SMC Networks SMC8126PL2-F user manual

A good user manual

Regulations oblige the seller to supply the buyer, together with the goods, with the user manual for the SMC Networks SMC8126PL2-F. A missing user manual, or incorrect information supplied to the consumer, is grounds for a complaint that the device does not conform to the contract. By law, the user manual may be supplied in a form other than paper, which has become common recently, including graphic or electronic versions of the SMC Networks SMC8126PL2-F manual or instruction videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to arrange. Thus the SMC Networks SMC8126PL2-F user manual describes the steps of a procedure. The purpose of a user manual is to instruct, and to make it easier to start up and use the equipment or to carry out specific actions. A user manual is a collection of information about the product or service, a guide.

Unfortunately, few users take the time to read the user manual, yet a good manual not only introduces a number of additional features of the purchased device but also helps avoid most failures.

So what should the perfect manual contain?

First of all, the SMC Networks SMC8126PL2-F user manual should contain:
- information on the technical characteristics of the SMC Networks SMC8126PL2-F device
- the manufacturer's name and the year of manufacture of the SMC Networks SMC8126PL2-F
- instructions for using, adjusting and maintaining the SMC Networks SMC8126PL2-F equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and uncertainty about the specific functionality of the purchased equipment. Unfortunately, connecting and starting up the SMC Networks SMC8126PL2-F is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (including the products that should be used), possible faults of the SMC Networks SMC8126PL2-F and ways of solving common problems during use. Finally, the manual contains the contact details of SMC Networks service in case the proposed solutions are not effective. Currently, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the whole instruction video without skipping the complicated specifications and technical descriptions of the SMC Networks SMC8126PL2-F, as happens with the paper version.

Why read the user manual?

First of all, it answers questions about the structure and capabilities of the SMC Networks SMC8126PL2-F device, the use of various accessories, and a range of information for making full use of all its features and conveniences.

After successfully purchasing the equipment/device, take a moment to familiarize yourself with every part of the SMC Networks SMC8126PL2-F user manual. Nowadays they are carefully prepared and translated so that they are not only understandable for users but also fulfill their basic function of informing and helping.

User manual table of contents

  • Page 1

    MANAGEMENT GUIDE TigerSwitch TM 10/100/1000 L2-Lite SMB PoE Gigabit Switch SMC8126PL2-F[...]

  • Page 2

    [...]

  • Page 3

    20 Mason Irvine, CA 92618 Phone: (949) 679-8000 TigerSwitch 10/100/1000 Management Guide From SMC's Tiger line of feature-rich workgroup LAN solutions August 2009 Pub. # 149100 000023A E082009/MW-R01[...]

  • Page 4

    Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. S[...]

  • Page 5

    v About This Guide Purpose This guide gives specific information on how to operate and use the management functions of the switch. Audience The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, th[...]

  • Page 6

    vi[...]

  • Page 7

    vii Contents Chapter 1: Introduction 1-1 Key Features 1-1 Description of Software Features 1-2 System Defaults 1-6 Chapter 2: Initial Configuration 2-1 Connecting to the Switch 2-1 Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3 Basic Configuration 2-3 Console Connection 2-3 Setting Passwords 2-4 Setting an IP Address 2[...]

  • Page 8

    Contents viii Saving or Restoring Configuration Settings 3-22 Downloading Configuration Settings from a Server 3-23 Console Port Settings 3-24 Telnet Settings 3-26 Configuring Event Logging 3-28 System Log Configuration 3-28 Remote Log Configuration 3-29 Displaying Log Messages 3-31 Simple Mail Transfer Protocol 3-31 Renumbering the System 3-33 [...]

  • Page 9

    Contents ix Generating the Host Key Pair 3-77 Configuring the SSH Server 3-79 Configuring 802.1X Port Authentication 3-80 Displaying 802.1X Global Settings 3-81 Configuring 802.1X Global Settings 3-82 Configuring Port Settings for 802.1X 3-83 Displaying 802.1X Statistics 3-86 Filtering IP Addresses for Management Access 3-87 General Security Me[...]

  • Page 10

    Contents x Setting a Switch Power Budget 3-136 Displaying Port Power Status 3-136 Configuring Port PoE Power 3-137 Address Table Settings 3-139 Setting Static Addresses 3-139 Displaying the Address Table 3-140 Changing the Aging Time 3-141 Spanning Tree Algorithm Configuration 3-142 Displaying Global Settings for STA 3-144 Configuring Global Set[...]

  • Page 11

    Contents xi Quality of Service 3-200 Configuring Quality of Service Parameters 3-201 Configuring a Class Map 3-201 Creating QoS Policies 3-204 Attaching a Policy Map to Ingress Queues 3-207 Multicast Filtering 3-208 Layer 2 IGMP (Snooping and Query) 3-209 Configuring IGMP Snooping and Query Parameters 3-210 Enabling IGMP Immediate Leave 3-212 Disp[...]

  • Page 12

    Contents xii Partial Keyword Lookup 4-5 Negating the Effect of Commands 4-5 Using Command History 4-5 Understanding Command Modes 4-6 Exec Commands 4-6 Configuration Commands 4-7 Command Line Processing 4-9 Command Groups 4-10 General Commands 4-11 enable 4-11 disable 4-12 configure 4-12 show history 4-13 reload 4-13 prompt 4-14 end 4-14 exit 4-15[...]

  • Page 13

    Contents xiii speed 4-38 stopbits 4-38 disconnect 4-39 show line 4-39 Event Logging Commands 4-40 logging on 4-41 logging history 4-42 logging host 4-43 logging facility 4-43 logging trap 4-44 clear log 4-44 show logging 4-45 show log 4-46 SMTP Alert Commands 4-47 logging sendmail host 4-47 logging sendmail level 4-48 logging sendmail source-ema[...]

  • Page 14

    Contents xiv snmp-server engine-id 4-68 show snmp engine-id 4-69 snmp-server view 4-69 show snmp view 4-71 snmp-server group 4-71 show snmp group 4-73 snmp-server user 4-74 show snmp user 4-75 Authentication Commands 4-76 User Account and Privilege Level Commands 4-77 username 4-77 enable password 4-78 privilege 4-79 privilege rerun 4-79 show[...]

  • Page 15

    Contents xv Web Server Commands 4-99 ip http port 4-99 ip http server 4-100 ip http secure-server 4-100 ip http secure-port 4-101 Telnet Server Commands 4-102 ip telnet server 4-102 Secure Shell Commands 4-103 ip ssh server 4-105 ip ssh timeout 4-106 ip ssh authentication-retries 4-106 ip ssh server-key size 4-107 delete public-key 4-107 ip ssh cr[...]

  • Page 16

    Contents xvi show network-access mac-address-table 4-130 DHCP Snooping Commands 4-131 ip dhcp snooping 4-132 ip dhcp snooping vlan 4-133 ip dhcp snooping trust 4-134 ip dhcp snooping verify mac-address 4-135 ip dhcp snooping information option 4-136 ip dhcp snooping information policy 4-137 show ip dhcp snooping 4-138 show ip dhcp snooping bindi[...]

  • Page 17

    Contents xvii show interfaces switchport 4-165 Link Aggregation Commands 4-167 channel-group 4-168 lacp 4-169 lacp system-priority 4-170 lacp admin-key (Ethernet Interface) 4-171 lacp admin-key (Port Channel) 4-172 lacp port-priority 4-173 show lacp 4-174 Mirror Port Commands 4-178 port monitor 4-178 show port monitor 4-179 RSPAN Mirroring Commands[...]

  • Page 18

    Contents xviii mst priority 4-203 name 4-204 revision 4-205 max-hops 4-205 spanning-tree spanning-disabled 4-206 spanning-tree cost 4-206 spanning-tree port-priority 4-208 spanning-tree edge-port 4-208 spanning-tree portfast 4-209 spanning-tree link-type 4-210 spanning-tree mst cost 4-211 spanning-tree mst port-priority 4-212 spanning-tree protoc[...]

  • Page 19

    Contents xix Configuring Private VLANs 4-235 private-vlan 4-236 private vlan association 4-237 switchport mode private-vlan 4-238 switchport private-vlan host-association 4-238 switchport private-vlan mapping 4-239 show vlan private-vlan 4-239 Configuring Protocol-based VLANs 4-240 protocol-vlan protocol-group (Configuring Groups) 4-241 protocol[...]

  • Page 20

    Contents xx IGMP Snooping Commands 4-266 ip igmp snooping 4-267 ip igmp snooping vlan static 4-267 ip igmp snooping version 4-268 ip igmp snooping leave-proxy 4-268 ip igmp snooping immediate-leave 4-269 show ip igmp snooping 4-270 show mac-address-table multicast 4-270 IGMP Query Commands (Layer 2) 4-271 ip igmp snooping querier 4-271 ip igmp sn[...]

  • Page 21

    Contents xxi ip default-gateway 4-298 ip dhcp restart 4-299 show ip interface 4-299 show ip redirects 4-300 ping 4-300 Appendix A: Software Specifications A-1 Software Features A-1 Management Features A-2 Standards A-2 Management Information Bases A-3 Appendix B: Troubleshooting B-1 Problems Accessing the Management Interface B-1 Using System Lo[...]

  • Page 22

    Contents xxii[...]

  • Page 23

    xxiii Tables Table 1-1 Key Features 1-1 Table 1-2 System Defaults 1-6 Table 3-1 Configuration Options 3-3 Table 3-2 Main Menu 3-4 Table 3-3 Logging Levels 3-28 Table 3-5 Supported Notification Messages 3-49 Table 3-6 HTTPS System Support 3-73 Table 3-7 802.1X Statistics 3-86 Table 3-8 LACP Port Counters 3-122 Table 3-9 LACP Internal Configuration[...]

  • Page 24

    Tables xxiv Table 4-25 Authentication Commands 4-76 Table 4-24 show snmp user - display description 4-76 Table 4-26 User Access Commands 4-77 Table 4-27 Default Login Settings 4-77 Table 4-28 Authentication Sequence 4-80 Table 4-29 RADIUS Client Commands 4-83 Table 4-30 TACACS Commands 4-86 Table 4-32 Web Server Commands 4-99 Table 4-33 HTTPS S[...]

  • Page 25

    Tables xxv Table 4-76 Priority Commands 4-244 Table 4-77 Priority Commands (Layer 2) 4-244 Table 4-78 Default CoS Values to Egress Queues 4-248 Table 4-79 Priority Commands (Layer 3 and 4) 4-250 Table 4-81 IP DSCP to CoS Values 4-253 Table 4-82 Quality of Service Commands 4-257 Table 4-83 Multicast Filtering Commands 4-266 Table 4-84 IGMP S[...]

  • Page 26

    Tables xxvi[...]

  • Page 27

    xxvii Figures Figure 3-1 Home Page 3-2 Figure 3-2 Panel Display 3-3 Figure 3-3 System Information 3-12 Figure 3-4 Switch Information 3-13 Figure 3-5 Bridge Extension Configuration 3-15 Figure 3-6 Manual IP Configuration 3-17 Figure 3-7 DHCP IP Configuration 3-18 Figure 3-8 Bridge Extension Configuration 3-19 Figure 3-9 Copy Firmware 3-21 Fi[...]

  • Page 28

    Figures xxviii Figure 3-43 AAA Accounting Summary 3-69 Figure 3-44 AAA Authorization Settings 3-71 Figure 3-45 AAA Authorization Exec Settings 3-71 Figure 3-46 AAA Authorization Summary 3-72 Figure 3-47 HTTPS Settings 3-74 Figure 3-48 SSH Host-Key Settings 3-78 Figure 3-49 SSH Server Settings 3-79 Figure 3-50 802.1X Global Information 3-81 Figu[...]

  • Page 29

    Figures xxix Figure 3-88 Setting the Address Aging Time 3-141 Figure 3-89 Displaying Spanning Tree Information 3-146 Figure 3-90 Configuring Spanning Tree 3-150 Figure 3-91 Displaying Spanning Tree Port Information 3-153 Figure 3-92 Configuring Spanning Tree per Port 3-157 Figure 3-93 Configuring Multiple Spanning Trees 3-159 Figure 3-94 Dis[...]

  • Page 30

    Figures xxx Figure 3-133 MVR Port Configuration 3-229 Figure 3-134 MVR Group Member Configuration 3-230 Figure 3-135 DNS General Configuration 3-232 Figure 3-136 DNS Static Host Table 3-234 Figure 3-137 DNS Cache 3-235 Figure 3-138 Cluster Member Choice 3-236 Figure 3-139 Cluster Configuration 3-237 Figure 3-140 Cluster Member Configuration 3-[...]

  • Page 31

    1-1 Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to m[...]

  • Page 32

    Introduction 1-2 1 Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast or unknown unicast traffic storms from engulfing the network. Port-based, [...]

  • Page 33

    Description of Software Features 1-3 1 Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connection[...]

  • Page 34

    Introduction 1-4 1 (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 4 Mbits for frame buffering. This buffer can queue packets awaiting transmission on congested networks. Spanning Tree Algorithm – The switch supports these spanning tr[...]

  • Page 35

    Description of Software Features 1-5 1 Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These func[...]

  • Page 36

    Introduction 1-6 1 System Defaults The switch's system defaults are provided in the configuration file "Factory_Default_Config.cfg." To reset the switch defaults, this file should be set as the startup configuration file (page 3-22). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Par[...]

  • Page 37

    System Defaults 1-7 1 SNMP SNMP Agent Enabled Community Strings "public" (read only), "private" (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: default view Group: public (read only) private (read/write) Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled [...]

  • Page 38

    Introduction 1-8 1 IP Settings IP Address DHCP assigned Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 DHCP Client: Enabled DNS Client/Proxy service: Disabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping: Enabled Querier: Enabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged Levels 0-7 (all) Messag[...]

  • Page 39

    2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring vi[...]

  • Page 40

    Initial Configuration 2-2 2 • Configure up to 32 static or LACP trunks • Enable port mirroring • Set broadcast, multicast or unknown unicast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring an[...]

  • Page 41

    Basic Configuration 2-3 2 Remote Connections Prior to accessing the switch's onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configur[...]

  • Page 42

    Initial Configuration 2-4 2 Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the "username" command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthori[...]

  • Page 43

    Basic Configuration 2-5 2 Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: 1. From the Global Con[...]

  • Page 44

    Initial Configuration 2-6 2 4. If network connections are normally slow, type "ip dhcp restart" to re-start broadcasting service requests. Press <Enter>. 5. Wait a few minutes, and then check the IP configuration settings by typing the "show ip interface" command. Press <Enter>. 6. Then save your configuration changes[...]

  • Page 45

    Basic Configuration 2-7 2 The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 o[...]

  • Page 46

    Initial Configuration 2-8 2 Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called "mi[...]

  • Page 47

    Managing System Files 2-9 2 Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 16 Mbytes of flash memory for system files. In the system flash memory, on[...]

  • Page 48

    Initial Configuration 2-10 2[...]

  • Page 49

    3-1 Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2[...]

  • Page 50

    Configuring the Switch 3-2 3 Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is "admin." Home Page When your web browser [...]

  • Page 51

    Navigating the Web Browser Interface 3-3 3 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons. Notes: 1. To ensure proper sc[...]

  • Page 52

    Configuring the Switch 3-4 3 Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page System 3-11 System Informatio[...]

  • Page 53

    Navigating the Web Browser Interface 3-5 3 SNMPv3 3-43 Engine ID Sets the SNMP v3 engine ID on this switch 3-43 Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-44 Users Configures SNMP v3 users on this switch 3-45 Remote Users Configures SNMP v3 users from a remote device 3-47 Groups Configures SNMP v3 groups 3-49 Views Conf[...]

  • Page 54

    Configuring the Switch 3-6 3 802.1X Port authentication 3-80 Information Displays global configuration settings 3-82 Configuration Configures the global configuration setting 3-82 Port Configuration Sets parameters for individual ports 3-83 Statistics Displays protocol statistics for the selected port 3-86 ACL Access Control Lists 3-91 Config[...]

  • Page 55

    Navigating the Web Browser Interface 3-7 3 Power Config Configures the power budget for the switch 3-136 Power Port Status Displays the status of port power parameters 3-136 Power Port Config Configures port power parameters 3-137 Address Table 3-139 Static Addresses Displays entries for interface, address or VLAN 3-139 Dynamic Addresses Displa[...]

  • Page 56

    Configuring the Switch 3-8 3 Trunk Configuration Specifies default trunk VID and VLAN attributes 3-176 Tunnel Port Configuration Adds ports to a QinQ tunnel 3-182 Tunnel Trunk Configuration Adds trunks to a QinQ tunnel 3-182 Private VLAN 3-184 Status Enables or disables the private VLAN 3-184 Link Status Configures the private VLAN 3-185 Protoco[...]

  • Page 57

    Navigating the Web Browser Interface 3-9 3 IGMP Immediate Leave Enables the immediate leave function 3-212 Multicast Router Port Information Displays the ports that are attached to a neighboring multicast router for each VLAN ID 3-214 Static Multicast Router Port Configuration Assigns ports that are attached to a neighboring multicast router 3-[...]

  • Page 58

    Configuring the Switch 3-10 3 Binding Information Displays the DHCP Snooping binding information 3-106 IP Source Guard 3-107 Port Configuration Enables IP source guard and selects filter type per port 3-107 Static Configuration Adds static addresses to the source-guard binding table 3-109 Dynamic Information Displays the source-guard binding[...]

  • Page 59

    Basic Configuration 3-11 3 Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Att[...]

  • Page 60

    Configuring the Switch 3-12 3 Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3 System Information CLI – Specify the hostname,[...]

  • Page 61

    Basic Configuration 3-13 3 Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. • Number of Ports – Numbe[...]

  • Page 62

    Configuring the Switch 3-14 3 CLI – Use the following command to display version information. Console#show version 4-22 Unit 1 Unit 1 Serial Number: MWOR0AA134A00 09 Hardware Version: R01 EPLD Version: 0.00 Number of Ports: 26 Main Power Status: Up Redundant Power Status: Not present Agent (Master) Unit ID: 1 Loader Version: 1.0.0.2 Boot ROM Ve[...]

  • Page 63

    Basic Configuration 3-15 3 Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This [...]

  • Page 64

    Configuring the Switch 3-16 3 CLI – Enter the following command. Setting the Switch's IP Address This section describes how to configure an IP interface for management access over the network. The IP address for the stack is obtained via DHCP by default. To manually configure an address, you need to change the switch's default settings [...]

  • Page 65

    Basic Configuration 3-17 3 Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to "Static," enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI – Specify the management interface, [...]

  • Page 66

    Configuring the Switch 3-18 3 Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your chan[...]

  • Page 67

    Basic Configuration 3-19 3 Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via[...]

  • Page 68

    Configuring the Switch 3-20 3 Managing Firmware Just specify the method of file transfer, along with the file type and file names as required. By saving run-time code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. Only two copies of the system software (i.e., the run-time firmware) can [...]

  • Page 69

    Basic Configuration 3-21 3 Web – Click System, File Management, Copy Operation. Select "tftp to file" as the file transfer method, enter the IP address of the TFTP server, set the file type to "opcode," enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click[...]

  • Page 70

    Configuring the Switch 3-22 3 CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select "opcode" as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch. To start the new f[...]

  • Page 71

    Basic Configuration 3-23 3 Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file "Factory_Default_Config.cfg" can be c[...]

  • Page 72

    Configuring the Switch 3-24 3 CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. To select another configuration file as the start-up configuration, use the boot system command and then restart the switch. Console Port Settings You [...]

  • Page 73

    Basic Configuration 3-25 3 • Speed – Sets the terminal line's baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400 baud; Default: 9600) • Stop Bits – Sets the number of the stop bits transmitted per byte. (Ra[...]

  • Page 74

    Configuring the Switch 3-26 3 CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Telnet Settings You can access the onboard configuration program over the network using Telnet (i.e., [...]

  • Page 75

    Basic Configuration 3-27 3 • Password 2 – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) • Login 2 – Enables password checking at login. You can sel[...]

  • Page 76

    Configuring the Switch 3-28 3 Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. System Log Configuration The system allows you to enable or disa[...]

  • Page 77

Basic Configuration 3-29

Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.
Figure 3-16 System Logs
CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command[...]

Configuring the Switch 3-30

• Host IP Address – Specifies a new server IP address to add to the Host IP List.
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then[...]

Basic Configuration 3-31

Displaying Log Messages
The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Web – Click System, Log, Logs.
Figure [...]

Configuring the Switch 3-32

• SMTP Server – Specifies a new SMTP server address to add to the SMTP Server List.
• Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list[...]

Basic Configuration 3-33

CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail co[...]

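The logging pages above configure four destinations (RAM, flash, a remote syslog host, and SMTP alerts), each with its own severity threshold. The following model, added here as an example and not code from the manual or the switch firmware, shows how the standard syslog PRI header decodes into facility and severity, and how a threshold of N admits every message whose numeric severity is N or lower (i.e. at least as severe). The sample lines, the threshold values, and the 2048/4096 buffer sizes from the Logs page are all constructed for the example.

```python
"""Severity-based log routing model for a switch's RAM/flash/remote/e-mail logging (added example)."""
import re
from collections import deque

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# RFC 3164 header: "<PRI>" where PRI = facility * 8 + severity, PRI <= 191
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Return (facility, severity, message) for one syslog line.

    Raises ValueError when the PRI header is missing or out of range, so a
    collector never silently files a malformed line as 'debug'.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


class LogRouter:
    """Routes each message to the destinations whose threshold admits its severity.

    A destination with threshold None is disabled (e.g. no SMTP server configured).
    RAM and flash are bounded ring buffers; the oldest entry is discarded first.
    """

    def __init__(self, ram_level, flash_level, remote_level=None, sendmail_level=None,
                 ram_capacity=2048, flash_capacity=4096):
        self.levels = {"ram": ram_level, "flash": flash_level,
                       "remote": remote_level, "sendmail": sendmail_level}
        self.ram = deque(maxlen=ram_capacity)
        self.flash = deque(maxlen=flash_capacity)

    def route(self, line):
        """Return the sorted list of destinations that received this line."""
        _facility, severity, msg = parse_pri(line)
        targets = [dest for dest, lvl in self.levels.items()
                   if lvl is not None and severity <= lvl]
        if "ram" in targets:
            self.ram.append(msg)
        if "flash" in targets:
            self.flash.append(msg)
        return sorted(targets)


# Constructed sample lines (facility local7 = 23): severities 4, 2 and 7.
SAMPLE_LINES = [
    "<188>Jan  1 00:00:01 switch01 Port 5 link down",
    "<186>Jan  1 00:00:02 switch01 Authentication failure from 10.1.1.9",
    "<191>Jan  1 00:00:03 switch01 debug trace",
]


def demo():
    """Route the sample lines through an example policy: everything to RAM,
    error and worse to flash, notice and worse to the remote host, critical and
    worse by e-mail."""
    router = LogRouter(ram_level=7, flash_level=3, remote_level=6, sendmail_level=2)
    return {line: router.route(line) for line in SAMPLE_LINES}


if __name__ == "__main__":
    for line, dests in demo().items():
        _f, sev, _m = parse_pri(line)
        print("%-13s -> %s" % (SEVERITY_NAMES[sev], ", ".join(dests)))
```

The e-mail threshold deserves the most thought: setting it to a lenient level turns a port flap into a mail storm, while setting it too strict means an authentication failure (severity 2 in the constructed sample) never reaches anyone.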
Configuring the Switch 3-34

CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch. When restarting the system, it will always run the Power-On Self-Test.

Resetting the System
Web – Click System, Reset. Click the Reset button to reboot the switch. When prompted, confirm that you want [...]

Basic Configuration 3-35

Setting the System Clock
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set th[...]

Configuring the Switch 3-36

Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.
Figure 3-22 SNTP Configuration
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.

Setting the Time Zone
SNTP uses Coordinated Universal Time (o[...]

Simple Network Management Protocol 3-37

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to UTC, and click Apply.
Figure 3-23 Setting the System Clock
CLI – This example shows how to set the time zone for the system clock.

Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a [...]

Configuring the Switch 3-38

Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its[...]

Simple Network Management Protocol 3-39

Enabling the SNMP Agent
Enables the SNMP service for all management clients (i.e., SNMP versions 1, 2c, and 3).
Command Attributes
SNMP Agent Status – Enables SNMP on the switch.
Web – Click SNMP, Agent Status.
Figure 3-24 Enabling SNMP Agent Status
CLI – The following example enables SNMP on the switch. [...]

Configuring the Switch 3-40

Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Community strings are sent in clear text by SNMP v1 and v2c, so they act only as a shared password; avoid read/write communities where SNMPv3 users can be used instead.
Figure 3-25 Configuring SNMP Community Strings
CLI – The following example adds the string “spiderman” with read/write access.

Specifying Trap Managers and [...]

Simple Network Management Protocol 3-41

To send an inform to an SNMPv2c host, complete these steps:
1. Enable the SNMP agent (3-39).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (3-52).
4. Create a group that includes the required notify view (3-49).
To send an inform to [...]

Configuring the Switch 3-42

• Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
• Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is e[...]

Simple Network Management Protocol 3-43

Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed first before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SN[...]

Configuring the Switch 3-44

Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to[...]

Simple Network Management Protocol 3-45

Configuring SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Command Attributes
• User Name – The name of the user connecting to the [...]

Configuring the Switch 3-46

Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of[...]

Simple Network Management Protocol 3-47

Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, y[...]

Configuring the Switch 3-48

Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Figure 3-30 Configur[...]

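Two rules on the preceding pages, that the engine ID must be set before any SNMPv3 user is created and that a remote engine ID is needed before informs can be sent to a remote user, both follow from how SNMPv3 (RFC 3414, the User-based Security Model) derives keys. The user's authentication and privacy passwords are first hashed into a key and then "localized" by hashing again with the engine ID of the agent that will verify the message, so the same password yields a different key on every engine. The block below, an added example rather than code from the manual or from the switch, reproduces that derivation and the 12-byte HMAC authentication parameter built from the localized key; the "maplesyrup" password and the 12-byte engine ID are the RFC 3414 Appendix A test vectors, and the message bytes are constructed.

```python
"""RFC 3414 password-to-key, key localization and HMAC authentication parameter (added example)."""
import hashlib
import hmac

_EXPANSION_BYTES = 1048576  # the password is repeated to exactly 1 MiB before hashing


def password_to_key(password, hash_name="md5"):
    """Ku = hash(password repeated to 1 MiB); hash_name is 'md5' or 'sha1'."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    buf = (pw * (_EXPANSION_BYTES // len(pw) + 1))[:_EXPANSION_BYTES]
    return hashlib.new(hash_name, buf).digest()


def localize_key(key, engine_id, hash_name="md5"):
    """Kul = hash(Ku || engineID || Ku): binds the key to one specific SNMP engine."""
    return hashlib.new(hash_name, key + engine_id + key).digest()


def localized_key(password, engine_id_hex, hash_name="md5"):
    """Convenience wrapper: hex string of the localized key for a password and engine ID."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name).hex()


def auth_param(password, engine_id_hex, message, hash_name="md5"):
    """msgAuthenticationParameters: first 12 bytes of HMAC(Kul, whole message).

    The receiver recomputes this with its own localized key; a sender that
    localized against the wrong engine ID produces a value that never matches.
    """
    key = bytes.fromhex(localized_key(password, engine_id_hex, hash_name))
    return hmac.new(key, message, getattr(hashlib, hash_name)).digest()[:12]


if __name__ == "__main__":
    # RFC 3414 A.3 vectors: password "maplesyrup", engine ID 00..02 (12 bytes)
    eid = "000000000000000000000002"
    print("MD5  Kul:", localized_key("maplesyrup", eid, "md5"))
    print("SHA1 Kul:", localized_key("maplesyrup", eid, "sha1"))
    # Constructed message; a different engine ID changes the authenticator
    msg = b"\x30\x00constructed-snmpv3-message"
    print("auth  :", auth_param("maplesyrup", eid, msg).hex())
    print("auth' :", auth_param("maplesyrup", "800000090300001122334455", msg).hex())
```

This is also why changing the switch's engine ID after users exist invalidates their localized keys, and why a remote user entry must carry the remote engine ID: the switch localizes that user's password against the remote engine when it signs the inform.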
Simple Network Management Protocol 3-49

Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Command Attributes
• Group Name – The name of[...]

Configuring the Switch 3-50

linkDown * 1.3.6.1.6.3.1.1.5.3 – A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the inclu[...]

Simple Network Management Protocol 3-51

Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group na[...]

Configuring the Switch 3-52

Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
• View Name – The name of the SNMP view. (Range: 1-64 characters)
• View OID Subtrees – Shows the currently[...]

Simple Network Management Protocol 3-53

CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.

Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included    (4-69)
Console(config)#exit
Console#show snmp view    (4-71)
Vie[...]

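The view just defined admits exactly one column of the interfaces table, with the trailing “*” standing for any index. The following block is an added example, not code from the manual or the switch, that implements the matching rule a view applies to a requested OID: a subtree matches when each of its sub-identifiers equals the OID's, a wildcard position matches anything, the longest matching subtree decides (as in RFC 3415's vacmViewTreeFamily lookup), and an OID that matches no subtree is outside the view. The view names and OIDs are constructed; the tie-break among equal-length subtrees is simplified to the greater subtree value with wildcards ranked lowest.

```python
"""SNMP view (VACM) subtree matching with wildcard sub-identifiers (added example)."""


def parse_subtree(spec):
    """'1.3.6.1.2.1.2.2.1.1.*' -> tuple of ints, with None for each wildcard position."""
    parts = spec.split(".")
    return tuple(None if p == "*" else int(p) for p in parts)


def parse_oid(spec):
    return tuple(int(p) for p in spec.split("."))


def subtree_matches(subtree, oid):
    """True when the OID lies under the subtree (wildcard positions match any value)."""
    if len(oid) < len(subtree):
        return False
    return all(s is None or s == o for s, o in zip(subtree, oid))


class SnmpView:
    """A named view: ordered list of (subtree, included) families."""

    def __init__(self, name):
        self.name = name
        self.families = []

    def add(self, spec, included=True):
        self.families.append((parse_subtree(spec), included))
        return self

    def allows(self, oid_spec):
        """Longest matching family wins; its included/excluded flag is the answer.
        No matching family means the OID is not in the view at all."""
        oid = parse_oid(oid_spec)
        best = None
        for subtree, included in self.families:
            if not subtree_matches(subtree, oid):
                continue
            rank = (len(subtree), tuple(-1 if s is None else s for s in subtree))
            if best is None or rank > best[0]:
                best = (rank, included)
        return best is not None and best[1]


# Constructed views: the manual's ifEntry.a (one column of ifTable, any index) and a
# "mib2-no-ip" view that exposes MIB-2 but carves out the ip group (1.3.6.1.2.1.4).
IFENTRY_VIEW = SnmpView("ifEntry.a").add("1.3.6.1.2.1.2.2.1.1.*", included=True)
MIB2_NO_IP = (SnmpView("mib2-no-ip")
              .add("1.3.6.1.2.1", included=True)
              .add("1.3.6.1.2.1.4", included=False))


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.2.2.1.1.5", "1.3.6.1.2.1.2.2.1.2.5", "1.3.6.1.2.1.1.1.0"):
        print("%-24s ifEntry.a=%-5s mib2-no-ip=%s" % (oid, IFENTRY_VIEW.allows(oid), MIB2_NO_IP.allows(oid)))
```

A practical check before assigning a view to a group is to run the OIDs a monitoring system actually polls through it; a view that is too narrow fails loudly, but one that accidentally includes a writable branch such as the USM user table does not.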
Configuring the Switch 3-54

User Authentication
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the [...]

User Authentication 3-55

Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new passwor[...]

Configuring the Switch 3-56

Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols. Remot[...]

User Authentication 3-57

Command Attributes
• Authentication – Select the authentication, or authentication sequence required:
- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ [...]

Configuring the Switch 3-58

Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
Figure 3-34 Authentication Settings

User Authentication 3-59

CLI – Specify all the required parameters to enable logon authentication.

Configuring Encryption Keys
The Encryption Key feature provides a central location for the management of all RADIUS and TACACS+ server encryption keys.
Command Attributes
• RADIUS Settings
- Global – Provides globally applicable RADI[...]

Configuring the Switch 3-60

- Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
- Change – Clicking this button adds or modifies the selected encryption key.
• TACACS+ Settings
- Global – Provides gl[...]

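The "encryption key" on the Encryption Keys page is the RADIUS shared secret, and it is worth knowing exactly what it protects. In RADIUS (RFC 2865) the secret is mixed with a per-request 16-byte Request Authenticator through MD5 to hide the User-Password attribute, and it is appended to the reply when the server computes the Response Authenticator that the switch checks before trusting an Access-Accept. The block below is an added example, not the switch's or any RADIUS library's code, that implements both operations; the secret, the authenticator bytes and the password are constructed. It shows why a mismatched key fails silently (the switch simply rejects every response) and why the secret should be long: MD5 offers no protection beyond the secret's own entropy.

```python
"""RFC 2865 User-Password hiding and Response Authenticator verification (added example)."""
import hashlib
import hmac
import struct

RADIUS_HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def hide_password(password, secret, request_authenticator):
    """User-Password hiding (RFC 2865 5.2): pad to a 16-byte multiple, then for each
    block XOR with MD5(secret || previous ciphertext block), seeded by the Request
    Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], pad))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; returns bytes with the NUL padding stripped."""
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret) (RFC 2865 3)."""
    header = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, ident, attrs, request_authenticator, secret):
    """Assemble a server reply packet (Access-Accept is code 2, Access-Reject 3)."""
    auth = response_authenticator(code, ident, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet, request_authenticator, secret):
    """The client-side check: recompute the authenticator with our copy of the secret
    and the Request Authenticator we sent, compare in constant time."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[RADIUS_HEADER_LEN:length]
    expected = response_authenticator(code, ident, attrs, request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:RADIUS_HEADER_LEN])


if __name__ == "__main__":
    secret = b"example-shared-secret"            # constructed
    req_auth = bytes(range(16))                   # constructed; real clients use random bytes
    hidden = hide_password("s3cret-pw!", secret, req_auth)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", reveal_password(hidden, secret, req_auth))
    reply = build_response(2, 7, b"", req_auth, secret)
    print("accept verifies with right secret:", verify_response(reply, req_auth, secret))
    print("accept verifies with wrong secret:", verify_response(reply, req_auth, b"typo"))
```

The Confirm Secret Text String field exists precisely because of the last two lines: a one-character typo in the key does not produce an error message on either side, only a server that appears to be down.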
User Authentication 3-61

AAA Authorization and Accounting
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows:
• Authentication – Identifies users that request access to the network.
• Auth[...]

Configuring the Switch 3-62

Configuring AAA RADIUS Group Settings
The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization.
Command Attributes
• Group Name – Defines a name for the RADIUS server group. (1-255 characters)
• Server Index – Specifies the RADIUS server and sequence [...]

User Authentication 3-63

Configuring AAA TACACS+ Group Settings
The AAA TACACS+ Group Settings screen defines the configured TACACS+ servers to use for accounting and authorization.
Command Attributes
• Group Name – Defines a name for the TACACS+ server group. (1-255 characters)
• Server – Specifies the TACACS+ server to use for the [...]

Configuring the Switch 3-64

The group names “radius” and “tacacs+” specify all configured RADIUS and TACACS+ hosts (see "Configuring Local/Remote Logon Authentication" on page 3-56). Any other group name refers to a server group configured on the RADIUS or TACACS+ Group Settings pages.
Web – Click Security, AAA, Acco[...]

User Authentication 3-65

AAA Accounting Update
This feature sets the interval at which accounting updates are sent to accounting servers.
Command Attributes
Periodic Update – Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled)
Web – [...]

Configuring the Switch 3-66

AAA Accounting 802.1X Port Settings
This feature applies the specified accounting method to an interface.
Command Attributes
• Port / Trunk – Specifies a port or trunk number.
• Method Name – Specifies a user-defined method name to apply to the interface. This method must be defined in the AAA Accounting Set[...]

User Authentication 3-67

AAA Accounting Exec Command Privileges
This feature specifies a method name to apply to commands entered at specific CLI privilege levels.
Command Attributes
• Commands Privilege Level – The CLI privilege levels (0-15).
• Console/Telnet – Specifies a user-defined method name to apply to commands entered at the sp[...]

Configuring the Switch 3-68

AAA Accounting Exec Settings
This feature specifies a method name to apply to console and Telnet connections.
Command Attributes
Method Name – Specifies a user-defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name fo[...]

User Authentication 3-69

Web – Click Security, AAA, Summary.
Figure 3-43 AAA Accounting Summary

Configuring the Switch 3-70

CLI – Use the following command to display the currently applied accounting methods, and registered users.

Authorization Settings
AAA authorization is a feature that verifies a user has access to specific services.
Command Attributes
• Method Name – Specifies an authorization method for service requests. T[...]

User Authentication 3-71

Web – Click Security, AAA, Authorization, Settings. To configure a new authorization method, specify a method name and a group name, select the service, then click Add.
Figure 3-44 AAA Authorization Settings
CLI – Specify the authorization method required and the server group.

Authorization EXEC Settings
This[...]

Configuring the Switch 3-72

CLI – Specify the authorization method to use for Console and Telnet interfaces.

Authorization Summary
The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied.
Command Attributes
• Authorization Type – Displays the authorization service.
• M[...]

User Authentication 3-73

Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Command Usage
• Both the HTTP and HTTPS service can be enabled independently on the s[...]

Configuring the Switch 3-74

Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.
Figure 3-47 HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.

Replacing the Default Secure-site Certificate
When you log onto the web interface using HTTPS (for se[...]

User Authentication 3-75

Configuring the Secure Shell
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), a[...]

Configuring the Switch 3-76

3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (4-25) to copy a file containing the public keys for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described[...]

User Authentication 3-77

Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable.
b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request [...]

Configuring the Switch 3-78

Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Figure 3-48 SSH Host-Key Settings
CLI – This example generates a host-key pair using[...]

User Authentication 3-79

Configuring the SSH Server
The SSH server includes basic settings for authentication.
Note: You must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server.
Field Attributes
• SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default:[...]

Configuring the Switch 3-80

CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.

Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resourc[...]

User Authentication 3-81

TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or r[...]

Configuring the Switch 3-82

CLI – This example shows the default global setting for 802.1X.

Configuring 802.1X Global Settings
The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
Command Attributes
• 802.1X System Authentication Control [...]

User Authentication 3-83

Configuring Port Settings for 802.1X
When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and the authentication server. These parameters[...]

Configuring the Switch 3-84

Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply.
Figure 3-52 802.1X Port Configuration

User Authentication 3-85

CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see "show dot1x" on page 4-118.

Console(config)#interface ethernet 1/2    (4-155)
Console(config-if)#dot1x port-control auto    (4-113)
Console(config-if)#dot1x re-authentication    (4-115)
C[...]

Configuring the Switch 3-86

Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 3-53 Displaying 802.1X Port Statistics
Table 3-7 802.1X Statisti[...]

User Authentication 3-87

CLI – This example displays the 802.1X statistics for port 4.

Filtering IP Addresses for Management Access
You create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
• The management interfaces are op[...]

Configuring the Switch 3-88

Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list.
Figure 3-54 Creating an IP Filter List
CLI – This example allows SNMP access for a specific client.
Console(config)#[...]

General Security Measures 3-89

General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In[...]

Configuring the Switch 3-90

Configuring Port Security
Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has [...]

Access Control Lists 3-91

Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
Figure 3-55 Configuring Port Security
CLI – This e[...]

Configuring the Switch 3-92

• When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL. If these rules are included in an ACL, and you attempt to bind the ACL to a[...]

Access Control Lists 3-93

Configuring a Standard IP ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to spe[...]

Configuring the Switch 3-94

Configuring an Extended IP ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the [...]

Access Control Lists 3-95

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, su[...]

Configuring the Switch 3-96

Configuring a MAC ACL
Use this page to configure ACLs based on hardware addresses, packet format, and Ethernet type.
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to i[...]

Access Control Lists 3-97

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address[...]

Configuring the Switch 3-98

Binding a Port to an Access Control List
After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port.
Command Usage
• Each ACL can have up to 32 rules.
• This switch supports ACLs for ingress filt[...]

Access Control Lists 3-99

CLI – This example assigns an IP access list to port 1, and an IP access list to port 3.

Filtering IP Addresses for Management Access
You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
• [...]

Configuring the Switch 3-100

Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list.
Figure 3-61 Creating an IP Filter List
CLI – This example allows SNMP access for a specific client.
Console(config)[...]

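The ACL pages (3-92 through 3-99) and the management IP filter (3-99 and 3-100) describe two different filters with the same failure modes: a rule order that lets the wrong host through, and a binding that the switch rejects. The block below is an added example, not code from the manual or the switch, that models both. It parses rules in the spirit of the CLI (permit/deny, then Any, Host, or address plus mask; an optional protocol and destination port for the extended form), evaluates a packet with first-match and implicit deny, applies the two egress-binding restrictions quoted on page 3-92, and keeps a per-service list of up to 16 management addresses or ranges. The rule text and addresses are constructed, the mask is taken as a subnet mask in which set bits must match, and it is assumed, as the truncated Command Usage on page 3-87 begins to say, that a service with no filter entries is open to all addresses.

```python
"""IP ACL evaluation, egress-binding checks and management IP filter (added example)."""
import ipaddress

ANY = (0, 0)  # (network, mask): a zero mask matches every address


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(t))
    mask = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr & mask, mask


def parse_rule(text):
    """'permit host 10.1.1.5', 'deny 10.1.0.0 255.255.0.0', 'deny any any',
    'deny tcp 10.1.0.0 255.255.0.0 any dport 23' (extended form)."""
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("bad action: %s" % action)
    proto = tokens.pop(0) if tokens[0] in ("ip", "tcp", "udp") else None
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens) if tokens and tokens[0] != "dport" else ANY
    dport = None
    if tokens and tokens[0] == "dport":
        tokens.pop(0)
        dport = int(tokens.pop(0))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _match(spec, ip):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == net


def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """First matching rule decides; a packet matching no rule is denied."""
    for r in acl:
        if r["proto"] not in (None, "ip", proto):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if _match(r["src"], src) and _match(r["dst"], dst):
            return r["action"]
    return "deny"


def check_egress_bind(acl):
    """Mirror the switch's egress restrictions: only deny rules, no explicit deny any any."""
    if any(r["action"] != "deny" for r in acl):
        return "bind fails: egress ACL contains permit rules"
    for r in acl:
        if r["src"] == ANY and r["dst"] == ANY and r["proto"] in (None, "ip") and r["dport"] is None:
            return "bind fails: explicit deny any any"
    return "ok"


class ManagementFilter:
    """Up to 16 addresses or ranges per service allowed management access."""
    MAX_ENTRIES = 16

    def __init__(self):
        self.entries = {"web": [], "snmp": [], "telnet": []}

    def add(self, service, start, end=None):
        lst = self.entries[service]
        if len(lst) >= self.MAX_ENTRIES:
            raise ValueError("filter list for %s is full" % service)
        a = int(ipaddress.IPv4Address(start))
        b = int(ipaddress.IPv4Address(end or start))
        lst.append((min(a, b), max(a, b)))

    def allows(self, service, client_ip):
        lst = self.entries[service]
        if not lst:
            return True  # assumption: no entries means the service is open to all
        ip = int(ipaddress.IPv4Address(client_ip))
        return any(a <= ip <= b for a, b in lst)


if __name__ == "__main__":
    acl = [parse_rule("deny host 10.1.1.9"), parse_rule("permit 10.1.0.0 255.255.0.0")]
    print("10.1.1.9 ->", evaluate(acl, "10.1.1.9"), "| 10.1.7.3 ->", evaluate(acl, "10.1.7.3"))
    print("egress bind of that ACL:", check_egress_bind(acl))
    f = ManagementFilter()
    f.add("snmp", "10.1.1.0", "10.1.1.255")
    print("snmp from 10.2.0.1 allowed:", f.allows("snmp", "10.2.0.1"))
```

Note the asymmetry between the two filters: an ACL with no matching rule denies, whereas a management service with no filter entries accepts every address, so the IP filter only helps once at least one entry exists for each service that is enabled.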
Access Control Lists 3-101

DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices whic[...]

Configuring the Switch 3-102

- If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
- If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
- If DHCP snooping is globally disabled, a[...]

Access Control Lists 3-103

DHCP Snooping VLAN Configuration
Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs.
Command Usage
• When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the[...]

Configuring the Switch 3-104

Command Usage
• DHCP Snooping (see 3-102) must be enabled for Option 82 information to be inserted into request packets.
• When Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets [...]

Access Control Lists 3-105

CLI – This example enables the DHCP Snooping Information Option, and sets the policy to replace.

DHCP Snooping Port Configuration
Use the DHCP Snooping Port Configuration page to configure switch ports as trusted or untrusted.
Command Usage
• A trusted interface is an interface that is configured to receive only [...]

Configuring the Switch 3-106

Web – Click DHCP Snooping, Port Configuration. Set any ports within the local network or firewall to trusted, and click Apply.
Figure 3-65 DHCP Snooping Port Configuration
CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.

DHCP Snooping Binding Information
Binding table en[...]

Access Control Lists 3-107

• IP Address Type – Indicates an IPv4 address type.
• Lease Time (Seconds) – The time for which this IP address is leased to the client.
Web – Click DHCP Snooping, DHCP Snooping Binding Information.
Figure 3-66 DHCP Snooping Binding Information
CLI – This example shows how to display the DHCP Snoopin[...]

Configuring the Switch 3-108

Command Usage
• Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the SIP-MAC option to check these same parameters, pl[...]

Access Control Lists 3-109

Web – Click IP Source Guard, Port Configuration. Set the required filtering type for each port and click Apply.
Figure 3-67 IP Source Guard Port Configuration
CLI – This example shows how to enable IP source guard on port 5 to check the source IP address for ingress packets against the binding table.

Configu[...]

Configuring the Switch 3-110

- If there is an entry with the same VLAN ID and MAC address, and the type of the entry is a dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
Command Attributes
• Static Binding Table Counts – The total number of st[...]

Access Control Lists 3-111

Displaying Information for Dynamic IP Source Guard Bindings
Use the Dynamic Information page to display the source-guard binding table for a selected interface.
Command Attributes
• Query by – Select an interface to display the source-guard binding. (Options: Port, VLAN, MAC Address, or IP Address)
• Dynami[...]

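Pages 3-101 through 3-111 describe one mechanism from two sides: DHCP snooping builds the binding table (MAC, IP, VLAN, port, lease) by watching the exchange between an untrusted client port and a trusted server port, and IP Source Guard then consults that table for every ingress packet on a guarded port, in SIP mode comparing VLAN, source IP and port, and in SIP-MAC mode the source MAC as well. The block below is an added example and not the switch's own code; it models both halves over a constructed VLAN with one trusted uplink. The forwarding rules for client and server packets are the ones quoted on page 3-102, the static-overrides-dynamic rule is from page 3-110, and two further checks that DHCP snooping implementations commonly apply (drop a client packet whose source MAC differs from the chaddr field, drop a RELEASE or DECLINE arriving on a port other than the binding's) are assumptions, as is the rule that a static binding is not overwritten by a later DHCP ACK. The ports, MACs and addresses are constructed.

```python
"""DHCP snooping binding table plus IP Source Guard lookups (added example)."""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int
    lease: int            # seconds; 0 for static entries
    static: bool = False


class DhcpSnooping:
    """Per-VLAN filtering of DHCP messages and the binding table it produces."""

    def __init__(self, vlan_ports, trusted_ports, snooping_vlans):
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}
        self.trusted = set(trusted_ports)
        self.enabled_vlans = set(snooping_vlans)
        self.bindings = {}      # (vlan, mac) -> Binding
        self._pending = {}      # (vlan, chaddr) -> port the client's request arrived on

    def filter(self, pkt):
        """pkt: dict(port, vlan, src_mac, chaddr, msg[, yiaddr, lease]).
        Returns ('drop', reason) or ('forward', sorted egress ports)."""
        vlan, port = pkt["vlan"], pkt["port"]
        members = self.vlan_ports[vlan]
        if vlan not in self.enabled_vlans:
            return "forward", sorted(members - {port})   # snooping off: plain flooding
        key = (vlan, pkt["chaddr"])
        if port in self.trusted:
            if pkt["msg"] == "ACK":
                client_port = self._pending.get(key)
                existing = self.bindings.get(key)
                # assumption: a static entry is never replaced by a dynamic one
                if client_port is not None and not (existing and existing.static):
                    self.bindings[key] = Binding(pkt["chaddr"], pkt["yiaddr"], vlan,
                                                 client_port, pkt["lease"])
            return "forward", sorted(members - {port})   # server replies reach all ports
        # untrusted port: clients only, and only for the MAC they claim to be
        if pkt["msg"] in SERVER_MSGS:
            return "drop", "server message on untrusted port"
        if pkt["src_mac"] != pkt["chaddr"]:
            return "drop", "source MAC does not match chaddr"     # assumed check
        if pkt["msg"] in ("RELEASE", "DECLINE"):
            b = self.bindings.get(key)
            if b is not None and b.port != port:
                return "drop", "release/decline from a different port"  # assumed check
        self._pending[key] = port
        return "forward", sorted((members & self.trusted) - {port})

    def add_static(self, mac, ip, vlan, port):
        """IP Source Guard static binding; replaces a dynamic entry for the same VLAN/MAC."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port, 0, static=True)

    def source_guard(self, mode, pkt):
        """'SIP' checks VLAN, source IP and ingress port; 'SIP-MAC' also the source MAC."""
        for b in self.bindings.values():
            if (b.vlan, b.ip, b.port) != (pkt["vlan"], pkt["src_ip"], pkt["port"]):
                continue
            if mode == "SIP-MAC" and b.mac != pkt["src_mac"]:
                continue
            return True
        return False


if __name__ == "__main__":
    s = DhcpSnooping(vlan_ports={10: [1, 2, 3, 24]}, trusted_ports=[24], snooping_vlans=[10])
    mac = "00:11:22:33:44:55"
    print(s.filter(dict(port=3, vlan=10, src_mac=mac, chaddr=mac, msg="OFFER")))
    print(s.filter(dict(port=3, vlan=10, src_mac=mac, chaddr=mac, msg="REQUEST")))
    print(s.filter(dict(port=24, vlan=10, src_mac="00:aa:bb:cc:dd:ee", chaddr=mac,
                        msg="ACK", yiaddr="10.0.10.50", lease=3600)))
    print(s.bindings[(10, mac)])
    print("SIP ok:", s.source_guard("SIP", dict(port=3, vlan=10, src_ip="10.0.10.50", src_mac=mac)))
    print("spoof:", s.source_guard("SIP", dict(port=3, vlan=10, src_ip="10.0.10.99", src_mac=mac)))
```

The example also makes the ordering constraint visible: IP Source Guard on a port can only pass traffic for which a binding exists, so enabling it before DHCP snooping has populated the table (or before static bindings are entered for hosts with fixed addresses) blocks those hosts.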
Configuring the Switch 3-112

Port Configuration
Displaying Connection Status
You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Field Attributes (Web)
• Name – Interface label.
• Type – Indicates the po[...]

Port Configuration 3-113

Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.e., up or down).
• Speed-duplex – Shows the current speed and duplex mode. (Auto, or fixed choice)
• Capabilities – Specifies the capabilities to be advertised for a port during auto-negotiation. (T[...]

Configuring the Switch 3-114

CLI – This example shows the connection status for Port 5.

Configuring Interface Connections
You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control[...]

Port Configuration 3-115

problem has been resolved. You may also disable an interface for security reasons.
• Speed/Duplex – Allows you to manually set the port speed and duplex mode (i.e., with auto-negotiation disabled).
• Flow Control – Allows automatic or manual selection of flow control.
• Autonegotiation (Port Capabilities)[...]

    Configuring the Switch 3-116 3 CLI – Select the interface, an d then enter the required setting s. Creating Trunk Groups Y ou can create multiple links between devices tha t work as one virtual, aggrega te link. A port trun k offe rs a dramatic increase in bandwid th for network se gments where bottlenecks exist , as well as providing a fault -to[...]

  • Page 165

    Port Configuration 3-117 3 • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. • All[...]

  • Page 166

    Configuring the Switch 3-118 3 CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Enabling LACP on Selected Ports Command Usage • To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect th[...]

  • Page 167

    Port Configuration 3-119 3 Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-26/50) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you ha[...]

  • Page 168

    Configuring the Switch 3-120 3 CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Configuring Parameters for LACP Group Members Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: •[...]

  • Page 169

    Port Configuration 3-121 3 - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; D[...]

  • Page 170

    Configuring the Switch 3-122 3 CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Displaying LACP Port Counters You can display statistics for LACP protocol messages. Console(config)#interface ethernet 1/1 4-155 Console(config-if)#lacp actor system-priority 3 4-170 Console(c[...]

  • Page 171

    Port Configuration 3-123 3 Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-75 LACP - Port Counters Information CLI – The following example displays LACP counters. Marker Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type [...]

  • Page 172

    Configuring the Switch 3-124 3 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key [...]

  • Page 173

    Port Configuration 3-125 3 Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-76 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 int[...]

  • Page 174

    Configuring the Switch 3-126 3 Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-77 LACP - Port Ne [...]

  • Page 175

    Port Configuration 3-127 3 CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If[...]

  • Page 176

    Configuring the Switch 3-128 3 Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-78 Port Broadcast Control Configuring Local Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a l[...]

  • Page 177

    Port Configuration 3-129 3 Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. Figure 3-79 Mirror Port Configuration CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port and traffi[...]

  • Page 178

    Configuring the Switch 3-130 3 Web – Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Enable the Rate Limit Status for the required interfaces, then set the rate limit for the individual interfaces, and click Apply. Figure 3-80 Input Rate Limit Port Configuration CLI - This example sets the rate limit level for input tra[...]

  • Page 179

    Port Configuration 3-131 3 Received Multicast Packets The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer. Received Broadcast Packets The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a broadcast address at[...]

  • Page 180

    Configuring the Switch 3-132 3 Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision. Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame. SQE Test Errors A count of times that the S[...]

  • Page 181

    Port Configuration 3-133 3 Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. 64 Bytes Frames The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits[...]

  • Page 182

    Configuring the Switch 3-134 3 Figure 3-81 Port Statistics CLI – This example shows statistics for port 13. Power Over Ethernet Settings The switch can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device. Once configure[...]

  • Page 183

    Power Over Ethernet Settings 3-135 3 power, if necessary by dropping power to ports set for a lower priority. If power is dropped to some low-priority ports and later the power demands on the switch fall back within its budget, the dropped power is automatically restored. Switch Power Status Displays the Power over Ethernet parameters for the [...]

  • Page 184

    Configuring the Switch 3-136 3 Setting a Switch Power Budget A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the [...]

  • Page 185

    Power Over Ethernet Settings 3-137 3 re-enabled when the overload condition is no longer detected on the port. (Default: Disabled) Web – Click PoE, Power Port Status. Figure 3-84 Displaying Port PoE Status CLI – This example displays the PoE status and priority of port 1. Configuring Port PoE Power If a device is connected to a switch por[...]

  • Page 186

    Configuring the Switch 3-138 3 • If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is turned on, but the switch drops power to one or more lower-priority ports. Note: Power is dropped from low-priority ports in sequence starting from port number 1. Command Attributes • Port –[...]

  • Page 187

    Address Table Settings 3-139 3 Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that [...]

  • Page 188

    Configuring the Switch 3-140 3 Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associate[...]

  • Page 189

    Address Table Settings 3-141 3 CLI – This example also displays the address table entries for port 1. Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Ran[...]

  • Page 190

    Configuring the Switch 3-142 3 Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in you[...]

  • Page 191

    Spanning Tree Algorithm Configuration 3-143 3 MSTP – MSTP When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees [...]

  • Page 192

    Configuring the Switch 3-144 3 Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI), the protocol will automatically build an MSTI tree to maintain connectivity among each of the VLANs. MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree [...]

  • Page 193

    Spanning Tree Algorithm Configuration 3-145 3 These additional parameters are only displayed for the CLI: • Spanning tree mode – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D) - RSTP: Rapid Spanning Tree (IEEE 802.1w) - MSTP: Multiple Spanning Tree (IEEE 802.1s) • Instance – In[...]

  • Page 194

    Configuring the Switch 3-146 3 Web – Click Spanning Tree, STA, Information. Figure 3-89 Displaying Spanning Tree Information CLI – This command displays global STA settings, followed by settings for each port. Note: The current root port and current root cost display as zero when this device is not connected to the network. Console#sho[...]

  • Page 195

    Spanning Tree Algorithm Configuration 3-147 3 Configuring Global Settings for STA Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol 9 – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a [...]

  • Page 196

    Configuring the Switch 3-148 3 • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric[...]

  • Page 197

    Spanning Tree Algorithm Configuration 3-149 3 • Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to w[...]

  • Page 198

    Configuring the Switch 3-150 3 Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-90 Configuring Spanning Tree[...]

  • Page 199

    Spanning Tree Algorithm Configuration 3-151 3 CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Displaying Interface Settings for STA The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree. [...]

  • Page 200

    Configuring the Switch 3-152 3 • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port. •[...]

  • Page 201

    Spanning Tree Algorithm Configuration 3-153 3 These additional parameters are only displayed for the CLI: • Admin Status – Shows if this interface is enabled. • External Admin Path Cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned [...]

  • Page 202

    Configuring the Switch 3-154 3 CLI – This example shows the STA attributes for port 5. Configuring Interface Settings for STA You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media type to i[...]

  • Page 203

    Spanning Tree Algorithm Configuration 3-155 3 The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with [...]

  • Page 204

    Configuring the Switch 3-156 3 • Admin Link Type – The link type attached to this interface. - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the de[...]

  • Page 205

    Spanning Tree Algorithm Configuration 3-157 3 Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-92 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-155 Console(config-if)#spann[...]

  • Page 206

    Configuring the Switch 3-158 3 Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new top[...]

  • Page 207

    Spanning Tree Algorithm Configuration 3-159 3 Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add. Figure 3-93 Configuring Multiple Sp[...]

  • Page 208

    Configuring the Switch 3-160 3 CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 1 4-213 Spanning-tree information --------------------------------------------------------------- Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: 1 VLANs Configuration:[...]

  • Page 209

    Spanning Tree Algorithm Configuration 3-161 3 Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes • MST Instance ID – Instance identifier to configure. (Default: 0) The other attributes are descr[...]

  • Page 210

    Configuring the Switch 3-162 3 CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-213 Spanning Tree Information ---------------[...]

  • Page 211

    Spanning Tree Algorithm Configuration 3-163 3 Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: • STA State – Displays current state of[...]

  • Page 212

    Configuring the Switch 3-164 3 Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-95 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. VLAN Configuration IEEE 802.1Q VLANs In large networks, rou[...]

  • Page 213

    VLAN Configuration 3-165 3 This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs • End stations can belong to[...]

  • Page 214

    Configuring the Switch 3-166 3 Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for[...]

  • Page 215

    VLAN Configuration 3-167 3 Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on al[...]

  • Page 216

    Configuring the Switch 3-168 3 Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number 12 – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. • Maximum VLAN ID – Maximum VLAN ID recognized b[...]

  • Page 217

    VLAN Configuration 3-169 3 Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two swit[...]

  • Page 218

    Configuring the Switch 3-170 3 • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members. CLI – Current VLAN information can be dis[...]

  • Page 219

    VLAN Configuration 3-171 3 Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-99 Configuring a VLAN Static List[...]

  • Page 220

    Configuring the Switch 3-172 3 CLI – This example creates a new VLAN. Console(config)#vlan database 4-220 Console(config-vlan)#vlan 2 name R&D media ethernet state active 4-221 Console(config-vlan)#end Console#show vlan Default VLAN ID : 1 VLAN ID: 1 Type: Static Name: DefaultVlan Status: Active Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1[...]

  • Page 221

    VLAN Configuration 3-173 3 Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the [...]

  • Page 222

    Configuring the Switch 3-174 3 Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply. Figure 3-100 Configuring a VLAN Static Table CLI – The followi[...]

  • Page 223

    VLAN Configuration 3-175 3 Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. • Non-Member – VLANs[...]

  • Page 224

    Configuring the Switch 3-176 3 Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange[...]

  • Page 225

    VLAN Configuration 3-177 3 • GARP Leave Timer 13 – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Def[...]

  • Page 226

    Configuring the Switch 3-178 3 Configuring IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VL[...]

  • Page 227

    VLAN Configuration 3-179 3 customer’s network. The packet is sent as a normal IEEE 802.1Q-tagged frame, preserving the original VLAN numbers used in the customer’s network. Layer 2 Flow for Packets Coming into a Tunnel Access Port A QinQ tunnel port may receive either tagged or untagged packets. No matter how many tags the incoming pac[...]

  • Page 228

    Configuring the Switch 3-180 3 Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: • Untagged • One tag (CVLAN or SPVLAN) • Double tag (CVLAN + SPVLAN) The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the pack[...]

  • Page 229

    VLAN Configuration 3-181 3 • Static trunk port groups are compatible with QinQ tunnel ports as long as the QinQ configuration is consistent within a trunk port group. • The native VLAN (VLAN 1) is not normally added to transmitted frames. Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of misconfiguration[...]

  • Page 230

    Configuring the Switch 3-182 3 incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port. [...]

  • Page 231

    VLAN Configuration 3-183 3 the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames (see "Displaying Basic VLAN Information" on page 3-168). Command Attributes Mode – Set the VLAN membership mode of the port. (Default: Normal) • None – The port operates in its normal VLAN mode. (This is the[...]

  • Page 232

    Configuring the Switch 3-184 3 Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Enabling Private [...]

  • Page 233

    VLAN Configuration 3-185 3 Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with an[...]

  • Page 234

    Configuring the Switch 3-186 3 Command Usage To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (3-170). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2. Create a protoc[...]

  • Page 235

    VLAN Configuration 3-187 3 CLI – This example creates protocol group 1 for Ethernet frames using the IP protocol, and group 2 for Ethernet frames using the ARP protocol. Mapping Protocols to VLANs Use the Protocol VLAN Port Configuration menu to map a Protocol VLAN Group to a VLAN. Map a protocol group to a VLAN for each interface that will pa[...]

  • Page 236

    Configuring the Switch 3-188 3 Web – Click VLAN, Protocol VLAN, Port Configuration. Figure 3-108 Protocol VLAN Port Configuration CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 2 to VLAN 2. Console(config)#interface ethernet 1/1 4-155 Console(config-if)#protocol-vlan protoc[...]

  • Page 237

    Class of Service Configuration 3-189 3 Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be [...]

  • Page 238

    Configuring the Switch 3-190 3 Command Attributes • Default Priority 14 – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port. Web – Click Priority, Default Port Priority or Default Trunk[...]

  • Page 239

    Class of Service Configuration 3-191 3 Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default pr[...]

  • Page 240

    Configuring the Switch 3-192 3 Web – Click Priority, Traffic Classes. Select a port or trunk for the current mapping of CoS values to output queues to be displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-110 Traffic Classes CLI – The following example shows how to change the CoS ass[...]

  • Page 241

    Class of Service Configuration 3-193 3 Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. Comma[...]

  • Page 242

    Configuring the Switch 3-194 3 Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in "Mapping CoS Values to Egress Queues" on page 3-191, the traffic classes are mapped to one of the four egress [...]

  • Page 243

    Class of Service Configuration 3-195 3 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) o[...]

  • Page 244

    Configuring the Switch 3-196 3 Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class o[...]

  • Page 245

    Class of Service Configuration 3-197 3 CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings. Note: Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes w[...]

  • Page 246

    Configuring the Switch 3-198 3 Command Attributes • DSCP Priority Table – Shows the DSCP Priority to CoS map. • Class of Service Value – Maps a CoS value to the selected DSCP Priority value. Note that “0” represents low priority and “7” represents high priority. Note: IP DSCP settings apply to all interfaces. Web – Click Priori[...]

  • Page 247

    Class of Service Configuration 3-199 3 Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110. Command Attributes • IP Port Priority[...]

  • Page 248

    Configuring the Switch 3-200 3 CLI * – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port. * Mapping specific values for IP Port Priority is implemented as an interface configuration command, but any chan[...]

  • Page 249

    Quality of Service 3-201 3 Configuring Quality of Service Parameters To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the “Class Map” to designate a class name for a specific category of traffic. 2. Edit the rules for each class to specify a type of traffic based on an access list, a DSCP [...]

  • Page 250

    Configuring the Switch 3-202 3 Class Configuration • Class Name – Name of the class map. (Range: 1-16 characters) • Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command. • Description – A brief description of a class map. (Range: 1-64 characters[...]

  • Page 251

    Quality of Service 3-203 3 Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-118 Configuring Class Maps CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3. Console(config)#class-map rd_c[...]

  • Page 252

    Configuring the Switch 3-204
    Creating QoS Policies
    This function creates a policy map that can be attached to multiple interfaces.
    Command Usage
    • To configure a Policy Map, follow these steps:
    - Create a Class Map as described on 3-201.
    - Open the Policy Map page, and click Add Policy.
    - When the Policy Configuration page opens, fill in [...]

  • Page 253

    Quality of Service 3-205
    Policy Rule Settings
    - Class Settings -
    • Class Name – Name of class map.
    • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on 3-201).
    • Meter – The maximum throughput and burst rate.
    - Rate [...]

  • Page 254

    Configuring the Switch 3-206
    Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
    Figure 3-119 Configuring Policy Maps[...]

  • Page 255

    Quality of Service 3-207
    CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
    Attaching a Policy Map to Ingress Queues
    This function binds a policy map to the ingress queue of a particula[...]

  • Page 256

    Configuring the Switch 3-208
    CLI – This example applies a service policy to an ingress interface.
    Multicast Filtering
    Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service [...]

  • Page 257

    Multicast Filtering 3-209
    Layer 2 IGMP (Snooping and Query)
    IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (3-210) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to [...]

  • Page 258

    Configuring the Switch 3-210
    Configuring IGMP Snooping and Query Parameters
    You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all p[...]

  • Page 259

    Multicast Filtering 3-211
    • Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic. This feature is not supported for IGMPv3 snooping. (Default: Enabled)
    • IGMP Leave Proxy Status — Suppresses leave messages unless received from the l[...]

  • Page 260

    Configuring the Switch 3-212
    CLI – This example modifies the settings for multicast filtering, and then displays the current status.
    Enabling IGMP Immediate Leave
    The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the immediate-leave function is enable[...]

  • Page 261

    Multicast Filtering 3-213
    Command Attributes
    • VLAN ID – ID of configured VLAN (1-4094).
    • Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled)
    Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply [...]

  • Page 262

    Configuring the Switch 3-214
    Displaying Interfaces Attached to a Multicast Router
    Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the swit[...]

  • Page 263

    Multicast Filtering 3-215
    Specifying Static Interfaces for a Multicast Router
    Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manua[...]

  • Page 264

    Configuring the Switch 3-216
    Displaying Port Members of Multicast Services
    You can display the port members associated with a specified VLAN and multicast service.
    Command Attributes
    • VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4094)
    • Multicast IP Address – The IP address for a specific multicast service. [...]

  • Page 265

    Multicast Filtering 3-217
    Assigning Ports to Multicast Services
    Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in "Configuring IGMP Snooping and Query Parameters" on page 3-210. For certain applications that require tighter control, you may need to statically configure[...]

  • Page 266

    Configuring the Switch 3-218
    CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.
    IGMP Filtering and Throttling
    In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV s[...]

  • Page 267

    Multicast Filtering 3-219
    Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile number by entering the number in the text box and clicking Add. Enable the IGMP filter status, then click Apply.
    Figure 3-127 Enabling IGMP Filtering and Throttling
    CLI – This example enables IGMP filtering and creates a profile number, t[...]

  • Page 268

    Configuring the Switch 3-220
    • Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny)
    • New Multicast Address Range List – Specifies multicast groups to include in the profile. Specify a multicast group range by entering a start and end IP address. Specify a single multicast group by entering th[...]

  • Page 269

    Multicast Filtering 3-221
    CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed.
    Configuring IGMP Filtering and Throttling for Interfaces
    Once you have configured IGMP profil[...]

  • Page 270

    Configuring the Switch 3-222
    Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply.
    Figure 3-129 IGMP Filter and Throttling Port Configuration
    CLI – This example assigns I[...]

  • Page 271

    Multicast Filtering 3-223
    Multicast VLAN Registration
    Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN i[...]

  • Page 272

    Configuring the Switch 3-224
    Configuring Global MVR Settings
    The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each[...]

  • Page 273

    Multicast Filtering 3-225
    Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply.
    Figure 3-130 MVR Global Configuration
    CLI – This example first enables IGMP snooping, enables MVR globally, and then configures[...]

  • Page 274

    Configuring the Switch 3-226
    Displaying MVR Interface Status
    You can display information about the interfaces attached to the MVR VLAN.
    Field Attributes
    • Type – Shows the MVR port type.
    • Oper Status – Shows the link status.
    • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enab[...]

  • Page 275

    Multicast Filtering 3-227
    Displaying Port Members of Multicast Groups
    You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration.
    Field Attributes
    • Group IP – Multicast groups assigned to the MVR VLAN.
    • Group Port List – Shows the interfaces with subscribers for multicast se[...]

  • Page 276

    Configuring the Switch 3-228
    Configuring MVR Interface Status
    Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
    Command Usage
    • A port which is not configur[...]

  • Page 277

    Multicast Filtering 3-229
    - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)
    • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured a[...]

  • Page 278

    Configuring the Switch 3-230
    Assigning Static Multicast Groups to Interfaces
    For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces.
    Command Usage
    • Any multicast groups that use the MVR VLAN must be statically assigned [...]

  • Page 279

    Configuring Domain Name Service 3-231
    Configuring Domain Name Service
    The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt [...]

  • Page 280

    Configuring the Switch 3-232
    Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
    Figure 3-135 DNS General Configuration
    CLI – This example sets a default domain name and a domain l[...]

  • Page 281

    Configuring Domain Name Service 3-233
    Configuring Static DNS Host to Address Entries
    You can manually configure static entries in the DNS table that are used to map domain names to IP addresses.
    Command Usage
    • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located [...]

  • Page 282

    Configuring the Switch 3-234
    Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
    Figure 3-136 DNS Static Host Table
    CLI – This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
    Console(config)#ip host rd5 192.168.1.55 10.1.[...]

  • Page 283

    Configuring Domain Name Service 3-235
    Displaying the DNS Cache
    You can display entries in the DNS cache that have been learned via the designated name servers.
    Field Attributes
    • No – The entry number for each resource record.
    • Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
    • Type – This field[...]

  • Page 284

    Configuring the Switch 3-236
    Switch Clustering
    Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
    Command Usage[...]

  • Page 285

    Switch Clustering 3-237
    • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 16. Note that you cannot cha[...]

  • Page 286

    Configuring the Switch 3-238
    Cluster Member Configuration
    Adds Candidate switches to the cluster as Members.
    Command Attributes
    • Member ID – Specify a Member ID number for the selected Candidate switch. (Range: 1-16)
    • MAC Address – Select a discovered switch MAC address from the Candidate Table, or enter a specific MAC address of [...]

  • Page 287

    Switch Clustering 3-239
    Displaying Information on Cluster Members
    Use the Cluster Member Information page to display information on current cluster Member switches.
    Command Attributes
    • Member ID – The ID number of the Member switch.
    • Role – Indicates the current status of the switch in the cluster.
    • IP Address – The intern[...]

  • Page 288

    Configuring the Switch 3-240
    Cluster Candidate Information
    Use the Cluster Candidate Information page to display information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
    Command Attributes
    • Role – Indicates the current status of Candidate switches in the network[...]

  • Page 289

    4-1
    Chapter 4: Command Line Interface
    This chapter describes how to use the Command Line Interface (CLI).
    Using the Command Line Interface
    Accessing the CLI
    When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command k[...]

  • Page 290

    Command Line Interface 4-2
    Telnet Connection
    Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network p[...]

  • Page 291

    Entering Commands 4-3
    Entering Commands
    This section describes how to enter CLI commands.
    Keywords and Arguments
    A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status[...]

  • Page 292

    Command Line Interface 4-4
    Showing Commands
    If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific comm[...]

  • Page 293

    Entering Commands 4-5
    The command “show interfaces ?” will display the following information:
    Partial Keyword Lookup
    If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows al[...]

  • Page 294

    Command Line Interface 4-6
    Understanding Command Modes
    The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes a[...]

  • Page 295

    Entering Commands 4-7
    Configuration Commands
    Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command[...]

  • Page 296

    Command Line Interface 4-8
    To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode.
    Table 4-2 Configuration Modes
    M[...]

  • Page 297

    Entering Commands 4-9
    Command Line Processing
    Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by[...]

  • Page 298

    Command Line Interface 4-10
    Command Groups
    The system commands can be broken down into the functional groups shown below.
    Table 4-4 Command Groups
    Command Group | Description | Page
    General | Basic commands for entering privileged access mode, restarting the system, or quitting the CLI | 4-11
    System Management | Display and setting of system inform[...]

  • Page 299

    General Commands 4-11
    The access mode shown in the following tables is indicated by these abbreviations:
    ACL (Access Control List Configuration)
    NE (Normal Exec)
    CM (Class Map Configuration)
    PE (Privileged Exec)
    GC (Global Configuration)
    PM (Policy Map Configuration)
    IC (Interface Configuration)
    SG (Server Group)
    LC (Line Configuration)
    V[...]

  • Page 300

    Command Line Interface 4-12
    Command Mode
    Normal Exec
    Command Usage
    • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-78.)
    • The “#” character is appended to the end of the prompt to indicate that the system i[...]

  • Page 301

    General Commands 4-13
    Example
    Related Commands
    end (4-14)
    show history
    This command shows the contents of the command history buffer.
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
    Example
    In this example, the show history command lists the[...]

  • Page 302

    Command Line Interface 4-14
    Command Mode
    Privileged Exec
    Command Usage
    • This command resets the entire system.
    • When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
    Example
    This ex[...]

  • Page 303

    General Commands 4-15
    exit
    This command returns to the previous configuration mode or exits the configuration program.
    Command Mode
    Any
    Example
    This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
    quit
    This command exits the configuration program.
    Default Setting
    None[...]

  • Page 304

    Command Line Interface 4-16
    System Management Commands
    These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.
    Device Designation Commands
    hostname
    This command specifies or modifies the host name for this device. Use the no form [...]

  • Page 305

    System Management Commands 4-17
    Example
    System Status Commands
    This section describes commands used to display system information.
    show startup-config
    This command displays the configuration file stored in non-volatile memory that is used to start up the system.
    Command Mode
    Privileged Exec
    Command Usage
    • Use this command in conjunction w[...]

  • Page 306

    Command Line Interface 4-18
    Example
    Related Commands
    show running-config (4-18)
    show running-config
    This command displays the configuration information currently in use.
    Default Setting
    None
    Command Mode
    Privileged Exec
    Console#show startup-config
    building startup-config, please wait...
    ..
    !<stackingDB>00</stackingDB>
    !<stackin[...]

  • Page 307

    System Management Commands 4-19
    Command Usage
    • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
    • This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the conf[...]

  • Page 308

    Command Line Interface 4-20
    Example
    Related Commands
    show startup-config (4-17)
    Console#show running-config
    building startup-config, please wait...
    ..
    !<stackingDB>00</stackingDB>
    !<stackingMac>01_00-13-f7-12-31-23_01</stackingMac>
    !
    phymap 00-13-f7-12-31-23
    !
    SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
    !
    clock timezone-predefi[...]

  • Page 309

    System Management Commands 4-21
    show system
    This command displays system information.
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    • For a description of the items shown by this command, refer to "Displaying System Information" on page 3-11.
    • The POST results should all display “PASS.” If any POST test indicates[...]

  • Page 310

    Command Line Interface 4-22
    Example
    show version
    This command displays hardware and software version information for the system.
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    See "Displaying Switch Hardware/Software Versions" on page 3-13 for detailed information on the items displayed by this command.
    Example
    Cons[...]

  • Page 311

    System Management Commands 4-23
    Frame Size Commands
    jumbo frame
    This command enables support for jumbo frames. Use the no form to disable it.
    Syntax
    [no] jumbo frame
    Default Setting
    Disabled
    Command Mode
    Global Configuration
    Command Usage
    • This switch provides more efficient throughput for large sequential data transfers by supporting[...]

  • Page 312

    Command Line Interface 4-24
    File Management Commands
    Managing Firmware
    Firmware can be uploaded and downloaded to or from a TFTP server. By saving run-time code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous ve[...]

  • Page 313

    System Management Commands 4-25
    copy
    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of [...]

  • Page 314

    Command Line Interface 4-26
    • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
    • For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate"[...]

  • Page 315

    System Management Commands 4-27
    The following example shows how to download a configuration file:
    This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:
    This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authenticati[...]

  • Page 316

    Command Line Interface 4-28
    delete
    This command deletes a file or image.
    Syntax
    delete filename
    filename - Name of the configuration file or image name.
    Command Mode
    Privileged Exec
    Command Usage
    • If the file type is used for system startup, then this file cannot be deleted.
    • “Factory_Default_Config.cfg” cannot be deleted.
    Example [...]

  • Page 317

    System Management Commands 4-29
    • File information is shown below:
    Example
    The following example shows how to display all file information:
    whichboot
    This command displays which files were booted when the system powered up.
    Command Mode
    Privileged Exec
    Example
    This example shows the information displayed by the whichboot command. See the[...]

  • Page 318

    Command Line Interface 4-30
    boot system
    This command specifies the image used to start up the system.
    Syntax
    boot system {boot-rom | config | opcode}: filename
    The type of file or image to set as a default includes:
    • boot-rom* - Boot ROM.
    • config* - Configuration file.
    • opcode* - Run-time operation code.
    • filename - Name of [...]

  • Page 319

    System Management Commands 4-31
    Line Commands
    You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
    line
    This command identifies a specific line for configurat[...]

  • Page 320

    Command Line Interface 4-32
    Command Usage
    Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
    Example
    To enter console line mode, enter the following command:
    Related C[...]

  • Page 321

    System Management Commands 4-33
    Example
    Related Commands
    username (4-77)
    password (4-33)
    password
    This command specifies the password for a line. Use the no form to remove the password.
    Syntax
    password {0 | 7} password
    no password
    • {0 | 7} - 0 means plain password, 7 means encrypted password
    • password - Character string that specif[...]

  • Page 322

    Command Line Interface 4-34
    timeout login response
    This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default.
    Syntax
    timeout login response [seconds]
    no timeout login response
    seconds - Integer that specifies the timeout interval. (Range: 0 - 300 seconds; 0: disabled)
    Defa[...]

  • Page 323

    System Management Commands 4-35
    Command Mode
    Line Configuration
    Command Usage
    • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
    • This command applies to both the local console and Telnet connections.
    • The timeout for Telnet cannot be disabled.
    • Using the comm[...]

  • Page 324

    Command Line Interface 4-36
    Related Commands
    silent-time (4-36)
    timeout login response (4-13)
    silent-time
    This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
    Syn[...]

  • Page 325

    System Management Commands 4-37
    Command Usage
    The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
    Example
    To specify 7 data bits, enter this c[...]

  • Page 326

    Command Line Interface 4-38
    speed
    This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
    Syntax
    speed bps
    no speed
    bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps, or auto) [...]

  • Page 327

    System Management Commands 4-39
    Example
    To specify 2 stop bits, enter this command:
    disconnect
    This command terminates an SSH, Telnet, or console connection.
    Syntax
    disconnect session-id
    session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4)
    Command Mode
    Privileged Exec
    Command Usage
    Specifying sessio[...]

  • Page 328

    Command Line Interface 4-40
    Example
    To show all lines, enter this command:
    Event Logging Commands
    Console#show line
    Console Configuration:
    Password Threshold: 3 times
    Interactive Timeout: 600 sec
    Login Timeout: Disabled
    Silent Time: Disabled
    Baudrate: auto
    Databits: 8
    Parity: None
    Stopbits: 1
    VTY Configuration:
    Password Threshold: 3 times
    Inte[...]

  • Page 329

    System Management Commands 4-41
    logging on
    This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process.
    Syntax
    [no] logging on
    Default Setting
    None
    Command Mode
    Global Configuration
    Command Usage
    The logging process controls error messages saved to switch memo[...]

  • Page 330

    Command Line Interface 4-42
    logging history
    This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
    Syntax
    logging history {flash | ram} level
    no logging history {flash | ram}
    • flash - Event history stored in flash memory (i.e., permanen[...]

  • Page 331

    System Management Commands 4-43
    logging host
    This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
    Syntax
    [no] logging host host_ip_address
    host_ip_address - The IP address of a syslog server.
    Default Setting
    None
    Command Mode
    Global Configuration
    Command Usage[...]

  • Page 332

    Command Line Interface 4-44
    logging trap
    This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
    Syntax
    logging trap [level]
    no logging [...]

  • Page 333

    System Management Commands 4-45
    Related Commands
    show logging (4-45)
    show logging
    This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
    Syntax
    show logging {flash | ram | sendmail | trap}
    • flash - Displays settings for storing event message[...]

  • Page 334

    Command Line Interface 4-46
    The following example displays settings for the trap function.
    Related Commands
    show logging sendmail (4-50)
    show log
    This command displays the system and event messages stored in memory.
    Syntax
    show log {flash | ram} [login]
    • flash - Event history stored in flash memory (i.e., permanent memory).
    • ram[...]

  • Page 335

    System Management Commands 4-47
    Example
    The following example shows sample messages stored in RAM.
    SMTP Alert Commands
    These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
    logging sendmail host
    This command specifies SMTP servers that will be sent alert message[...]

  • Page 336

    Command Line Interface 4-48
    Command Mode
    Global Configuration
    Command Usage
    • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
    • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finall[...]

  • Page 337

    System Management Commands 4-49
    logging sendmail source-email
    This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address.
    Syntax
    [no] logging sendmail source-email email-address
    email-address - The source email address used in alert messages. (Range: 0-41 character[...]

  • Page 338

    Command Line Interface 4-50
    logging sendmail
    This command enables SMTP event handling. Use the no form to disable this function.
    Syntax
    [no] logging sendmail
    Default Setting
    Enabled
    Command Mode
    Global Configuration
    Example
    show logging sendmail
    This command displays the settings for the SMTP event handler.
    Command Mode
    Normal Exec, Pr[...]

  • Page 339

System Management Commands 4-51: Time Commands: The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory[...]

Command Line Interface 4-52: Example. Related Commands: sntp server (4-52), sntp poll (4-53), show sntp (4-53). sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax: sntp server [ ip1 [ ip2 [ ip3 ]]] ip -[...]

System Management Commands 4-53: sntp poll: This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default. Syntax: sntp poll seconds; no sntp poll. seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting: 16 seconds. Command Mode: Global [...]

Command Line Interface 4-54: clock timezone: This command sets the time zone for the switch’s internal clock. Syntax: clock timezone name hour hours minute minutes { before-utc | after-utc } • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 0-12 hours before; 0-13[...]

System Management Commands 4-55: calendar set: This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax: calendar set hour min sec { day month year | month day year } • hour - Hour in 24-hour format. (Range: 0-23) • [...]

Command Line Interface 4-56: Switch Cluster Commands: Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network. Using S[...]

System Management Commands 4-57: Command Usage: • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when [...]

Command Line Interface 4-58: cluster ip-pool: This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax: cluster ip-pool ip-address; no cluster ip-pool. ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start 10.x.x.x. Default Setting: 10.254.254.1. Comm[...]

System Management Commands 4-59: Command Usage: • The maximum number of cluster Members is 16. • The maximum number of switch Candidates is 100. Example. rcommand: This command provides access to a cluster Member CLI for configuration. Syntax: rcommand id <member-id>. member-id - The ID number of the Member switch. (Range: 1-16) Comman[...]

Command Line Interface 4-60: show cluster members: This command shows the current switch cluster members. Command Mode: Privileged Exec. Example. show cluster candidates: This command shows the discovered Candidate switches in the network. Command Mode: Privileged Exec. Example: Console#show cluster members Cluster Members: ID: 1 Role: Active member I[...]

SNMP Commands 4-61: SNMP Commands: Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to[...]

Command Line Interface 4-62: snmp-server: This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax: [no] snmp-server. Default Setting: Enabled. Command Mode: Global Configuration. Example. show snmp: This command can be used to check the status of SNMP [...]

SNMP Commands 4-63: Example. snmp-server community: This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax: snmp-server community string [ ro | rw ]; no snmp-server community string. • string - Community string that acts like a password and permits access to the SNMP proto[...]

Command Line Interface 4-64: Command Mode: Global Configuration. Example. snmp-server contact: This command sets the system contact string. Use the no form to remove the system contact information. Syntax: snmp-server contact string; no snmp-server contact. string - String that describes the system contact information. (Maximum length: 255 char[...]

SNMP Commands 4-65: Example. Related Commands: snmp-server contact (4-64). snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax: snmp-server host host-addr [ inform [ retry retries | timeout seconds ]] community-string [ version { 1 [...]

Command Line Interface 4-66: Command Usage: • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.[...]

SNMP Commands 4-67: exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the “noauth” option, an SNMP user account will be generated, and the switch will authorize SNMP access for the host. Example. Related Commands: snmp-server enable traps (4-67). snmp-server enable traps: This command [...]

Command Line Interface 4-68: Related Commands: snmp-server host (4-65). snmp-server engine-id: This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax: snmp-server engine-id { local | remote { ip-address }} engineid-string; no snmp-server engine-id { local | remote { ip-address }} • lo[...]

SNMP Commands 4-69: Related Commands: snmp-server host (4-65). show snmp engine-id: This command shows the SNMP engine ID. Command Mode: Privileged Exec. Example: This example shows the default engine ID. snmp-server view: This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax: snmp-server v[...]

Command Line Interface 4-70: Command Usage: • Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. • The predefined view “defaultview” includes access to the entire MIB tree. Examples: This view includes MIB-2. This view includes the MIB-2 interfaces table, ifDescr. The wild[...]

SNMP Commands 4-71: show snmp view: This command shows information on the SNMP views. Command Mode: Privileged Exec. Example. snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax: snmp-server group groupname { v1 | v2c | v3 { auth | noauth | priv }} [ read readview ] [ [...]

Command Line Interface 4-72: Default Setting: • Default groups: public 20 (read only), private 21 (read/write) • readview - Every object belonging to the Internet OID space (1.3.6.1). • writeview - Nothing is defined. • notifyview - Nothing is defined. Command Mode: Global Configuration. Command Usage: • A group sets the access policy[...]

SNMP Commands 4-73: show snmp group: Four default groups are provided – SNMP v1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode: Privileged Exec. Example: Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: [...]

Command Line Interface 4-74: snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax: snmp-server user username groupname [ remote ip-address ] { v1 | v2c | v3 [ encrypted ] [ auth { md5 | sha } auth-passwor[...]

SNMP Commands 4-75: Command Usage: • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-[...]

Command Line Interface 4-76: Authentication Commands: You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X. Table 4-24 show snmp user - display description Fiel[...]

Authentication Commands 4-77: User Account and Privilege Level Commands: The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-31), user authentication via a remote authentication server (page 4-76), and host a[...]

Command Line Interface 4-78: Command Mode: Global Configuration. Command Usage: • Privilege level 0 provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions. Level 15 provides full access to all commands. • The encrypted password is required fo[...]

Authentication Commands 4-79: Example. Related Commands: enable (4-11), authentication enable (4-82). privilege: This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax: privilege mode [ all ] level level command; no privilege mode [ all ] command. • mode [...]

Command Line Interface 4-80: Command Usage: Due to system limitations in the current software, privilege commands (page 4-79) entered during the current switch session will not be stored properly in the running-config file (see show running-config on page 4-18). The privilege rerun command must therefore be used to correctly update these c[...]

Authentication Commands 4-81: authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax: authentication login {[ local ] [ radius ] [ tacacs ]}; no authentication login. • local - Use local password. • radius - Use RADIUS server password. • tacacs - Use TACACS[...]

Command Line Interface 4-82: authentication enable: This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-11). Use the no form to restore the default. Syntax: authentication enable {[ local ] [ radius ] [ tacacs ]}; no authe[...]

Authentication Commands 4-83: RADIUS Client: Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privile[...]

Command Line Interface 4-84: Example. radius-server port: This command sets the RADIUS server network port. Use the no form to restore the default. Syntax: radius-server port port-number; no radius-server port. port-number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting: 1812. Command Mode: Global Configurati[...]

Authentication Commands 4-85: radius-server retransmit: This command sets the number of retries. Use the no form to restore the default. Syntax: radius-server retransmit number-of-retries; no radius-server retransmit. number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) Default[...]

Command Line Interface 4-86: Example. TACACS+ Client: Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with[...]

Authentication Commands 4-87: tacacs-server host: This command specifies the TACACS+ server. Use the no form to restore the default. Syntax: [no] tacacs-server index host host-ip-address [ port port-number ] [ timeout timeout ] [ retransmit retransmit ] [ key key ] • index - Specifies the index number of the server. (Range: 1) • host-ip-a[...]

Command Line Interface 4-88: Example. tacacs-server key: This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax: tacacs-server key key-string; no tacacs-server key. key-string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characte[...]

Authentication Commands 4-89: tacacs-server timeout: This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax: tacacs-server timeout number_of_seconds; no tacacs-server timeout. number_of_seconds - Number of seconds the switch waits for a reply before r[...]

Command Line Interface 4-90: AAA Commands: The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. aaa group server: Use this command to name a group of security server hos[...]

Authentication Commands 4-91: Example. server: This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax: [no] server { index | ip-address } • index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) • ip-address - Specifies the host IP address of a server.[...]

Command Line Interface 4-92: aaa accounting dot1x: This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax: aaa accounting dot1x { default | method-name } start-stop group { radius | tacacs+ | server-group }; no aaa accounting dot1x { default | method-name } [...]

Authentication Commands 4-93: aaa accounting exec: This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax: aaa accounting exec { default | method-name } start-stop group { radius | tacacs+ | server-group }; no aaa accounting exec { default | method-name } • d[...]

Command Line Interface 4-94: aaa accounting commands: This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax: aaa accounting commands level { default | method-name } start-stop group { tacacs+ | server-group }; no aaa accounting commands level { default | method-name } • level - T[...]

Authentication Commands 4-95: aaa accounting update: This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax: aaa accounting update [ periodic interval ]; no aaa accounting update. interval - Sends an interim accounting record to the server at this interval. (Range: 1[...]

Command Line Interface 4-96: Example. accounting exec: This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax: accounting exec { default | list-name }; no accounting exec. • default - Specifies the default method list created with the aaa accounting exec co[...]

Authentication Commands 4-97: Command Mode: Line Configuration. Example. aaa authorization exec: This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax: aaa authorization exec { default | method-name } group { tacacs+ | server-group }; no aaa authorization exec { default | method-name } [...]

Command Line Interface 4-98: authorization exec: This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line. Syntax: authorization exec { default | list-name }; no authorization exec. • default - Specifies the default method list created with the aaa authorization ex[...]

Authentication Commands 4-99: Command Mode: Privileged Exec. Example. Web Server Commands: This section describes commands used to configure web browser management access to the switch. ip http port: This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax: ip http port port-number [...]

Command Line Interface 4-100: Example. Related Commands: ip http server (4-100). ip http server: This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax: [no] ip http server. Default Setting: Enabled. Command Mode: Global Configuration. Example. Related Commands: ip http port (4-[...]

Authentication Commands 4-101: • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection. - The client and server generate session keys for encrypting and decrypting[...]

Command Line Interface 4-102: Command Usage: • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number. Example. Related Commands: ip http secure-server ([...]

Authentication Commands 4-103: Secure Shell Commands: This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0. Configuration Guidelines [...]

Command Line Interface 4-104: Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example: 10.1.0.54 1024 35 1568499540186766925933394677505461732531367489083654725415020245593[...]

Authentication Commands 4-105: d) The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch. e) The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's[...]

Command Line Interface 4-106: Related Commands: ip ssh crypto host-key generate (4-108), show ssh (4-110). ip ssh timeout: This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax: ip ssh timeout seconds; no ip ssh timeout. seconds – The timeout for client response during SSH negotiation. (Ra[...]

Authentication Commands 4-107: Command Mode: Global Configuration. Example. Related Commands: show ip ssh (4-109). ip ssh server-key size: This command sets the SSH server key size. Use the no form to restore the default setting. Syntax: ip ssh server-key size key-size; no ip ssh server-key size. key-size – The size of server key. (Range: 512-896 bit[...]

Command Line Interface 4-108: Example. ip ssh crypto host-key generate: This command generates the host key pair (i.e., public and private). Syntax: ip ssh crypto host-key generate [ dsa | rsa ] • dsa – DSA (Version 2) key type. • rsa – RSA (Version 1) key type. Default Setting: Generates both the DSA and RSA key pairs. Command Mode: Privil[...]

Authentication Commands 4-109: Default Setting: Clears both the DSA and RSA key. Command Mode: Privileged Exec. Command Usage: • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command. Ex[...]

Command Line Interface 4-110: Example. show ssh: This command displays the current SSH server connections. Command Mode: Privileged Exec. Example: Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# Console#show ssh Connection Version State Username Encryption 0 [...]

Authentication Commands 4-111: show public-key: This command shows the public key for the specified user or for the host. Syntax: show public-key [ user [ username ] | host ]. username – Name of an SSH user. (Range: 1-8 characters) Default Setting: Shows all public keys. Command Mode: Privileged Exec. Command Usage: • If no parameters are entered,[...]

Command Line Interface 4-112: 802.1X Port Authentication: The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Pr[...]

Authentication Commands 4-113: dot1x default: This command sets all configurable dot1x global and port settings to their default values. Command Mode: Global Configuration. Example. dot1x max-req: This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the aut[...]

Command Line Interface 4-114: Default: force-authorized. Command Mode: Interface Configuration. Example. dot1x operation-mode: This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywo[...]

Authentication Commands 4-115: dot1x re-authenticate: This command forces re-authentication on all ports or a specific interface. Syntax: dot1x re-authenticate [ interface ]. interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) Command Mode: Privileged Exec. Command Usage: The re-authentication pro[...]

Command Line Interface 4-116: Related Commands: dot1x timeout re-authperiod (4-116). dot1x timeout quiet-period: This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax: dot1x timeout quiet-period seconds; no dot1x [...]

Authentication Commands 4-117: dot1x timeout tx-period: This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax: dot1x timeout tx-period seconds; no dot1x timeout tx-period. seconds - The number of seconds. (Range: [...]

Command Line Interface 4-118: Example. show dot1x: This command shows general port authentication related settings on the switch or a specific interface. Syntax: show dot1x [ statistics ] [ interface interface ] • statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - [...]

Authentication Commands 4-119: - max-req – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-113). - Status – Authorization status (authorized or not). - Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-a[...]

Command Line Interface 4-120: Example: Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized 1/1 disabled Single-Host ForceAuthorized n/a 1/2 enabled Single-Host auto yes . . . 1/26 disabled Single-Host ForceAuthorized n/a 802.1X Port Details 802.1X is disabled [...]

Authentication Commands 4-121: Management IP Filter Commands: This section describes commands used to configure IP management access to the switch. management: This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. Syntax: [no][...]

Command Line Interface 4-122: Example: This example restricts management access to the indicated addresses. show management: This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax: show management { all-client | http-client | snmp-client | telnet-client } • all-clie[...]

General Security Measures 4-123: General Security Measures: This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. I[...]

Command Line Interface 4-124: Port Security Commands: These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or stati[...]

General Security Measures 4-125: Command Usage: • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. • Use the port security com[...]

Command Line Interface 4-126: Network Access (MAC Address Authentication): Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfu[...]

General Security Measures 4-127: Command Usage: The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures. Example. network-access mode: Use this command to enable network ac[...]

Command Line Interface 4-128: indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.” Example. mac-authentication reauth-time: Use this command to set the time period after which a connected MAC address must be re-authenticate[...]

General Security Measures 4-129: Example. mac-authentication max-mac-count: Use this command to set the maximum number of MAC addresses that can be authenticated on a port via 802.1X authentication or MAC authentication. Use the no form of this command to restore the default. Syntax: mac-authentication max-mac-count count; no mac-authenticatio[...]

Command Line Interface 4-130: Example. show network-access mac-address-table: Use this command to display secure MAC address table entries. Syntax: show network-access mac-address-table [ static | dynamic ] [ address mac-address [ mask ]] [ interface interface ] [ sort { address | interface }] • static - Specifies static address entries. • [...]

General Security Measures 4-131: Example. DHCP Snooping Commands: DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to confi[...]

Command Line Interface 4-132: ip dhcp snooping: This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax: [no] ip dhcp snooping. Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: • Network traffic may be disrupted when malicious DHCP messages are received from an outside so[...]

General Security Measures 4-133: MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header. * If the DHCP packet is not a recognizable type, it is dropped. - If a DHCP packet from a client passes the f[...]

Command Line Interface 4-134: packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command (page 4-134). • When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globa[...]

General Security Measures 4-135: • Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example: This example sets port 5 to untrusted. Related Commands: ip dhcp snooping (4-132), ip dhcp snooping vlan (4-133), ip dhcp sn[...]

Command Line Interface 4-136 ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function. Syntax [no] ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuration Command Usage • DHCP provides a relay mechanism[...]

General Security Measures 4-137 ip dhcp snooping information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp snooping information policy { drop | keep | replace } • drop - Drops the client's request packet instead of relaying it. • keep - [...]
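The following is an added example, not code from the SMC manual or the switch firmware. It models the DHCP snooping filter described in the ip dhcp snooping Command Usage above together with the Option 82 information policy: client packets on untrusted ports are checked, with MAC address verification the client hardware address (chaddr) must equal the Ethernet source MAC, unrecognizable DHCP types are dropped, a client packet that passes is relayed only to trusted ports in its VLAN, and a client packet carrying Option 82 is dropped, kept or rewritten according to the policy. The option-53 type numbers, the rule that server replies (OFFER/ACK/NAK) arriving on an untrusted port are dropped, and the circuit-id format the switch inserts are assumptions for the example, not statements from the manual.

```python
"""Model of the DHCP snooping filter and the Option 82 policy (added example)."""
from dataclasses import dataclass, field, replace
from typing import Optional, Tuple

# DHCP option-53 message types (assumed numbering, standard for DHCPv4)
CLIENT_TYPES = {1, 3, 4, 7, 8}   # DISCOVER, REQUEST, DECLINE, RELEASE, INFORM
SERVER_TYPES = {2, 5, 6}         # OFFER, ACK, NAK


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int
    trusted: bool = False        # set by "ip dhcp snooping trust"


@dataclass(frozen=True)
class DhcpPacket:
    eth_src: str                 # source MAC in the Ethernet header
    chaddr: str                  # client hardware address inside the DHCP payload
    msg_type: int                # DHCP option 53
    option82: Optional[Tuple[str, str]] = None   # (circuit-id, remote-id) if present


@dataclass
class Snooper:
    global_enabled: bool = True          # "ip dhcp snooping"
    vlans: frozenset = frozenset()       # VLANs enabled with "ip dhcp snooping vlan"
    verify_mac: bool = True              # MAC address verification (Command Usage)
    option82: bool = False               # "ip dhcp snooping information option"
    policy: str = "replace"              # "ip dhcp snooping information policy"

    def _peers(self, port, ports, trusted_only=False):
        """Other ports in the same VLAN, optionally only the trusted ones."""
        return [p.name for p in ports
                if p != port and p.vlan == port.vlan and (p.trusted or not trusted_only)]

    def decide(self, pkt, port, ports):
        """Return (verdict, packet to relay or None, list of egress port names)."""
        if not self.global_enabled or port.vlan not in self.vlans or port.trusted:
            # No filtering: snooping is off for this VLAN, or the ingress port is trusted.
            return "forward", pkt, self._peers(port, ports)
        if pkt.msg_type in SERVER_TYPES:
            return "drop:server-on-untrusted", None, []     # rogue DHCP server (assumed rule)
        if pkt.msg_type not in CLIENT_TYPES:
            return "drop:unrecognised-type", None, []       # "not a recognizable type"
        if self.verify_mac and pkt.chaddr.lower() != pkt.eth_src.lower():
            return "drop:chaddr-mismatch", None, []         # chaddr != Ethernet source MAC
        out = pkt
        if self.option82:
            # circuit-id/remote-id format is an assumption for the example
            own = ("vlan%d:%s" % (port.vlan, port.name), "this-switch")
            if pkt.option82 is None or self.policy == "replace":
                out = replace(pkt, option82=own)
            elif self.policy == "drop":
                return "drop:option82-policy", None, []
            # policy "keep": a client-supplied Option 82 is relayed unchanged
        return "forward:trusted-only", out, self._peers(port, ports, trusted_only=True)


if __name__ == "__main__":
    # Constructed sample topology: one trusted uplink, two client ports in VLAN 10.
    ports = [Port("eth1/1", 10, trusted=True), Port("eth1/5", 10), Port("eth1/6", 10)]
    snoop = Snooper(vlans=frozenset({10}), option82=True, policy="replace")
    discover = DhcpPacket("00-11-22-33-44-55", "00-11-22-33-44-55", 1)
    print(snoop.decide(discover, ports[1], ports))
    rogue_offer = DhcpPacket("de-ad-be-ef-00-01", "00-11-22-33-44-55", 2)
    print(snoop.decide(rogue_offer, ports[2], ports))
```

The decision function returns the reason for every drop so that it can be logged; on the real switch the same events show up as dropped packets on the untrusted port, which is why a rogue server plugged into an access port never gets its OFFER past the first hop.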

Command Line Interface 4-138 show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example show ip dhcp snooping binding This command shows the DHCP snooping binding table entries. Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping status: disable [...]

General Security Measures 4-139 IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping Commands" on page 4-131). IP source guard[...]

Command Line Interface 4-140 • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port ide[...]

General Security Measures 4-141 ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port no ip source-guard binding mac-address vlan vlan-id • mac-address - A v[...]
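The following is an added example, not code from the SMC manual. It shows the IP Source Guard check that the two pages above describe: an IP packet arriving on a guarded port is forwarded only if its source MAC, source IP, VLAN and ingress port all match a binding table entry, where entries are either static (parsed here from the ip source-guard binding syntax shown above) or dynamic entries with a lease time learned through DHCP snooping. The function and class names, the hyphenated MAC format (the format the manual uses elsewhere) and the choice to match on all four fields rather than IP alone are assumptions for the example.

```python
"""IP Source Guard binding table and per-packet check (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    mac: str                       # hyphenated, lower-case
    ip: str
    vlan: int
    port: str                      # e.g. "eth1/5"
    kind: str                      # "Static-IP-SG-Binding" or "Dynamic-DHCP-Binding"
    expires: Optional[float] = None   # absolute time when a DHCP lease runs out


# "ip source-guard binding <mac> vlan <id> <ip> interface ethernet <unit>/<port>"
_STATIC = re.compile(
    r"^ip source-guard binding (?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5}) vlan (?P<vlan>\d+) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) interface ethernet (?P<port>\d+/\d+)$", re.I)


def parse_static_binding(line):
    """Turn one static binding command into a Binding; raises ValueError on bad input."""
    m = _STATIC.match(line.strip())
    if not m:
        raise ValueError("not a valid static binding: %r" % line)
    ipaddress.IPv4Address(m["ip"])          # rejects octets outside 0-255
    return Binding(m["mac"].lower(), m["ip"], int(m["vlan"]),
                   "eth" + m["port"], "Static-IP-SG-Binding")


class SourceGuard:
    def __init__(self):
        self.bindings = set()
        self.enabled_ports = set()          # ports with "ip source-guard" applied

    def add(self, binding):
        self.bindings.add(binding)

    def check(self, port, vlan, src_mac, src_ip, now):
        """Verdict for one IP packet received on `port` at time `now`."""
        if port not in self.enabled_ports:
            return "forward:guard-off"
        for b in self.bindings:
            if (b.port == port and b.vlan == vlan
                    and b.mac == src_mac.lower() and b.ip == src_ip):
                if b.kind == "Dynamic-DHCP-Binding" and b.expires is not None and now >= b.expires:
                    return "drop:lease-expired"     # stale lease no longer authorises the host
                return "forward:" + b.kind
        return "drop:no-binding"                    # spoofed or unlearned source


if __name__ == "__main__":
    # Constructed sample: one static and one DHCP-learned binding.
    sg = SourceGuard()
    sg.enabled_ports.update({"eth1/5", "eth1/6"})
    sg.add(parse_static_binding(
        "ip source-guard binding 00-e0-29-94-34-de vlan 10 192.168.1.20 interface ethernet 1/5"))
    sg.add(Binding("00-11-22-33-44-55", "192.168.1.30", 10, "eth1/6",
                   "Dynamic-DHCP-Binding", expires=1000.0))
    print(sg.check("eth1/5", 10, "00-e0-29-94-34-de", "192.168.1.20", 10.0))
    print(sg.check("eth1/5", 10, "00-e0-29-94-34-de", "192.168.1.99", 10.0))
```

The expiry check matters in practice: a dynamic entry comes from a DHCP lease, and once the lease ends the host must renew (and be re-learned) before it can send again, otherwise a departed host's address could be reused by whatever is plugged into the same port.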

Command Line Interface 4-142 Related Commands ip source-guard (4-139) ip dhcp snooping (4-132) ip dhcp snooping vlan (4-133) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example show ip source-guard binding This command shows the source guard binding tabl[...]

Access Control List Commands 4-143 Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules an[...]

Command Line Interface 4-144 access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip { standard | extended } acl-name • standard – Specifies an ACL that filters packets based on the source IP address. • [...]

Access Control List Commands 4-145 permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] { permit | deny } { any | source bitmask | host source } • any – Any source IP address. • sou[...]

Command Line Interface 4-146 permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, or source or destination protocol ports, or TCP control codes. Use the no form to remove a rule. Syntax [no] { permit |[...]

Access Control List Commands 4-147 Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore." The bitmask is bitwise ANDed[...]
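The following is an added example, not code from the SMC manual. It implements the two points in the Command Usage above for standard and extended IP ACLs: the address bitmask is ANDed with both the rule address and the packet address and 1 bits must match while 0 bits are ignored, and rules are evaluated in the order they were added, so the first matching rule decides. The rule-text parser accepts the standard forms shown on the previous pages (any, host address, address bitmask) plus an extended form with a protocol keyword and an eq destination port; that extended text shape, and the choice of deny when no rule matches, are assumptions for the example rather than the switch's exact grammar.

```python
"""Standard/extended IP ACL evaluation with 1=match/0=ignore bitmasks (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def matches_masked(addr, rule_addr, bitmask):
    """1 bits in the bitmask must match, 0 bits are ignored (the ACL convention above)."""
    return (_addr(addr) & _addr(bitmask)) == (_addr(rule_addr) & _addr(bitmask))


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"          # 0.0.0.0 = "any" (ignore every bit)
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None     # None = any IP protocol
    dst_port: Optional[int] = None     # None = any port


def _take_addr(tok):
    """Consume 'any', 'host A' or 'A MASK' from the token list."""
    w = tok.pop(0)
    if w == "any":
        return "0.0.0.0", "0.0.0.0"
    if w == "host":
        return tok.pop(0), "255.255.255.255"
    return w, tok.pop(0)


def parse_rule(text):
    """'permit host 10.1.1.5', 'deny 10.1.0.0 255.255.0.0', 'permit any' (standard)
    or 'permit tcp 10.1.0.0 255.255.0.0 host 192.168.0.10 eq 22' (assumed extended shape)."""
    tok = text.split()
    action = tok.pop(0)
    proto = None
    if tok and tok[0] in ("tcp", "udp", "ip"):
        proto = {"tcp": 6, "udp": 17, "ip": None}[tok.pop(0)]
    src, src_mask = _take_addr(tok)
    if tok and tok[0] != "eq":
        dst, dst_mask = _take_addr(tok)
    else:
        dst, dst_mask = "0.0.0.0", "0.0.0.0"
    port = int(tok[1]) if len(tok) >= 2 and tok[0] == "eq" else None
    return Rule(action, src, src_mask, dst, dst_mask, proto, port)


class Acl:
    def __init__(self, name, default="deny"):   # default action is an assumption
        self.name, self.rules, self.default = name, [], default

    def add(self, text):
        self.rules.append(parse_rule(text))      # new rules are appended to the end

    def evaluate(self, src, dst, protocol=None, dst_port=None):
        """Return (action, index of the first matching rule or None)."""
        for i, r in enumerate(self.rules):
            if (matches_masked(src, r.src, r.src_mask)
                    and matches_masked(dst, r.dst, r.dst_mask)
                    and (r.protocol is None or r.protocol == protocol)
                    and (r.dst_port is None or r.dst_port == dst_port)):
                return r.action, i
        return self.default, None


if __name__ == "__main__":
    acl = Acl("mgmt")
    acl.add("permit host 10.1.1.5")
    acl.add("deny 10.1.0.0 255.255.0.0")
    acl.add("permit any")
    print(acl.evaluate("10.1.7.9", "192.168.0.1"))     # hits the deny at index 1
```

Because every rule is appended, the same three rules entered with permit any first would shadow the deny entirely; when a list does not behave as expected, compare the order shown by show ip access-list with the order the rules were meant to apply in.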

Command Line Interface 4-148 Related Commands access-list ip (4-144) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list { standard | extended } [acl-name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. • acl-name – Name of the ACL. (Maximu[...]

Access Control List Commands 4-149 Example Related Commands show ip access-list (4-148) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Related Commands ip access-group (4-148) MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ether[...]

Command Line Interface 4-150 access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl-name acl-name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode Global Configuration Command Usage • When [...]

Access Control List Commands 4-151 [no] { permit | deny } untagged-eth2 { any | host source | source address-bitmask } { any | host destination | destination address-bitmask } [ethertype protocol [protocol-bitmask]] [no] { permit | deny } tagged-802.3 { any | host source | source address-bitmask } { any | host destination | destin[...]

Command Line Interface 4-152 Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Related Commands access-list mac (4-150) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl-name] acl-name – [...]

Access Control List Commands 4-153 Example Related Commands show mac access-list (4-152) show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Related Commands mac access-group (4-152) Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if[...]

Command Line Interface 4-154 ACL Information show access-list This command shows all ACLs and associated rules. Command Mode Privileged Exec Example show access-group This command shows the port assignments of ACLs. Command Mode Privileged Exec Example Table 4-47 ACL Information Command Function Mode Page show access-list Show all ACLs a[...]

Interface Commands 4-155 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. interface This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk. Syntax interface interface no interface port-channel ch[...]

Command Line Interface 4-156 Command Mode Global Configuration Example To specify port 24, enter the following command: description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to th[...]

Interface Commands 4-157 Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The 1000BASE-T standard does not[...]

Command Line Interface 4-158 Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. • If auto-negotiation is disabled, auto[...]

Interface Commands 4-159 Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The followin[...]

Command Line Interface 4-160 • Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub. Example The following example enables flow control on port 5. Related Commands negotiation (4-1[...]

Interface Commands 4-161 Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for [...]

Command Line Interface 4-162 Example The following shows how to configure broadcast storm control at 500 packets per second: clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) • port-cha[...]

Interface Commands 4-163 show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) • vlan vlan-id (Range: 1-4094) Default Setting Sho[...]

Command Line Interface 4-164 show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Default Setting Shows the counters for all interfac[...]

Interface Commands 4-165 show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) [...]

Command Line Interface 4-166 Private-VLAN Mode: NONE Private-VLAN host-association: NONE Private-VLAN Mapping: NONE 802.1Q-tunnel Status: Disable 802.1Q-tunnel Mode: NORMAL 802.1Q-tunnel TPID: 8100(Hex) Console# Table 4-49 Interfaces Switchport Statistics Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled [...]

Link Aggregation Commands 4-167 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and ano[...]

Command Line Interface 4-168 Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. • Ports must have the same port admin key (Ethernet Interface). • If the port channel admin key (lacp admin key - Port Channel) is not set whe[...]

Link Aggregation Commands 4-169 lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for ful[...]

Command Line Interface 4-170 Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. lacp system-priority This command configures a port's LACP system priority. U[...]

Link Aggregation Commands 4-171 Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch's MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations w[...]

Command Line Interface 4-172 • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the [...]

Link Aggregation Commands 4-173 lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp { actor | partner } port-priority priority no lacp { actor | partner } port-priority • actor - The local side of an aggregate link. • partner - The remote side of an aggregate li[...]

Command Line Interface 4-174 show lacp This command displays LACP information. Syntax show lacp [port-channel] { counters | internal | neighbors | sysid } • port-channel - Local identifier for a link aggregation group. (Range: 1-32) • counters - Statistics for LACP protocol messages. • internal - Configuration settings and operation[...]

Link Aggregation Commands 4-175 Console#show lacp 1 internal Port channel : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Adm[...]

Command Line Interface 4-176 Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Pa[...]

Link Aggregation Commands 4-177 Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 1 32768 00-12-CF-8F-2C-A7 2 32768 00-12-CF-8F-2C-A7 3 32768 00-12-CF-8F-2C-A7 4 32768 00-12-CF-8F-2C-A7 Console# Table 4-54 show lacp sysid - display description F[...]

Command Line Interface 4-178 Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. port monitor This command configures a mirror session. Use the no form to clear a mirror session. Syntax port monitor interface [rx | tx] no port monitor interface • interface - ethernet unit/port (source [...]

Mirror Port Commands 4-179 Example The following example configures the switch to mirror received packets from port 6 to 11: show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-[...]

Command Line Interface 4-180 RSPAN Mirroring Commands Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port. Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the vlan rspan command (page 4-221) to configure a VLAN to use [...]

RSPAN Mirroring Commands 4-181 has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports. • IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be conf[...]

Command Line Interface 4-182 • The source port and destination port cannot be configured on the same switch. Example The following example configures the switch to mirror received packets from ports 2 and 3: rspan destination Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSP[...]

RSPAN Mirroring Commands 4-183 Example The following example configures port 4 to receive mirrored RSPAN traffic: rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable RSPAN on the specified VLAN. Syntax [no] rspan session s[...]

Command Line Interface 4-184 switchport allowed vlan command (page 4-226). Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command (page 4-228) will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. Example The following example enables RSPAN on VLAN[...]

Rate Limit Commands 4-185 Command Mode Privileged Exec Example Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate li[...]

Command Line Interface 4-186 Command Mode Interface Configuration (Ethernet, Port Channel) Example Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the switch ports. The switch's power management enables total switch power and individual port power to be control[...]

Power over Ethernet Commands 4-187 Default Setting 375 watts Command Mode Global Configuration Command Usage • Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source. • If the power demand from devices connected to the switch exceeds the power budget set[...]

Command Line Interface 4-188 Example power inline This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port. Syntax [no] power inline Default Setting Detection is enabled for PoE-compliant dev[...]

Power over Ethernet Commands 4-189 power inline maximum allocation This command limits the power allocated to specific ports. Use the no form to restore the default setting. Syntax power inline maximum allocation [milliwatts] no power inline maximum allocation milliwatts - The maximum power budget for the port. (Range: 0 - 31000 milliw[...]

Command Line Interface 4-190 Command Usage • If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to control the supplied power. For example: - A device connected to a low-priority port that causes the switch to exceed its budget is not supplied power. - A [...]
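The following is an added example, not code from the SMC manual. It models the budget behaviour described in the power budget, maximum allocation and priority sections above: each port's maximum allocation (0-31000 mW) is charged against the switch budget in priority order, a port whose allocation would push the total over the budget is not powered, and plugging a device into a higher-priority port can take power away from lower-priority ports that were already powered. The priority names critical/high/low, the tie-break by port number and the function names are assumptions for the example.

```python
"""PoE budget allocation by port priority (added example)."""
from dataclasses import dataclass

PRIORITY = {"critical": 0, "high": 1, "low": 2}   # assumed names; lower value is served first
MAX_PORT_MW = 31000                               # "power inline maximum allocation" range


@dataclass(frozen=True)
class PoePort:
    port: int
    max_allocation_mw: int          # per-port limit from "power inline maximum allocation"
    priority: str = "low"
    device_present: bool = True     # a PoE-compliant device was detected on the port

    def __post_init__(self):
        if not 0 <= self.max_allocation_mw <= MAX_PORT_MW:
            raise ValueError("port %d: allocation %d mW outside 0-%d"
                             % (self.port, self.max_allocation_mw, MAX_PORT_MW))
        if self.priority not in PRIORITY:
            raise ValueError("port %d: unknown priority %r" % (self.port, self.priority))


def allocate(ports, budget_mw):
    """Return (powered port numbers, denied port numbers, unused budget in mW).

    Ports are charged against the budget from highest to lowest priority; a port whose
    allocation would exceed what is left is denied (it is not powered at all)."""
    order = sorted(ports, key=lambda p: (PRIORITY[p.priority], p.port))
    remaining, powered, denied = budget_mw, [], []
    for p in order:
        if not p.device_present or p.max_allocation_mw == 0:
            continue                                   # nothing to power on this port
        if p.max_allocation_mw <= remaining:
            remaining -= p.max_allocation_mw
            powered.append(p.port)
        else:
            denied.append(p.port)
    return sorted(powered), sorted(denied), remaining


def preempted_by(ports, budget_mw, newcomer):
    """Ports that lose power when `newcomer` is plugged in alongside `ports`."""
    before, _, _ = allocate(ports, budget_mw)
    after, _, _ = allocate(list(ports) + [newcomer], budget_mw)
    return sorted(set(before) - set(after))


if __name__ == "__main__":
    # Constructed sample: a 60 W budget shared by four ports.
    ports = [PoePort(1, 15400, "critical"), PoePort(2, 30000, "high"),
             PoePort(3, 15400, "low"), PoePort(4, 15400, "low")]
    print(allocate(ports, 60000))
    print(preempted_by([ports[0], ports[2], ports[3]], 50000, ports[1]))
```

Put phones, access points and cameras you cannot afford to lose on higher-priority ports and leave the default low priority on guest-facing ports; otherwise an attacker who can plug a power-hungry device into a low-priority port still cannot starve critical devices, but a misconfigured high-priority port can.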

Power over Ethernet Commands 4-191 show power inline status This command displays the current power status for all ports or for specific ports. Syntax show power inline status [interface] interface ethernet • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-26) Command Mode Privileged Exec Example Console#show power inline s[...]

Command Line Interface 4-192 show power mainpower Use this command to display the current power status for the switch. Command Mode Privileged Exec Example Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.[...]

Power over Ethernet Commands 4-193 mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id • mac-address - MAC address. • [...]

Command Line Interface 4-194 clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example show mac-address-table This command shows classes of entries in th[...]

Power over Ethernet Commands 4-195 means to match a bit and "1" means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means "any." (Note that this is the opposite of the ACL bitmask convention on page 4-147, where 1 bits match.) • The maximum number of address entries is 8191. Example mac-address-table aging-time This command sets the aging time for entries in th[...]

Command Line Interface 4-196 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-62 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol GC 4-197 spa[...]

Spanning Tree Commands 4-197 spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable n[...]

Command Line Interface 4-198 Command Usage • Spanning Tree Protocol uses RSTP for the internal state machine, but sends only 802.1D BPDUs. - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network[...]

Spanning Tree Commands 4-199 Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes befo[...]

Command Line Interface 4-200 spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello[...]

Spanning Tree Commands 4-201 Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lowest numeric value) becomes the STA root device. However, if all devices have the same priority, the device w[...]
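The following is an added example, not code from the SMC manual, covering the max-age page and the bridge priority page above. The first function checks a proposed set of STA timers against the relationship the max-age text starts to state (max-age must be at least the higher of 6 or 2 x (hello-time + 1)) together with its upper bound from IEEE 802.1D, max-age at most 2 x (forward-delay - 1), which the switch also enforces when it clamps the range; the second picks the root bridge from a set of candidates by the rule just given: lowest priority value wins, and equal priorities are broken by the lowest MAC address. The hello-time range 1-10 and forward-delay range 4-30 used for the range checks are assumptions taken from typical switch limits, not from this page.

```python
"""STA timer consistency check and root bridge election (added example)."""
from dataclasses import dataclass

HELLO_RANGE = (1, 10)        # assumed range of spanning-tree hello-time
MAX_AGE_RANGE = (6, 40)      # from the max-age page above
FWD_DELAY_RANGE = (4, 30)    # assumed range of spanning-tree forward-time


def max_age_bounds(hello, forward_delay):
    """(minimum, maximum) legal max-age for the given hello and forward-delay."""
    return max(6, 2 * (hello + 1)), min(40, 2 * (forward_delay - 1))


def validate_stp_timers(hello=2, max_age=20, forward_delay=15):
    """Return a list of violated constraints; an empty list means the set is consistent."""
    problems = []
    for name, value, (lo, hi) in (("hello-time", hello, HELLO_RANGE),
                                  ("max-age", max_age, MAX_AGE_RANGE),
                                  ("forward-time", forward_delay, FWD_DELAY_RANGE)):
        if not lo <= value <= hi:
            problems.append("%s %d outside %d-%d" % (name, value, lo, hi))
    if max_age < 2 * (hello + 1):
        # BPDUs would age out before the next two hellos could refresh them
        problems.append("max-age %d < 2*(hello+1)=%d" % (max_age, 2 * (hello + 1)))
    if max_age > 2 * (forward_delay - 1):
        # stale information could outlive the listening+learning transition
        problems.append("max-age %d > 2*(forward-delay-1)=%d"
                        % (max_age, 2 * (forward_delay - 1)))
    return problems


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                 # "00-12-CF-8F-2C-A7" style
    priority: int = 32768    # spanning-tree priority, default from the page above


def bridge_id(bridge):
    """Comparable bridge identifier: (priority, MAC as an integer); lower wins."""
    return bridge.priority, int(bridge.mac.replace("-", "").replace(":", ""), 16)


def elect_root(bridges):
    """The bridge with the lowest priority value, ties broken by lowest MAC address."""
    return min(bridges, key=bridge_id)


if __name__ == "__main__":
    print(validate_stp_timers(hello=10, max_age=20, forward_delay=15))
    # Constructed sample: a core switch with a lowered priority versus two default bridges
    candidates = [Bridge("core", "00-12-CF-8F-2C-A7", 4096),
                  Bridge("edge", "00-00-00-00-00-01"),
                  Bridge("unknown-box", "00-00-00-00-00-00")]
    print(elect_root(candidates).name)
```

The election rule is the reason to lower the priority on the intended root rather than leaving every bridge at 32768: with equal priorities, whichever device has the lowest MAC address becomes root, and that can be an unmanaged switch or a laptop running a bridge that someone plugged into an edge port.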

Command Line Interface 4-202 spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1[...]

Spanning Tree Commands 4-203 mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters removes all VLANs. Syntax [no] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • vlan-[...]

Command Line Interface 4-204 Default Setting 32768 Command Mode MST Configuration Command Usage • MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priorit[...]

Spanning Tree Commands 4-205 revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting 0 Command Mode MST Configuration Command Usage The MST[...]

Command Line Interface 4-206 bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the spec[...]

Spanning Tree Commands 4-207 Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost "0" is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recom[...]

Command Line Interface 4-208 spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting 128 Command Mode In[...]

Spanning Tree Commands 4-209 devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-re[...]

Command Line Interface 4-210 Related Commands spanning-tree edge-port (4-208) spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type { auto | point-to-point | shared } no spanning-tree link-type • auto - Au[...]

Spanning Tree Commands 4-211 spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost • instance_id - Instance identifier of the spanning tree. (Range: 0[...]

Command Line Interface 4-212 spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id port-priority priority no spanning-tree mst instance_id port-priority • instance_id - Instance [...]

Spanning Tree Commands 4-213 Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check t[...]

Command Line Interface 4-214 Example Console#show spanning-tree Spanning-tree information ----------------------------------------------------------------- Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: 0 VLANs Configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): 2 Bridge Max Age (sec.): 20 Bridge Forward[...]

VLAN Commands 4-215 show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes co[...]

Command Line Interface 4-216 GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as h[...]

VLAN Commands 4-217 show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See "Displaying Basic VLAN Information" on page 3-168 and "Displaying Bridge Extension Capabilities" on page 3-15 for a description of the displayed items.[...]

Command Line Interface 4-218 show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Default Setting Shows both global and interface-specific [...]

VLAN Commands 4-219 Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experienci[...]

Command Line Interface 4-220 Related Commands garp timer (4-218) Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After [...]

VLAN Commands 4-221 vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state { active | suspend }] [rspan] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) • name - Keyword to be[...]

Command Line Interface 4-222 Configuring VLAN Interfaces interface vlan This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Syntax interface vlan vlan-id vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes) Default Setting None Command Mode Global[...]

    VLAN Commands 4-223 4 switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {access | hybrid | trunk | private-vlan} no switchport mode • access - Specifies an access VLAN interface. The port transmits and receives untagged frames only. • trunk - Specifi[...]

  • Page 512

    Command Line Interface 4-224 4 switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. • tagged - The[...]

  • Page 513

    VLAN Commands 4-225 4 • If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port). • If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a me[...]

  • Page 514

    Command Line Interface 4-226 4 switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. • remove[...]

  • Page 515

    VLAN Commands 4-227 4 switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. • remove vlan-list - List of VLAN identifiers t[...]

  • Page 516

    Command Line Interface 4-228 4 Displaying VLAN Information show vlan This command shows VLAN information. Syntax show vlan [id vlan-id | name vlan-name | private-vlan private-vlan-type] • id - Keyword to be followed by the VLAN ID. vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes) • name - Keyword to be followed by[...]

  • Page 517

    VLAN Commands 4-229 4 Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-spe[...]

  • Page 518

    Command Line Interface 4-230 4 reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports. dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode. Syntax [no] dot1q-tunnel system-tunnel-control Default Set[...]

  • Page 519

    VLAN Commands 4-231 4 • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag. • When a tunnel uplink port receives a packet from the service provider, the outer service provi[...]

  • Page 520

    Command Line Interface 4-232 4 Example Related Commands show interfaces switchport (4-165) show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Related Commands switchport dot1q-tunnel mode (4-230) Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel tpid 9[...]

  • Page 521

    VLAN Commands 4-233 4 Configuring Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Local traffic b[...]

  • Page 522

    Command Line Interface 4-234 4 Example pvlan up-link/down-link This command configures uplink/downlink ports for traffic-segmentation client sessions. Use the no form to restore a port to normal operating mode. Syntax pvlan [up-link interface-list down-link interface-list] no pvlan • up-link - Specifies an uplink interface. • down-li[...]

  • Page 523

    VLAN Commands 4-235 4 Example Configuring Private VLANs Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports [...]

  • Page 524

    Command Line Interface 4-236 4 To configure primary/community associated groups, follow these steps: 1. Use the private-vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups. 2. Use the private-vlan association command to map the community VLAN(s) to the prima[...]

  • Page 525

    VLAN Commands 4-237 4 Example private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no pri[...]

  • Page 526

    Command Line Interface 4-238 4 switchport mode private-vlan Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting. Syntax switchport mode private-vlan {host | promiscuous} no switchport mode private-vlan • host – This port type can subsequently be assigned to a community VLAN. •[...]

  • Page 527

    VLAN Commands 4-239 4 Command Usage All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN. Example switchport private-vlan mapping Use this command to map an interface to a primary VLAN. U[...]

  • Page 528

    Command Line Interface 4-240 4 Default Setting None Command Mode Privileged Executive Example Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the d[...]

  • Page 529

    VLAN Commands 4-241 4 Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch. If lost in this manner, network access can be regained by removing the offending Protocol VLAN rule via the console. Alternately, the switch can be power-cycled, however all unsaved configuration changes[...]

  • Page 530

    Command Line Interface 4-242 4 Default Setting No protocol groups are mapped for any interface. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4[...]

  • Page 531

    VLAN Commands 4-243 4 Example This shows protocol group 1 configured for IP over Ethernet: show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - Stack [...]

  • Page 532

    Command Line Interface 4-244 4 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be t[...]

  • Page 533

    Class of Service Commands 4-245 4 queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode • strict - Services the egress queues in sequential order, transmittin[...]

  • Page 534

    Command Line Interface 4-246 4 Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • The[...]

  • Page 535

    Class of Service Commands 4-247 4 Default Setting Weights 1, 2, 4, 8 are assigned to queues 0-3 respectively. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • WRR controls bandwidth sharing at the egress port by defining scheduling weights. • WRR uses a relative weight for each queue which determines the nu[...]

  • Page 536

    Command Line Interface 4-248 4 Default Setting This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below. Co[...]

  • Page 537

    Class of Service Commands 4-249 4 show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting None Command Mode Privileged Exec Example show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface •[...]

  • Page 538

    Command Line Interface 4-250 4 Priority Commands (Layer 3 and 4) map ip port (Global Configuration) This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. Syntax [no] map ip port Default Setting Disabled Command Mode Global Configuration Command Usage The preced[...]

  • Page 539

    Class of Service Commands 4-251 4 map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number • port-number - 16-bit TCP/UDP port number. (Range: 0-65535) • cos-value - Class-of-Ser[...]

  • Page 540

    Command Line Interface 4-252 4 Example The following example shows how to enable IP precedence mapping globally: map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value [...]

  • Page 541

    Class of Service Commands 4-253 4 Default Setting Disabled Command Mode Global Configuration Command Usage The precedence for priority mapping is IP DSCP, and default switchport priority. Example The following example shows how to enable IP DSCP mapping globally: map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e.,[...]

  • Page 542

    Command Line Interface 4-254 4 Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues. • This command [...]

  • Page 543

    Class of Service Commands 4-255 4 show map ip precedence This command shows the IP precedence priority map. Syntax show map ip precedence [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Command Mode Privileged Exec Example Related [...]

  • Page 544

    Command Line Interface 4-256 4 Command Mode Privileged Exec Example Related Commands map ip dscp (Global Configuration) (4-252) map ip dscp (Interface Configuration) (4-253) Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 0 0 Eth 1/ 1 1 0 Eth 1/ 1 2 0 Eth 1/ 1 3 0 . . . Eth 1/ 1 61 0 [...]

  • Page 545

    Quality of Service Commands 4-257 4 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic b[...]

  • Page 546

    Command Line Interface 4-258 4 5. Use the set command to modify the QoS value for matching traffic class, and use the policer command to monitor the average flow and burst rate, and drop any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate. 6. Use the service-policy co[...]

  • Page 547

    Quality of Service Commands 4-259 4 match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including [...]

  • Page 548

    Command Line Interface 4-260 4 rename This command redefines the name of a class map or policy map. Syntax rename map-name map-name - Name of the class map or policy map. (Range: 1-16 characters) Command Mode Class Map Configuration Policy Map Configuration Example description This command specifies the description of a class map or policy map.[...]

  • Page 549

    Quality of Service Commands 4-261 4 policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map. (Range: 1-16 [...]

  • Page 550

    Command Line Interface 4-262 4 Command Mode Policy Map Configuration Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the: - set co[...]

  • Page 551

    Quality of Service Commands 4-263 4 incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets. police This command defines a policer for classified traffic. Use the no form to remove a policer. Sy[...]

  • Page 552

    Command Line Interface 4-264 4 service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name • input - Apply to the input traffic. • policy-map-name - Name o[...]

  • Page 553

    Quality of Service Commands 4-265 4 Example show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] • policy-map-name - Name of the policy map. (Range: 1-16 char[...]

  • Page 554

    Command Line Interface 4-266 4 Command Mode Privileged Exec Example Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports o[...]

  • Page 555

    Multicast Filtering Commands 4-267 4 ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. ip igmp snooping vlan static This command adds a port to a multic[...]

  • Page 556

    Command Line Interface 4-268 4 ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2} no ip igmp snooping version • 1 - IGMP Version 1 • 2 - IGMP Version 2 Default Setting IGMP Version 2 Command Mode Global Configuration Command Usag[...]

  • Page 557

    Multicast Filtering Commands 4-269 4 • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. • The leave-proxy feature does not function when a switch is set as the querier. •[...]

  • Page 558

    Command Line Interface 4-270 4 Example The following shows how to enable immediate leave. show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See "Configuring IGMP Snooping and Query Parameters" on page 3-210 for a description of the displayed ite[...]

  • Page 559

    Multicast Filtering Commands 4-271 4 Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: IGMP Query Commands (Layer 2) This section describes commands used to configure Layer 2 IGMP[...]

  • Page 560

    Command Line Interface 4-272 4 Command Usage • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 4-268). • If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. Example ip igmp snooping query-count This c[...]

  • Page 561

    Multicast Filtering Commands 4-273 4 ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages. (Range: 60-125) Default Sett[...]

  • Page 562

    Command Line Interface 4-274 4 Example The following shows how to configure the maximum response time to 20 seconds: Related Commands ip igmp snooping version (4-268) ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time s[...]

  • Page 563

    Multicast Filtering Commands 4-275 4 Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch. ip igmp snooping vlan mrouter This command statically configures a multicast router port. Use the no form to remove the configuration. Syntax [no] ip igmp snooping vlan vlan-i[...]

  • Page 564

    Command Line Interface 4-276 4 show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode[...]

  • Page 565

    Multicast Filtering Commands 4-277 4 IGMP Filtering and Throttling Commands In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting a[...]

  • Page 566

    Command Line Interface 4-278 4 • The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic. Example ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax [no] ip igmp profile profile-numb[...]

  • Page 567

    Multicast Filtering Commands 4-279 4 • When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range. Example range This command specifies multic[...]

  • Page 568

    Command Line Interface 4-280 4 Command Mode Interface Configuration Command Usage • The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. • Only one profile can be assigned to an interface. • A profile can also be assigned to a trunk interface. When ports a[...]

  • Page 569

    Multicast Filtering Commands 4-281 4 Example ip igmp max-groups action This command sets the IGMP throttling action for an interface on the switch. Syntax ip igmp max-groups action {replace | deny} • replace - The new multicast group replaces an existing group. • deny - The new multicast group join report is dropped. Default Setting Den[...]

  • Page 570

    Command Line Interface 4-282 4 Command Mode Privileged Exec Example show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode Privileged Exec Example C[...]

  • Page 571

    Multicast Filtering Commands 4-283 4 show ip igmp throttle interface This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Default [...]

  • Page 572

    Command Line Interface 4-284 4 Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN i[...]

  • Page 573

    Multicast Filtering Commands 4-285 4 Command Mode Global Configuration Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from th[...]

  • Page 574

    Command Line Interface 4-286 4 mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword. Use the no form to restore the def[...]

  • Page 575

    Multicast Filtering Commands 4-287 4 • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting[...]

  • Page 576

    Command Line Interface 4-288 4 Default Setting Displays global configuration settings for MVR when no keywords are used. Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use [...]

  • Page 577

    Multicast Filtering Commands 4-289 4 The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN: Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if th[...]

  • Page 578

    Command Line Interface 4-290 4 Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note[...]

  • Page 579

    Domain Name Service Commands 4-291 4 Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device. Example Th[...]

  • Page 580

    Command Line Interface 4-292 4 Default Setting None Command Mode Global Configuration Example Related Commands ip domain-list (4-292) ip name-server (4-293) ip domain-lookup (4-294) ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not forma[...]

  • Page 581

    Domain Name Service Commands 4-293 4 Example This example adds two domain names to the current list and then displays the list. Related Commands ip domain-name (4-291) ip name-server This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this lis[...]

  • Page 582

    Command Line Interface 4-294 4 Example This example adds two domain-name servers to the list and then displays the list. Related Commands ip domain-name (4-291) ip domain-lookup (4-294) ip domain-lookup This command enables DNS host name-to-address translation. Use the no form to disable DNS. Syntax [no] ip domain-lookup Default Setting D[...]

  • Page 583

    Domain Name Service Commands 4-295 4 Related Commands ip domain-name (4-291) ip name-server (4-293) show hosts This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry. sh[...]

  • Page 584

    Command Line Interface 4-296 4 show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#show dns cache NO FLAG TYPE DOMAIN TTL IP 0 4 Address www.times.com 198 199.239.136.200 1 4 Address a111[...]

  • Page 585

    IP Interface Commands 4-297 4 IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. Y[...]

  • Page 586

    Command Line Interface 4-298 4 • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask). •[...]

  • Page 587

    IP Interface Commands 4-299 4 Related Commands show ip redirects (4-300) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address comm[...]

  • Page 588

    Command Line Interface 4-300 4 Related Commands show ip redirects (4-300) show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Related Commands ip default-gateway (4-298) ping This command sends ICMP echo request packets to another node on the network[...]

  • Page 589

    IP Interface Commands 4-301 4 • Press <Esc> to stop pinging. Example Related Commands interface (4-155) Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms Ping statistics fo[...]

  • Page 590

    Command Line Interface 4-302 4[...]

  • Page 591

    A-1 Appendix A: Software Specifications Software Features Authentication and General Security Measures Local, RADIUS, TACACS, Port (802.1X, MAC Authentication), AAA, HTTPS, SSH, Port Security, IP Filter, DHCP Snooping, IP Source Guard Access Control Lists 128 ACLS (96 MAC rules, 96 IP rules) DHCP Client Port Configuration 100BASE-TX: 10/1[...]

  • Page 592

    Software Specifications A-2 A Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SM[...]

  • Page 593

    Management Information Bases A-3 A DHCP Client (RFC 2131) DHCP Options (RFC 2132) HTTPS IGMP (RFC 1112) IGMPv2 (RFC 2236) IGMPv3 (RFC 3376) - partial support RADIUS+ (RFC 2618) RMON (RFC 2819 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 2571) SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3414, 3415) SNTP (RFC 2030) SSH (Version 2.0) TELNET (RFC 8[...]

  • Page 594

    Software Specifications A-4 A SNMP View Based ACM MIB (RFC 3415) TACACS+ Authentication Client MIB TCP MIB (RFC 2013) Trap (RFC 1215) UDP MIB (RFC 2013)[...]

  • Page 595

    B-1 Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, web browser, or SNMP software • Be sure the switch is powered up. • Check network cabling between the management station and the switch. • Check that you have a valid network connectio[...]

  • Page 596

    Troubleshooting B-2 B Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Designate the S[...]

  • Page 597

    Glossary-1 Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide boot up information for network devices, including IP address information, the address of the TF[...]

  • Page 598

    Glossary Glossary-2 DHCP Snooping A technique used to enhance network security by snooping on DHCP server messages to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible. Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a cl[...]

  • Page 599

    Glossary-3 Glossary IEEE 802.1p An IEEE standard for providing quality of service (QoS) in Ethernet networks. The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value. IEEE 802.1s An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which p[...]

  • Page 600

    Glossary Glossary-4 IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts. IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest pr[...]

  • Page 601

    Glossary-5 Glossary Multiple Spanning Tree Protocol (MSTP) MSTP can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group. Network Time Protocol[...]

  • Page 602

    Glossary Glossary-6 Remote Monitoring (RMON) RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types. Remote Switched Port Analyzer (RSPAN) RSPAN can be used to mirror traffic from remote switch[...]

  • Page 603

    Glossary-7 Glossary Transmission Control Protocol/Internet Protocol (TCP/IP) Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol. Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads. User Datagram Protocol (UDP) UDP provides a datagram mode for [...]

  • Page 604

    Glossary Glossary-8[...]

  • Page 605

    Index-1 Numerics 802.1Q tunnel 3-178, 4-229 access 3-183, 4-230 configuration, guidelines 3-181 configuration, limitations 3-180 description 3-178 ethernet type 3-182, 4-231 interface configuration 3-182, 4-230–4-231 mode selection 3-183, 4-230 status, configuring 3-181, 4-230 TPID 3-182, 4-231 uplink 3-183, 4-230 802.1X port authenticati[...]

  • Page 606

    Index-2 Index D default gateway, configuration 3-16, 4-298 default priority, ingress port 3-189, 4-245 default settings, system 1-6 DHCP 3-18, 4-297 client 3-16, 4-297 dynamic configuration 2-5 DHCP snooping enabling 3-102, 4-132 global configuration 3-102, 4-132 information option 3-104, 4-136 information option policy 3-104, 4-137 inform[...]

  • Page 607

    Index-3 Index IGMP filter profiles, configuration 3-219, 4-277 filter, parameters 3-219, 4-277 filtering & throttling, creating profile 3-218, 4-278 filtering & throttling, enabling 3-218, 4-277 filtering & throttling, interface configuration 3-221, 4-279 filtering & throttling, status 3-218, 4-277 filtering and throttlin[...]

  • Page 608

    Index-4 Index MSTP 3-158, 4-197 configuring 3-158, 4-202–4-213 global settings, configuring 3-147, 3-158, 4-196, 4-203–4-205 global settings, displaying 3-144, 4-213 interface settings, configuring 3-154, 3-163, 4-196 interface settings, displaying 3-161, 4-213 path cost 3-163, 4-211 multicast filtering 3-208, 4-266 multicast groups [...]

  • Page 609

    Index-5 Index problems, troubleshooting B-1 profiles, IGMP filter 3-219, 4-278 promiscuous ports 4-235 protocol migration 3-156, 4-212 protocol VLANs 3-185, 4-240 configuring 3-186, 4-241 interface configuration 3-187, 4-241 system configuration 3-187, 4-241 public key 3-75, 4-103 PVID, port native VLAN 3-176, 4-225 PVLAN association 4-237 co[...]

  • Page 610

    Index-6 Index STA 3-142, 4-196 edge port 3-153, 3-156, 4-208 global settings, configuring 3-147, 4-197–4-202 global settings, displaying 3-144, 4-213 interface settings, configuring 3-154, 4-206–4-212 interface settings, displaying 3-151, 4-213 link type 3-153, 3-156, 4-210 MSTP path cost 3-163, 4-211 MSTP settings, configuring 3-163, 4-2[...]

  • Page 611

    Index-7 Index V VLANs 3-164, 3-185, 3-189, 4-215, 4-228 802.1Q tunnel mode 3-183, 4-230 adding static members 3-173, 3-175, 4-226 creating 3-170, 4-221 description 3-164, 3-189 displaying basic information 3-168, 4-217 displaying port members 3-169, 4-228 egress mode 3-177, 4-223 interface configuration 3-176, 4-224–4-227 private 3-184, 4-2[...]

  • Page 612

    Index-8 Index[...]


  • Page 614

    149100000023A R01 SMC8126PL2-F[...]