Management Information Bases A-3 A
SNTP (RFC 2030)
SSH (Version 2.0)
TFTP (RFC 1350)
Management Information Bases
Bridge MIB (RFC 1493)
Entity MIB (RFC 2737)
Ether-like MIB (RFC 2665)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC[...]


Software Specifications A-4 A [...]


B-1
Appendix B: Troubleshooting
Problems Accessing the Management Interface
Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
• Check that you have a valid[...]


Troubleshooting B-2 B
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.[...]


Glossary-1
Glossary
Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, th[...]


Glossary-2 Glossary
Extensible Authentication Protocol over LAN (EAPOL)
EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password is requested by the switch, and then passed to an authentication server (e.g., RADIUS) for ver[...]


Glossary-3 Glossary
IEEE 802.1X
Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.
IEEE 802.3ac
Defines frame extensions for VLAN tagging.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP M[...]


Glossary-4 Glossary
Link Aggregation Control Protocol (LACP)
Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
Management Information Base (MIB)
An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.
MD5 M[...]


Glossary-5 Glossary
Quality of Service (QoS)
QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping. These features effectively provide preferential treatment to specific flows either by [...]


Glossary-6 Glossary
Telnet
Defines a remote communication facility for interfacing to a terminal device over TCP/IP.
Terminal Access Controller Access Control System Plus (TACACS+)
TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the ne[...]


Index-1
Numerics
802.1X, port authentication 3-64, 4-78
A
acceptable frame type 3-141, 4-172
Access Control List, See ACL
ACL
  Extended IP 3-74, 4-86, 4-87, 4-90
  MAC 3-74, 4-86, 4-100, 4-101–4-103
  Standard IP 3-74, 4-86, 4-87, 4-89
address table 3-109, 4-146
  aging time 3-112, 4-149
B
BOOTP 3-15, 4-206
BPDU 3-113
broadcast sto[...]


Index-2 Index
H
hardware version, displaying 3-10, 4-61
HTTPS 3-55, 4-30
HTTPS, secure server 3-55, 4-30
I
IEEE 802.1D 3-112, 4-151
IEEE 802.1s 4-151
IEEE 802.1w 3-112, 4-151
IEEE 802.1X 3-64, 4-78
IGMP
  description of protocol 3-160
  groups, displaying 3-165, 4-200
  Layer 2 3-160, 4-198
  query 3-160, 4-201
  query, Layer 2 3-161, [...]


Index-3 Index
  capabilities 3-88, 4-128
  duplex mode 3-88, 4-126
  speed 3-88, 4-126
ports, configuring 3-85, 4-125
ports, mirroring 3-103, 4-134
priority, default port ingress 3-147, 4-187
problems, troubleshooting B-1
protocol migration 3-125, 4-165
Q
queue weights 3-151, 4-188
R
RADIUS, logon authentication 3-52, 4-71
rate l[...]


Index-4 Index
  displaying port members 3-136, 4-176
  egress mode 3-142, 4-171
  interface configuration 3-141, 4-172–4-175
  private 3-143, 4-177
  protocol 3-144, 4-178
W
Web interface
  access requirements 3-1
  configuration buttons 3-3
  home page 3-2
  menu list 3-4
  panel display 3-3[...]



ES5508 E042005-R01 14910002 2900A[...]