Table of contents for the manual
Page 1
www.edge-core.com Management Guide Powered by Accton ES4512C ES4524C ES4548C 12/24/48-Port Gigabit Intelligent Switch[...]
Page 2
[...]
Page 3
Installation Guide ES4512C 12-Port Gigabit Intelligent Switch Layer 2 Workgroup Switch with 12 1000BASE-T (RJ-45) Ports, and 4 Combination (RJ-45/SFP) Ports ES4524C 24-Port Gigabit Intelligent Switch Layer 2 Workgroup Switch with 24 1000BASE-T (RJ-45) Ports, and 4 Combination (RJ-45/SFP) Ports ES4548C 48-Port Gigabit Intelligent Switch Layer[...]
Page 4
ES4512C ES4524C ES4548C E052005-R02[...]
Page 5
i Contents Chapter 1: Introduction 1-1 Key Features 1-1 Description of Software Features 1-2 System Defaults 1-5 Chapter 2: Initial Configuration 2-1 Connecting to the Switch 2-1 Configuration Options 2-1 Required Connections 2-2 Remote Connections 2-3 Basic Configuration 2-3 Console Connection 2-3 Setting Passwords 2-4 Setting an IP Address 2-4[...]
Page 6
Contents ii System Log Configuration 3-19 Remote Log Configuration 3-20 Displaying Log Messages 3-22 Sending Simple Mail Transfer Protocol Alerts 3-23 Resetting the System 3-25 Setting the System Clock 3-26 Configuring SNTP 3-26 Setting the Time Zone 3-27 Simple Network Management Protocol 3-28 Setting Community Access Strings 3-28 Specifying Tra[...]
Page 7
Contents iii Displaying LACP Settings and Status for the Local Side 3-77 Displaying LACP Settings and Status for the Remote Side 3-79 Setting Broadcast Storm Thresholds 3-80 Configuring Port Mirroring 3-82 Configuring Rate Limits 3-83 Showing Port Statistics 3-84 Address Table Settings 3-88 Setting Static Addresses 3-88 Displaying the Address Ta[...]
Page 8
Contents iv Mapping CoS Values to ACLs 3-136 Changing Priorities Based on ACL Rules 3-137 Multicast Filtering 3-139 Layer 2 IGMP (Snooping and Query) 3-139 Configuring IGMP Snooping and Query Parameters 3-140 Displaying Interfaces Attached to a Multicast Router 3-142 Specifying Static Interfaces for a Multicast Router 3-143 Displaying Port Members[...]
Page 9
Contents v disconnect 4-18 show line 4-19 General Commands 4-20 enable 4-20 disable 4-21 configure 4-21 show history 4-22 reload 4-22 end 4-23 exit 4-23 quit 4-24 System Management Commands 4-24 Device Designation Commands 4-25 prompt 4-25 hostname 4-25 User Access Commands 4-26 username 4-26 enable password 4-27 IP Filter Commands 4-28 managemen[...]
Page 10
Contents vi logging facility 4-45 logging trap 4-46 clear logging 4-46 show logging 4-47 SMTP Alert Commands 4-48 logging sendmail host 4-49 logging sendmail level 4-49 logging sendmail source-email 4-50 logging sendmail destination-email 4-50 logging sendmail 4-51 show logging sendmail 4-51 Time Commands 4-52 sntp client 4-52 sntp server 4-5[...]
Page 11
Contents vii tacacs-server host 4-74 tacacs-server port 4-74 tacacs-server key 4-75 show tacacs-server 4-75 Port Security Commands 4-76 port security 4-76 802.1x Port Authentication 4-78 authentication dot1x default 4-78 dot1x default 4-79 dot1x max-req 4-79 dot1x port-control 4-80 dot1x operation-mode 4-80 dot1x re-authenticate 4-81 dot1x re-aut[...]
Page 12
Contents viii ACL Information 4-111 show access-list 4-111 show access-group 4-111 SNMP Commands 4-112 snmp-server community 4-112 snmp-server contact 4-113 snmp-server location 4-113 snmp-server host 4-114 snmp-server enable traps 4-115 show snmp 4-115 DNS Commands 4-117 ip host 4-117 clear host 4-118 ip domain-name 4-118 ip domain-list 4-119 ip [...]
Page 13
Contents ix lacp admin-key (Port Channel) 4-142 lacp port-priority 4-142 show lacp 4-143 Address Table Commands 4-147 mac-address-table static 4-148 clear mac-address-table dynamic 4-149 show mac-address-table 4-149 mac-address-table aging-time 4-150 show mac-address-table aging-time 4-150 Spanning Tree Commands 4-151 spanning-tree 4-152 spanning-t[...]
Page 14
Contents x switchport allowed vlan 4-177 switchport forbidden vlan 4-178 Displaying VLAN Information 4-179 show vlan 4-179 Configuring Private VLANs 4-180 pvlan 4-180 show pvlan 4-181 Configuring Protocol-based VLANs 4-181 protocol-vlan protocol-group (Configuring Groups) 4-182 protocol-vlan protocol-group (Configuring Interfaces) 4-182 show prot[...]
Page 15
Contents xi IGMP Query Commands (Layer 2) 4-206 ip igmp snooping querier 4-206 ip igmp snooping query-count 4-206 ip igmp snooping query-interval 4-207 ip igmp snooping query-max-response-time 4-208 ip igmp snooping router-port-expire-time 4-208 Static Multicast Routing Commands 4-209 ip igmp snooping vlan mrouter 4-209 show ip igmp snooping mrou[...]
Page 16
Contents xii[...]
Page 17
xiii Tables Table 1-1. Key Features 1-1 Table 1-2. System Defaults 1-5 Table 3-1. Web Page Configuration Buttons 3-3 Table 3-2. Switch Main Menu 3-4 Table 3-3. Logging Levels 3-19 Table 3-4. HTTPS System Support 3-35 Table 3-5. 802.1x Statistics 3-48 Table 3-6. LACP Port Counters 3-76 Table 3-7. LACP Internal Configuration Information 3-77 Table[...]
Page 18
xiv Tables Table 4-27. Authentication Sequence Commands 4-69 Table 4-28. RADIUS Client Commands 4-71 Table 4-29. TACACS+ Client Commands 4-74 Table 4-30. Port Security Commands 4-76 Table 4-31. 802.1x Port Authentication Commands 4-78 Table 4-32. Access Control List Commands 4-87 Table 4-33. IP ACL Commands 4-87 Table 4-34. Mapping CoS Val[...]
Page 19
xv Figures Figure 3-1. Home Page 3-2 Figure 3-2. Front Panel Indicators 3-3 Figure 3-3. System Information 3-9 Figure 3-4. Switch Information 3-11 Figure 3-5. Displaying Bridge Extension Configuration 3-12 Figure 3-6. IP Interface Configuration - Manual 3-14 Figure 3-7. IP Interface Configuration - DHCP 3-15 Figure 3-8. Downloading Firmware to[...]
Page 20
Figures xvi Figure 3-43. LACP - Aggregation Port 3-74 Figure 3-44. LACP - Port Counters Information 3-76 Figure 3-45. LACP - Port Internal Information 3-78 Figure 3-46. LACP - Port Neighbors Information 3-79 Figure 3-47. Port Broadcast Control 3-81 Figure 3-48. Mirror Port Configuration 3-82 Figure 3-49. Rate Limit Configuration 3-83 Figure 3-[...]
Page 21
Figures xvii Figure 3-88. DNS General Configuration 3-147 Figure 3-89. DNS Static Host Table 3-149 Figure 3-90. DNS Cache 3-150[...]
Page 22
Figures xviii[...]
Page 23
1-1 Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to m[...]
Page 24
Introduction 1-2 1 Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, a[...]
Page 25
Description of Software Features 1-3 1 Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity. Port Trunking – Ports can be combined into an aggregate connection. Trun[...]
Page 26
Introduction 1-4 1 Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being[...]
Page 27
System Defaults 1-5 1 System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-18). The following table lists some of the basic system defaults. Table 1-2. System Defaults Function P[...]
Page 28
Introduction 1-6 1 Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Port Capability 1000BASE-T – 10 Mbps half duplex 10 Mbps full duplex 100 Mbps half duplex 100 Mbps full duplex 1000 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled Module Port Capability 1000BASE-SX/LX/L[...]
Page 29
System Defaults 1-7 1 IP Settings IP Address 0.0.0.0 Subnet Mask 255.0.0.0 Default Gateway 0.0.0.0 DHCP Client: Enabled BOOTP Disabled DNS Server Lookup Disabled Multicast Filtering IGMP Snooping Snooping: Enabled Querier: Enabled System Log Status Enabled Messages Logged Levels 0-7 (all) Messages Logged to Flash Levels 0-3 SMTP Email Alerts Event[...]
Page 30
Introduction 1-8 1[...]
Page 31
2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line [...]
Page 32
Initial Configuration 2-2 2 • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the swi[...]
Page 33
Basic Configuration 2-3 2 Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure[...]
Page 34
Initial Configuration 2-4 2 Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthori[...]
Page 35
Basic Configuration 2-5 2 Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: 1. From the Privileged[...]
Page 36
Initial Configuration 2-6 2 5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. 6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Enabling SNMP Management Access Th[...]
Page 37
Basic Configuration 2-7 2 To configure a community string, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that t[...]
Page 38
Initial Configuration 2-8 2 2. Enter the name of the start-up file. Press <Enter>. Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a [...]
Page 39
3-1 Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape [...]
Page 40
Configuring the Switch 3-2 3 Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browse[...]
Page 41
Navigating the Web Browser Interface 3-3 3 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the “Apply” button to confirm the new setting. The following table summarizes the web page configuration buttons. Notes: 1. To ensure p[...]
Page 42
Configuring the Switch 3-4 3 Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2. Switch Main Menu Menu Description Page System 3-9 System Informat[...]
Page 43
Navigating the Web Browser Interface 3-5 3 802.1x Port authentication 3-43 Information Displays global configuration settings 3-44 Configuration Configures protocol parameters 3-46 Port Configuration Sets the authentication mode for individual ports 3-47 Statistics Displays protocol statistics for the selected port 3-48 ACL 3-52 Configuratio[...]
Page 44
Configuring the Switch 3-6 3 Address Table 3-88 Static Addresses Displays entries for interface, address or VLAN 3-88 Dynamic Addresses Displays or edits static entries in the Address Table 3-89 Address Aging Sets timeout for dynamically learned entries 3-91 Spanning Tree 3-91 STA 3-91 Information Displays STA values used for the bridge 3-92[...]
Page 45
Navigating the Web Browser Interface 3-7 3 Protocol VLAN 3-123 Configuration Creates a protocol group, specifying the supported protocols 3-123 Port Configuration Maps a protocol group to a VLAN 3-123 Priority 3-125 Default Port Priority Sets the default priority for each port 3-125 Default Trunk Priority Sets the default priority for each t[...]
Page 46
Configuring the Switch 3-8 3 DNS 3-146 General Configuration Enables DNS; configures domain name and domain list; and specifies IP address of name servers for dynamic lookup 3-146 Static Host Table Configures static entries for domain name to address mapping 3-148 Cache Displays cache entries discovered by designated name servers 3-150 Table 3[...]
Page 47
Basic Configuration 3-9 3 Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. • Location [...]
Page 48
Configuring the Switch 3-10 3 CLI – Specify the hostname, location and contact information. Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Num[...]
Page 49
Basic Configuration 3-11 3 • Redundant Power Status* – Displays the status of the redundant power supply. * CLI only. Management Software • Loader Version – Version number of loader code. • Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code. • Operation Code Version – Version number of runtime code. • Role [...]
Page 50
Configuring the Switch 3-12 3 Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services –[...]
Page 51
Basic Configuration 3-13 3 CLI – Enter the following command. Setting the Switch’s IP Address This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings ([...]
Page 52
Configuring the Switch 3-14 3 Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6. IP Interface Configuration - Manual CLI – Specify the manageme[...]
Page 53
Basic Configuration 3-15 3 Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your change[...]
Page 54
Configuring the Switch 3-16 3 CLI – Enter the following command to restart DHCP service. Managing Firmware You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware withou[...]
Page 55
Basic Configuration 3-17 3 If you download to a new destination file, then select the file from the drop-down box for the operation code used at startup, and click Apply Changes. To start the new firmware, reboot the system via the System/Reset menu. Figure 3-9. Setting the Startup Code CLI – Enter the IP address of the TFTP server, selec[...]
Page 56
Configuring the Switch 3-18 3 Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can b[...]
Page 57
Basic Configuration 3-19 3 If you download the startup configuration file under a new file name, you can set this file as the startup file at a later time, and then restart the switch. Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory,[...]
Page 58
Configuring the Switch 3-20 3 • RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) Note: The Flash Level must be equal to or less than the RAM Level. W[...]
Page 59
Basic Configuration 3-21 3 • Logging Trap – Limits log messages that are sent to the remote syslog server for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 7) • Host IP List – Displays the list of remote server I[...]
Page 60
Configuring the Switch 3-22 3 CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap. Displaying Log Messages Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power r[...]
Page 61
Basic Configuration 3-23 3 CLI – This example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is “debugging” (i.e., default level 7 - 0), and lists one sample error. Sending Simple Mail Transfer Protocol Alerts To alert system administrat[...]
Page 62
Configuring the Switch 3-24 3 Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove. S [...]
Page 63
Basic Configuration 3-25 3 CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail comm[...]
Page 64
Configuring the Switch 3-26 3 Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set[...]
Page 65
Basic Configuration 3-27 3 CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a ti[...]
Page 66
Configuring the Switch 3-28 3 CLI - This example shows how to set the time zone for the system clock. Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computer[...]
Page 67
Simple Network Management Protocol 3-29 3 Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-19. Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access. Specifying T[...]
Page 68
Configuring the Switch 3-30 3 Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive these messages, specify the SNMP version, mark the trap types required, and then click Add. Figure 3-20. Configuring SNMP Trap Managers CLI – This example adds a trap manager and enables bo[...]
Page 69
User Authentication 3-31 3 Command Attributes • User Name* – The name of the user. (Maximum length: 8 characters) • Access Level* – Specifies the user level. (Options: Normal and Privileged) • Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive) * CLI only. Web – Click Security, Passwords. To[...]
Page 70
Configuring the Switch 3-32 3 RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. Command Usage •[...]
Page 71
User Authentication 3-33 3 Note: The local switch user database has to be set up by manually entering user names and passwords using the CLI. (See “username” on page 4-26.) Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three me[...]
Page 72
Configuring the Switch 3-34 3 CLI – Specify all the required parameters to enable logon authentication. Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command[...]
Page 73
User Authentication 3-35 3 • The following web browsers and operating systems currently support HTTPS: • To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 3-35. Command Attributes • HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled[...]
Page 74
Configuring the Switch 3-36 3 Caution: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased. When you have obtained these, place them on your TFTP server, and use the following [...]
Page 75
User Authentication 3-37 3 To use the SSH server, complete these steps: 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. [...]
Page 76
Configuring the Switch 3-38 3 e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated. Notes: 1. To use SSH with only password authentication, the host public key must still be g[...]
Page 77
User Authentication 3-39 3 Web – Click Security, SSH Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-23. SSH Host-Key Settings CLI – This example generates a host-key pair using both[...]
Page 78
Configuring the Switch 3-40 3 Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports manag[...]
Page 78
Configuring the Switch 3-40 3 Configuring the SSH Server The SSH server incl udes basic se ttings for authenticati on. Field Attributes • SSH Server St atus – Allows you to enable/disable the SSH serve r on the switch. (Default: Disa bled) • Version – The Secure Shell vers ion number. Version 2.0 is displa yed, but the switch supports manag[...]
-
Page 79
User Authentication 3-41 3 CLI – This exampl e enables SSH, se ts the authentication p arameters, and displays the current configuration. It shows that the administrator has made a conne ction via SHH, and then disables th is connection. Configuring Port Security Port security is a feature th at allows you to configure a switch port wit h one or [...]
-
Page 80
Configuring the Switch 3-42 3 • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Confi guration page (page 3-67). Command Attributes • Port – Port number. • Name – Descriptive text (page 4-126). • Action – Indicates the action to be t aken when a port securit y violation [...]
-
Page 81
User Authentication 3-43 3 CLI – This example select s the target port , sets the port securit y action to send a trap and disable the port , specifies a maximum address coun t, and then enables port security for the port. Configuring 802.1x Port Authentication Network switches can provide open and easy access t o network resources by simply att [...]
-
Page 82
Configuring the Switch 3-44 3 The operation of 802.1x on th e switch requires the following: • The switch must have an IP addre ss assigned. • RADIUS authentic ation must be enabled on th e switch and the IP address of the RADIUS server specified. • Each switch port tha t will be used must be set to dot1x “Aut o” mode. • Each client tha[...]
-
Page 83
User Authentication 3-45 3 Web – Click Security , 802.1x, Information. Figure 3-26. 802 .1x In formation CLI – This example sh ows the default pr otocol settings for 802 .1x. For a description of the additiona l entries displayed in t he CLI, See “show dot1x” on p age 4-83. Console#show dot1x 4-83 Global 802.1X Parameters reauth-enabled: ye[...]
-
Page 84
Configuring the Switch 3-46 3 Configuring 802.1x Glob al Settings The dot1x protocol includes glo bal paramet ers that control the client authe ntication process that run s between the cl ient and the switch (i.e., authenticator), as well a s the client identit y lookup process that runs between the switch and authentic ation server . The configura[...]
-
Page 85
User Authentication 3-47
Web – Select Security, 802.1x, Configuration. Enable dot1x globally for the switch, modify any of the parameters required, and then click Apply.
Figure 3-27. 802.1X Configuration
CLI – This enables re-authentication and sets all of the global parameters for 802.1x.
Configuring Port Authorization Mode
When dot[...]
Configuring the Switch 3-48
• Authorized –
- Yes – Connected client is authorized.
- No – Connected client is not authorized.
- Blank – Displays nothing when dot1x is disabled on a port.
• Supplicant – Indicates the MAC address of a connected client.
• Trunk – Indicates if the port is configured as a trunk port.
Web – Cli[...]
User Authentication 3-49
Web – Select Security, 802.1x, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 3-29. 802.1x Port Statistics
Rx EAP Resp/Oth – The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
Rx EAP LenErr[...]
Configuring the Switch 3-50
CLI – This example displays the 802.1x statistics for port 4.
Filtering IP Addresses for Management Access
You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
• The management interfa[...]
User Authentication 3-51
Web – Click Security, IP Filter. Enter the addresses that are allowed management access to an interface, and click Add IP Filtering Entry.
Figure 3-30. IP Filter
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.3 4-28
Console(config)#end
Console#show mana[...]
Configuring the Switch 3-52
Access Control Lists
Access Control Lists (ACLs) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or for any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask[...]
Access Control Lists 3-53
Setting the ACL Name and Type
Use the ACL Configuration page to designate the name and type of an ACL.
Command Attributes
• Name – Name of the ACL. (Maximum length: 16 characters)
• Type – There are three filtering modes:
- Standard: IP ACL mode that filters packets based on the source IP address.
- Extended[...]
Configuring the Switch 3-54
The mask is bitwise ANDed with the specified source IP address, and the result is compared with the source address (masked the same way) of each IP packet entering the port(s) to which this ACL has been assigned. A mask of all ones therefore matches a single host, and a mask of all zeros matches any address.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select "Host," enter a specific add[...]
Access Control Lists 3-55
Configuring an Extended IP ACL
Command Attributes
• Action – An ACL can contain either all permit rules or all deny rules. (Default: Permit rules)
• Src/Dst IP – Specifies the source or destination IP address. Use "Any" to include all possible addresses, "Host" to specify a specific host address in [...]
Configuring the Switch 3-56
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select "Host," enter a specific address. If you select "IP," enter a subnet address and the mask for an address range. Set any other required criteria, s[...]
Access Control Lists 3-57
Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules)
• Source/Destination MAC – Use "Any" to include all possible addresses, "Host" to indicate a specific MAC address, or "MAC" to specify an address range with the Addres[...]
Configuring the Switch 3-58
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select "Host," enter a specific address (e.g., 11-22-33-44-55-66). If you select "MAC," enter a base address and a hexadecimal bitmask for an address ra[...]
Access Control Lists 3-59
Configuring ACL Masks
You can specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egr[...]
Configuring the Switch 3-60
Configuring an IP ACL Mask
This mask defines the fields to check in the IP header.
Command Usage
• Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets whose IP header length is exactly five 32-bit words (20 bytes, i.e., a header without IP options).
Command Attributes
• Src/Dst IP – Specifies the so[...]
Access Control Lists 3-61
Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitm[...]
Configuring the Switch 3-62
Configuring a MAC ACL Mask
This mask defines the fields to check in the packet header.
Command Usage
You must configure a mask for an ACL rule before you can bind it to a port.
Command Attributes
• Source/Destination MAC – Use "Any" to match any address, "Host" to specify the host address for a single n[...]
Access Control Lists 3-63
CLI – This example shows how to create an ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
Binding a Port to an Access Control List
After configuring the Access Control Lists (ACLs), you can bind the ports that need to filter traffic to the appropri[...]
Configuring the Switch 3-64
Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply.
Figure 3-38. ACL Port Binding
CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP[...]
Port Configuration 3-65
• Forced Mode (note 1) – Shows the forced/preferred port type to use for combination ports 21-24 or 45-48. (Copper-Forced, Copper-Preferred-Auto, SFP-Forced, SFP-Preferred-Auto)
• Trunk Member (note 1) – Shows if the port is a trunk member.
• Creation (note 2) – Shows if a trunk is manually configured or dynamically set via LACP.
1[...]
Configuring the Switch 3-66
• Broadcast storm – Shows if broadcast storm control is enabled or disabled.
• Broadcast storm limit – Shows the broadcast storm threshold. (500 - 262143 packets per second)
• Flow control – Shows if flow control is enabled or disabled.
• LACP – Shows if LACP is enabled or disabled.
• Port Security[...]
Port Configuration 3-67
Configuring Interface Connections
You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
Command Attributes
• Name – Allows you to label an interfac[...]
Configuring the Switch 3-68
• Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see "Creating Trunk Groups" on page 3-69.
Note: Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex Mode or Flow Control options.
Web – Click Port, Port Confi[...]
Port Configuration 3-69
Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to six trunks at a time[...]
Configuring the Switch 3-70
Statically Configuring a Trunk
Command Usage
• When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer's implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
• To avoid creating a loop in the ne[...]
Port Configuration 3-71
CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Enabling LACP on Selected Ports
Command Usage
• To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the port[...]
Configuring the Switch 3-72
Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Figure 3-42. LACP Trunk Configuration
CLI – The following example enables LACP for ports 1 to 6. Just connect these po[...]
Port Configuration 3-73
Configuring LACP Parameters
Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP System Priority.
• Ports must have the same LACP port Admin Key.
• However, if the "port channel" Admin Key is set (page 4-142), then[...]
Configuring the Switch 3-74
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next[...]
Port Configuration 3-75
CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode.
Console(config)#interface ethernet 1/1 4-125
Console(config-if)#lacp actor system-priority 3 4-142
Console(config-if)#lacp actor admin-key 120 4-143
Console(con[...]
Configuring the Switch 3-76
Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information.
Figure 3-44. LACP - Port Counters Information
CLI – The following example displays LACP counters for port ch[...]
Port Configuration 3-77
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the local side of a link aggregation.
Table 3-7. LACP Internal Configuration Information
Field – Description
Oper Key – Current operational value of the key for the aggregation port.
Admin Key – Curre[...]
Configuring the Switch 3-78
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.
Figure 3-45. LACP - Port Internal Information
CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Console#show lacp 1[...]
Port Configuration 3-79
Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side of a link aggregation.
Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.
Figure 3-46. LACP - Port Nei[...]
Configuring the Switch 3-80
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Setting Broadcast Storm Thresholds
Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configure[...]
Port Configuration 3-81
Web – Click Port, Port/Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold and click Apply.
Figure 3-47. Port Broadcast Control
CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppressi[...]
Configuring the Switch 3-82
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Command Usage
• Monitor port speed should m[...]
Port Configuration 3-83
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic coming out of the switch. Traffic that falls within the rate limit is transmitted, wh[...]
Configuring the Switch 3-84
Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This informat[...]
Port Configuration 3-85
Transmit Discarded Packets – The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Transmit Errors – The number of outbound packets that could not be tra[...]
Configuring the Switch 3-86
Received Frames – The total number of frames (bad, broadcast and multicast) received.
Broadcast Frames – The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.
Multicast Frames – The total number of good frames received that were direc[...]
Port Configuration 3-87
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
Figure 3-50. Port Statistics[...]
Configuring the Switch 3-88
CLI – This example shows statistics for port 13.
Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You ca[...]
Address Table Settings 3-89
Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Then set this as a permanent address or to be deleted on reset.
Figure 3-51. Static Addresses
CLI – This example adds an address to the static address table, but sets it to be delet[...]
Configuring the Switch 3-90
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.
Figure 3-52. Dynamic Addresses
CLI – This example also displays the address table entries for port 1.[...]
Spanning Tree Algorithm Configuration 3-91
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables or disables the aging time.
• Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds)
Web – Cli[...]
Configuring the Switch 3-92
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down. This bridge will [...]
Spanning Tree Algorithm Configuration 3-93
• Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
• Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must re[...]
Configuring the Switch 3-94
information that would make it return to a discarding state; otherwise, temporary data loops might result.
• Root Hold Time – The interval (in seconds) during which no more than two bridge configuration protocol data units shall be transmitted by this node.
• Max hops – The max number of hop counts for [...]
Spanning Tree Algorithm Configuration 3-95
CLI – This command displays global STA settings, followed by settings for each port.
Note: The current root port and current root cost display as zero when this device is not connected to the network.
Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spannin[...]
Configuring the Switch 3-96
• Multiple Spanning Tree Protocol
- To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
- A spanning tree instance can exist only on bridges that [...]
Spanning Tree Algorithm Configuration 3-97
• Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs [...]
Configuring the Switch 3-98
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
Figure 3-55. STA Configuration[...]
Spanning Tree Algorithm Configuration 3-99
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
Displaying Interface Settings
The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree.
Field Attribu[...]
Configuring the Switch 3-100
• Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-102.
• Oper Edge Port – This parameter is initialized to[...]
Spanning Tree Algorithm Configuration 3-101
• Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority [...]
Configuring the Switch 3-102
CLI – This example shows the STA attributes for port 5.
Configuring Interface Settings
You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media type to indicate[...]
Spanning Tree Algorithm Configuration 3-103
Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
• Default: 128
• Range: 0-240, in steps of 16
• Path Cost – This parameter is used by the STP to determine the best path between devices. T[...]
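The following is an added example, not code from the manual: Python for the comparisons behind the spanning tree decisions described in the preceding pages. The root bridge is the one with the lowest bridge priority, the bridge MAC breaking ties; a bridge's root port is the port with the lowest total path cost to the root, with ties broken first by port priority (0-240 in steps of 16, lower value meaning higher priority) and then by the lowest port number, which is the ordering the pages above give. Full IEEE 802.1D tie-breaking also compares the sending bridge and port IDs carried in the BPDU; this model deliberately leaves that out. The function and class names, the three-bridge topology and the path costs are constructed.

```python
"""Added example (not from the manual): root bridge election and root port
selection using priority, MAC, path cost, port priority and port number.
Names, topology and costs are constructed."""

from dataclasses import dataclass


def bridge_id(priority: int, mac: str) -> tuple:
    """Sort key for a bridge ID: priority first, then the MAC as an integer."""
    return (priority, int(mac.replace(":", "").replace("-", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges maps name -> (priority, mac); the lowest bridge ID is the root."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))


def check_port_priority(value: int) -> int:
    """Enforce the 0-240, step 16 range the port priority attribute allows."""
    if not 0 <= value <= 240 or value % 16:
        raise ValueError("port priority must be 0-240 in steps of 16")
    return value


@dataclass
class RootCandidate:
    port: int             # local port number
    rx_root_cost: int     # root path cost advertised in the BPDU received here
    port_cost: int        # path cost configured on this port
    port_priority: int = 128

    def total_cost(self) -> int:
        return self.rx_root_cost + self.port_cost


def choose_root_port(candidates: list) -> int:
    """Return the port number that becomes this bridge's root port:
    lowest total cost, then lowest port priority value, then lowest port number."""
    for c in candidates:
        check_port_priority(c.port_priority)
    best = min(candidates, key=lambda c: (c.total_cost(), c.port_priority, c.port))
    return best.port


def example() -> tuple:
    """Constructed topology: a core bridge given priority 4096 so that it wins
    the election regardless of MAC, and an access bridge that hears the root
    over three ports, two of which tie on cost."""
    bridges = {
        "core-1": (4096, "00:11:22:00:00:10"),
        "access-1": (32768, "00:11:22:00:00:01"),
        "access-2": (32768, "00:11:22:00:00:02"),
    }
    candidates = [
        RootCandidate(port=1, rx_root_cost=0, port_cost=19),
        RootCandidate(port=2, rx_root_cost=0, port_cost=4),
        RootCandidate(port=3, rx_root_cost=0, port_cost=4),
    ]
    return elect_root(bridges), choose_root_port(candidates)
```

`example()` returns `("core-1", 2)`: port 2 wins over port 3 only on the port-number tie-break. Lowering port 3's priority value to 112 flips the choice to port 3 without touching the path costs, which is the lever the Priority attribute gives you. The election also shows why a deliberately low bridge priority on the intended root matters: with every bridge left at the default, whichever box has the lowest MAC becomes root, and that includes an attacker's device sending BPDUs on an access port.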
Configuring the Switch 3-104
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply.
Figure 3-57. STA Port Configuration
CLI – This example sets STA attributes for port 7.
Configuring Multiple Spanning Trees
MSTP generates a unique spanning tree for each instance. Th[...]
Spanning Tree Algorithm Configuration 3-105
To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.
Command Attributes
• MST Instance – Instance identifier of this spanning tree. (Default: 0)
• Priority – The priority of a spanning tree instance. [...]
Configuring the Switch 3-106
CLI – This displays STA settings for instance 1, followed by settings for each port.
CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
Console#show spanning-tree mst 1 4-170
Spanning-tree information
---------------------------------------------------------------
Spanning tree[...]
Spanning Tree Algorithm Configuration 3-107
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
Field Attributes
• MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0)
The other attribute[...]
Configuring the Switch 3-108
Configuring Interface Settings for MSTP
You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.
Field Attributes
The following attributes are read-only and cannot be changed:
• STA State – Displays the current state of this port wit[...]
Spanning Tree Algorithm Configuration 3-109
• MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that [...]
Configuring the Switch 3-110
VLAN Configuration
IEEE 802.1Q VLANs
In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic t[...]
VLAN Configuration 3-111
Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging.
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two way[...]
Configuring the Switch 3-112
these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
Note: If you ha[...]
VLAN Configuration 3-113
Enabling or Disabling GVRP (Global Setting)
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the networ[...]
Configuring the Switch 3-114
CLI – Enter the following command.
Displaying Current VLANs
The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a smal[...]
VLAN Configuration 3-115
Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4094, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
- Dynamic: Automatically learned via GVRP.
- Static: Added as a static entry.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Shows if this VLAN is ena[...]
Configuring the Switch 3-116
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
Figure 3-64. VLAN Static List - Creating VLANs
CLI – This example creates a new VLAN.
Adding Static Members to VLANs (VLAN Index)
Use the VLAN [...]
VLAN Configuration 3-117
Command Attributes
• VLAN – ID of configured VLAN (1-4094, no leading zeroes).
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
- Enable: VLAN is operational.
- Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Tr[...]
Configuring the Switch 3-118
CLI – The following example adds tagged and untagged ports to VLAN 2.
Adding Static Members to VLANs (Port Index)
Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.
Command Attributes
• Interface – Port or trunk identifier.
• Member – VLANs [...]
VLAN Configuration 3-119
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange V[...]
Configuring the Switch 3-120
or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer * – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval [...]
VLAN Configuration 3-121
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
Configuring Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic[...]
Configuring the Switch 3-122
Configuring Uplink and Downlink Ports
Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and wi[...]
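The following is an added example, not code from the manual: a Python model of the per-interface VLAN behaviour described under "Configuring VLAN Behavior for Interfaces" (PVID for untagged frames, acceptable frame types, ingress filtering), the tag stripping on egress that the note about VLAN-unaware hosts calls for, and the uplink/downlink isolation rule of the private VLAN page just above. Port settings and frames are constructed; a frame is a dict whose `"vid"` key is `None` when untagged. One assumption: the downlink rule is modelled symmetrically, so a frame from an uplink port to a downlink port is allowed and downlink-to-downlink is blocked in both directions.

```python
"""Added example (not from the manual): 802.1Q ingress classification, egress
tagging and private VLAN uplink/downlink isolation. Port and frame
representations are assumptions."""

from dataclasses import dataclass, field
from typing import Optional

VID_RANGE = range(1, 4095)


@dataclass
class VlanPort:
    name: str
    pvid: int = 1
    acceptable: str = "all"                # "all" or "tagged"
    ingress_filtering: bool = False
    membership: dict = field(default_factory=dict)   # vid -> "tagged"|"untagged"
    pvlan_role: Optional[str] = None       # None, "uplink" or "downlink"

    def __post_init__(self):
        if self.pvid not in VID_RANGE:
            raise ValueError("PVID must be 1-4094")
        if any(v not in VID_RANGE for v in self.membership):
            raise ValueError("VLAN ID must be 1-4094")
        if self.acceptable not in ("all", "tagged"):
            raise ValueError("acceptable frame types: all or tagged")


def classify_ingress(port: VlanPort, frame: dict) -> Optional[int]:
    """Return the VLAN the frame is classified into, or None if it is dropped."""
    vid = frame.get("vid")
    if vid is None:                        # untagged: belongs to the port PVID
        return None if port.acceptable == "tagged" else port.pvid
    if port.ingress_filtering and vid not in port.membership:
        return None                        # tagged for a VLAN this port is not in
    return vid                             # filtering off: tag is honoured as-is


def egress(port: VlanPort, vid: int, frame: dict) -> Optional[dict]:
    """Return the frame as it leaves port, or None if port is not a member."""
    mode = port.membership.get(vid)
    if mode is None:
        return None
    out = dict(frame)
    out["vid"] = vid if mode == "tagged" else None   # untagged members get the tag stripped
    return out


def pvlan_allows(src: VlanPort, dst: VlanPort) -> bool:
    """Downlink ports may reach only uplink ports; everything else is unrestricted."""
    if src.pvlan_role == "downlink":
        return dst.pvlan_role == "uplink"
    if dst.pvlan_role == "downlink":
        return src.pvlan_role == "uplink"
    return True
```

Two behaviours worth checking against your own configuration: with `ingress_filtering=False` a port accepts a tagged frame for any VLAN, member or not, so a host on that port can inject into VLANs it was never assigned to; and with `acceptable="tagged"` every untagged frame is silently dropped, which is usually what you want on a trunk and never what you want on an access port.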
VLAN Configuration 3-123
Configuring Protocol Groups
Create a protocol group for one or more protocols.
Command Attributes
• Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647)
• Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other)
• Protocol Type – The only option for[...]
Configuring the Switch 3-124
- If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
- If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
Command Attributes
• Interface – Port or trunk identifier.
• Protocol Gro[...]
Class of Service Configuration 3-125
Class of Service Configuration
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port's high-priority queue will be[...]
Configuring the Switch 3-126
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 3-72. Default Port Priority
CLI – This example assigns a default priority of 5 to port 3.
Console(config)#interface ethernet 1/3 4-125
Console(config-if)#switchport[...]
Class of Service Configuration 3-127
Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default p[...]
Configuring the Switch 3-128
Web – Click Priority, Traffic Classes. Mark an interface and click Select to display the current mapping of CoS values to output queues. Assign priorities to the traffic classes (i.e., output queues) for the selected interface, then click Apply.
Figure 3-73. Traffic Classes
CLI – The following example[...]
Class of Service Configuration 3-129
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight for each queue. WRR uses[...]
Configuring the Switch 3-130
Web – Click Priority, Queue Scheduling. Select the interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply.
Figure 3-75. Queue Scheduling
CLI – The following example shows how to assign WRR weights to each of the priority queues.
Console(config)#interface ethernet 1/1
Con[...]
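The following is an added example, not code from the manual: a Python simulation of the two queue modes described under "Selecting the Queue Mode", run over the eight per-port egress queues this chapter describes. Strict mode always serves the highest non-empty queue; weighted round robin lets each queue send up to its weight of frames per round, so a low queue still gets a share while a high queue is busy. The function names, the queue backlogs and the weights are constructed and do not reproduce the switch defaults or its valid weight range, which the excerpt does not state.

```python
"""Added example (not from the manual): strict-priority versus weighted
round-robin service over eight egress queues. Backlogs and weights are
constructed inputs."""

NUM_QUEUES = 8


def strict_schedule(backlog: list, slots: int) -> list:
    """backlog[q] = frames waiting in queue q (queue 7 is the highest priority).
    Returns the queue served in each transmit slot; stops when all are empty."""
    left, served = list(backlog), []
    for _ in range(slots):
        q = next((q for q in range(NUM_QUEUES - 1, -1, -1) if left[q] > 0), None)
        if q is None:
            break
        left[q] -= 1
        served.append(q)
    return served


def wrr_schedule(backlog: list, weights: list, slots: int) -> list:
    """Each round visits queues 7 down to 0 and lets queue q send up to
    weights[q] frames. A weight of 0 would starve a queue, so it is rejected."""
    if len(weights) != NUM_QUEUES or any(w < 1 for w in weights):
        raise ValueError("each of the 8 queues needs a weight of at least 1")
    left, served = list(backlog), []
    while len(served) < slots and any(left):
        for q in range(NUM_QUEUES - 1, -1, -1):
            for _ in range(weights[q]):
                if left[q] == 0 or len(served) >= slots:
                    break
                left[q] -= 1
                served.append(q)
    return served


def share(served: list) -> dict:
    """Fraction of the transmit slots each queue received."""
    return {q: served.count(q) / len(served) for q in set(served)}


def compare(slots: int = 9) -> tuple:
    """Constructed congestion: queues 0 and 7 both have a deep backlog."""
    backlog = [50, 0, 0, 0, 0, 0, 0, 50]
    weights = [1, 2, 3, 4, 5, 6, 7, 8]
    return strict_schedule(backlog, slots), wrr_schedule(backlog, weights, slots)
```

`compare()` makes the difference concrete: strict mode serves queue 7 for all nine slots and queue 0 never transmits, which is the starvation a flood of high-priority traffic, tagged by a host you do not control, can cause. Under WRR with weights 8 and 1, queue 0 gets one slot in nine, so the best-effort class keeps moving.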
Class of Service Configuration 3-131
Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) o[...]
Configuring the Switch 3-132
Mapping IP Precedence
The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of [...]
Class of Service Configuration 3-133
CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
* Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes will a[...]
Configuring the Switch 3-134
Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.
Figure 3-78. IP DSCP Priority
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), a[...]
Class of Service Configuration 3-135
Mapping IP Port Priority
You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
Command Attributes
• IP Port Priority[...]
Configuring the Switch 3-136
CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays the IP Port Priority settings for that port.
* Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes will ap[...]
Class of Service Configuration 3-137
Web – Click Priority, ACL CoS Priority. Enable mapping for any port, select an ACL from the scroll-down list, then click Apply.
Figure 3-81. ACL CoS Priority
CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 24.
Changing Priorities Based on[...]
Configuring the Switch 3-138 3 Command Attributes • Port – Port identifier. •N a m e * – Name of ACL. • Type – Type of ACL (IP or MAC). • Precedence – IP Precedence value. (Range: 0-7 ) • DSCP – Differentiated Services Code Point value. (Range: 0-63 ) • 802.1p Priority – Class of Service value in the IEEE 802. 1p priority ta[...]
-
Page 177
Multicast Filtering 3-139 3 Multicast Filtering Multicasting i s used to support real-time applications such as videoconf erencing or streaming audio. A multicast server doe s not have to est ablish a sep arate connection with each client. It merel y broadcasts it s service to the network, and any host s that want to receive the multicast register [...]
-
Page 178
Configuring the Switch 3-140 Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all por[...]
Multicast Filtering 3-141 Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-83. IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status. Console(config)#ip igmp s[...]
Configuring the Switch 3-142 Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the sw[...]
Multicast Filtering 3-143 Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manuall[...]
Configuring the Switch 3-144 Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attribute • VLAN ID – Selects the VLAN for which to display port members. • Multicast IP Address – The IP address for a specific multicast service. • Multicast G[...]
Multicast Filtering 3-145 Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-140. For certain applications that require tighter control, you may need to statically configure a mult[...]
Configuring the Switch 3-146 Configuring Domain Name Service The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve h[...]
Configuring Domain Name Service 3-147 Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 3-88. DNS General Configuration CLI - This example sets a default domain name an[...]
Configuring the Switch 3-148 Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere [...]
Configuring Domain Name Service 3-149 Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-89. DNS Static Host Table CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses. Console(config)#ip host rd5 192.168.[...]
Configuring the Switch 3-150 Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. • Type – This field includ[...]
Configuring Domain Name Service 3-151 CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache 4-123 NO FLAG TYPE IP TTL DOMAIN 0 4 CNAME 207.46.134.222 51 www.microsoft.akadns.net 1 4 CNAME 207.46.134.190 51 www.microsoft.akadns.net 2 4 CNAME 207.46.134.155 51 www.microsoft.akadns.n[...]
Configuring the Switch 3-152[...]
4-1 Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command k[...]
Command Line Interface 4-2 To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example, if your corporate network is connected to another network outside your office or to the Internet, you need to appl[...]
Entering Commands 4-3 Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and statu[...]
Command Line Interface 4-4 Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specifi[...]
Entering Commands 4-5 Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Negating the Effect of Commands For many [...]
Command Line Interface 4-6 Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are[...]
Entering Commands 4-7 Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config comman[...]
Command Line Interface 4-8 To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode Table 4-2. Configuration Com[...]
Entering Commands 4-9 Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by[...]
Command Line Interface 4-10 Command Groups The system commands can be broken down into the functional groups shown below. Table 4-4. Command Group Index Command Group Description Page Line Sets communication parameters for the serial port and Telnet, including baud rate and console time-out 4-11 General Basic commands for entering privileg[...]
Line Commands 4-11 The access mode shown in the following tables is indicated by these abbreviations: NE (Normal Exec) IC (Interface Configuration) PE (Privileged Exec) LC (Line Configuration) GC (Global Configuration) VC (VLAN Database Configuration) ACL (Access Control List Configuration) MST (Multiple Spanning Tree) Line Commands You[...]
Command Line Interface 4-12 line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line { console | vty } • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line. Command Mode G[...]
Line Commands 4-13 Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. - login local selects authent[...]
Command Line Interface 4-14 number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file duri[...]
Line Commands 4-15 password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [ threshold ] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold) Default Setting [...]
Command Line Interface 4-16 Example To set the silent time to 60 seconds, enter this command: Related Commands password-thresh (4-15) databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits { 7 | 8 } no databi[...]
Line Commands 4-17 parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity { none | even | odd } no parity • none - No parity • even - Even parity • odd - Odd parity Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provi[...]
Command Line Interface 4-18 Command Usage Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically [...]
Line Commands 4-19 Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Related Commands show ssh (4-41) show users (4-61) show line This command displays the terminal line’s parameters. [...]
Command Line Interface 4-20 General Commands enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-6. Syntax enable [ level ] level - Privilege level to log into the device. The device h[...]
General Commands 4-21 Example Related Commands disable (4-21) enable password (4-27) disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mo[...]
Command Line Interface 4-22 Related Commands end (4-23) show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands. Example In this example, the show histor[...]
General Commands 4-23 Command Mode Privileged Exec Command Usage This command resets the entire system. Example This example shows how to reset the switch: end This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and [...]
Command Line Interface 4-24 quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program. Example This example shows how to quit a CLI session: System Management Commands These commands are used to control syst[...]
System Management Commands 4-25 Device Designation Commands prompt This command customizes the CLI prompt. Use the no form to restore the default prompt. Syntax prompt string no prompt string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters) Default Setting Console Command Mode Global Configuration Example h[...]
Command Line Interface 4-26 Example User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-11), user authentication via a remote authentication server (page 4-68), and host access authe[...]
System Management Commands 4-27 Command Mode Global Configuration Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for y[...]
Command Line Interface 4-28 Example Related Commands enable (4-20) IP Filter Commands management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. Syntax [ no ] management { all-client | http-client | snmp-client | teln[...]
System Management Commands 4-29 • When entering addresses for the same group (i.e., SNMP, Web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges. • You cannot delete an individual address from a specified range. You must delet[...]
Command Line Interface 4-30 Web Server Commands ip http port This command specifies the TCP port number used by the Web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface. (Range: 1-65535) Default Setting 80 Command Mode Globa[...]
System Management Commands 4-31 Example Related Commands ip http port (4-30) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s Web interface. Use the no form to disable this function. Syntax [...]
Command Line Interface 4-32 Example Related Commands ip http secure-port (4-32) copy tftp https-certificate (4-63) ip http secure-port This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s Web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure[...]
System Management Commands 4-33 Telnet Server Commands ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no ip telnet port port-number - The TCP port to be used by the browser interface. (Range: 1-65535) Default Setting 23 Command M[...]
Command Line Interface 4-34 Related Commands ip telnet port (4-33) Secure Shell Commands The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (r[...]
System Management Commands 4-35 The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command o[...]
Command Line Interface 4-36 corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process: a. The client sends its public key to the switch. b. The switch compares the client's public key to those stored in memory. c. If a match is found, the switch uses the public [...]
System Management Commands 4-37 ip ssh timeout Use this command to configure the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds Command Mode Global Configura[...]
Command Line Interface 4-38 Example Related Commands show ip ssh (4-40) ip ssh server-key size Use this command to set the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size – The size of server key. (Range: 512-896 bits) Default Setting 768 bits C[...]
System Management Commands 4-39 Example ip ssh crypto host-key generate Use this command to generate the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [ dsa | rsa ] • dsa – DSA (Version 2) key type. • rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs. Command Mode[...]
Command Line Interface 4-40 Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command. Example Related Commands ip ssh crypto host-key gener[...]
System Management Commands 4-41 Example show ssh Use this command to display the current SSH server connections. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# Console#show ssh Connection Version State Username Encrypti[...]
Command Line Interface 4-42 show public-key Use this command to show the public key for the specified user or for the host. Syntax show public-key [ user [ username ] | host ] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage • If no parameters are ente[...]
System Management Commands 4-43 Event Logging Commands logging on This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process. Syntax [ no ] logging on Default Setting None Command Mode Global Configuration Command Usage The logging process controls error message[...]
Command Line Interface 4-44 logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history { flash | ram } level no logging history { flash | ram } • flash - Event history stored in flash memory (i.e., permane[...]
System Management Commands 4-45 logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [ no ] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode Global Configuration Command Usage [...]
Command Line Interface 4-46 logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging. Syntax logging trap [ level ] no loggin[...]
System Management Commands 4-47 Related Commands show logging (4-47) show logging This command displays the logging configuration, along with any system and event messages stored in memory. Syntax show logging { flash | ram | sendmail | trap } • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history[...]
Command Line Interface 4-48 The following example displays settings for the trap function. Related Commands show logging sendmail (4-51) SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Console#show logging trap Syslog logging: Enable REM[...]
System Management Commands 4-49 logging sendmail host This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server. Syntax [ no ] logging sendmail host ip_address ip_address - IP address of an SMTP server that will be sent alert messages for event handling. Default Setting None Command Mod[...]
Command Line Interface 4-50 Command Usage The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.) Example This example will send email alerts for system errors from level 3 through 0. lo[...]
System Management Commands 4-51 Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [ no ] logging sendmail Default Setting Disabled [...]
Command Line Interface 4-52 Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP), or by using information broadcast by local time servers. sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers comma[...]
System Management Commands 4-53 Example Related Commands sntp server (4-53) sntp poll (4-54) show sntp (4-54) sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp server [ ip1 [ ip2 [ ip3 ]]] ip [...]
Command Line Interface 4-54 sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode Global Conf[...]
System Management Commands 4-55 clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes { before-utc | after-utc } • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 0-12 hours) • minut[...]
Command Line Interface 4-56 Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, February 1st, 2004. show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#calendar set 15 12 34 1 February 2004 Conso[...]
System Management Commands 4-57 System Status Commands show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show running-config command to compare the in[...]
Command Line Interface 4-58 Example Related Commands show running-config (4-58) show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in runni[...]
System Management Commands 4-59 - VLAN configuration settings for each interface - Multiple spanning tree instances (name and interfaces) - IP address configured for VLANs - Spanning tree settings - Any configured settings for the console port and Telnet Example Console#show running-config building running-config, please wait... .. ! phymap 0[...]
Command Line Interface 4-60 Related Commands show startup-config (4-57) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-9. • The POST results sho[...]
System Management Commands 4-61 show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) ind[...]
Command Line Interface 4-62 Example Frame Size Commands jumbo frame This command enables support for jumbo frames. Use the no form to disable it. Syntax [ no ] jumbo frame Default Setting Disabled Command Mode Global Configuration Command Usage • This switch provides more efficient throughput for large sequential data transfers by support[...]
Flash/File Commands 4-63 Example Flash/File Commands These commands are used to manage the system code or configuration files. copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP serve[...]
Command Line Interface 4-64 Command Mode Privileged Exec Command Usage • The system prompts for data required to complete the copy command. • The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 chara[...]
Flash/File Commands 4-65 The following example shows how to download a configuration file: This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication v[...]
Command Line Interface 4-66 Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Related Commands dir (4-66) delete public-key (4-38) dir This co[...]
Flash/File Commands 4-67 Example The following example shows how to display all file information: whichboot This command displays which files were booted when the system powered up. Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir [...]
Command Line Interface 4-68 Default Setting None Command Mode Global Configuration Command Usage • A colon (:) is required after the specified file type. • If the file contains an error, it cannot be set as the default file. Example Related Commands dir (4-66) whichboot (4-67) Authentication Commands You can configure this switch to au[...]
Authentication Commands 4-69 Authentication Sequence authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[ local ] [ radius ] [ tacacs ]} no authentication login • local - Use local password. • radius - Use RADIUS server password. [...]
Command Line Interface 4-70 authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-20). Use the no form to restore the default. Syntax authentication enable {[ local ] [ radius ] [ tacacs ]} no auth[...]
Authentication Commands 4-71 RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privile[...]
Command Line Interfa ce 4-72 4 Default Setting 1812 Command Mode Global Configurat ion Example radius-server key This command sets th e RADIUS encryption key . Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate log on access for client. Do not use blank s[...]
-
Page 263
Authentication Commands 4-73 4 Example radius-server timeout This command sets th e interval between tran smitting authent ication requests to the RADIUS server . Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the s witch waits for a reply before [...]
-
Page 264
Command Line Interface 4-74. TACACS+ Client: Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associ[...]
Page 265
Authentication Commands 4-75. Command Mode: Global Configuration. Example. tacacs-server key: This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax: tacacs-server key key_string / no tacacs-server key. key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the[...]
Page 266
Command Line Interface 4-76. Port Security Commands: These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static [...]
Page 267
Authentication Commands 4-77. Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. • First use the port security[...]
Page 268
Command Line Interface 4-78. 802.1x Port Authentication: The switch supports IEEE 802.1x (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication P[...]
Page 269
Authentication Commands 4-79. dot1x default: This command sets all configurable dot1x global and port settings to their default values. Syntax: dot1x default. Command Mode: Global Configuration. Example. dot1x max-req: This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before i[...]
Page 270
Command Line Interface 4-80. dot1x port-control: This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax: dot1x port-control {auto | force-authorized | force-unauthorized} / no dot1x port-control • auto - Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that[...]
Page 271
Authentication Commands 4-81. Command Usage • The "max-count" parameter specified by this command is only effective if the dot1x mode is set to "auto" by the dot1x port-control command (page 4-80). • In "multi-host" mode, only one host connected to a port needs to pass authentication for all other hosts to be granted networ[...]
Page 272
Command Line Interface 4-82. dot1x timeout quiet-period: This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax: dot1x timeout quiet-period seconds / no dot1x timeout quiet-period. seconds - The number of seconds. [...]
Page 273
Authentication Commands 4-83. dot1x timeout tx-period: This command sets the time that the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax: dot1x timeout tx-period seconds / no dot1x timeout tx-period. seconds - The number of seconds. (Range: 1-65535) Defa[...]
Page 274
Command Line Interface 4-84. (page 4-79). It also displays the following global parameters which are set to a fixed value, including the following items: - supp-timeout – Supplicant timeout. - server-timeout – Server timeout. - reauth-max – Maximum number of reauthentication attempts. • 802.1X Port Summary – Displays the port acc[...]
Page 275
Authentication Commands 4-85. Example:
Console#show dot1x
Global 802.1X Parameters
reauth-enabled: yes
reauth-period: 3600
quiet-period: 60
tx-period: 30
supp-timeout: 30
server-timeout: 30
reauth-max: 2
max-req: 2
802.1X Port Summary
Port Name Status Operation Mode Mode Authorized
1/1 disabled Single-Host ForceAuthorized n/a
1/2 disabled Single-[...]
Page 276
Command Line Interface 4-86. Access Control List Commands: Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mas[...]
Page 277
Access Control List Commands 4-87. 3. User-defined rules in the Ingress MAC ACL for ingress ports. 4. User-defined rules in the Ingress IP ACL for ingress ports. 5. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports. 6. Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports. 7. If no exp[...]
Page 278
Command Line Interface 4-88. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax: [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address. •[...]
Page 279
Access Control List Commands 4-89. permit, deny (Standard ACL): This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax: [no] {permit | deny} {any | source bitmask | host source} • any – Any source IP address. • source[...]
Page 280
Command Line Interface 4-90. permit, deny (Extended ACL): This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule. Syntax: [no] {permit | deny [...]
Page 281
Access Control List Commands 4-91. Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore." The bitmask is bitwise ANDed [...]
Page 282
Command Line Interface 4-92. Related Commands: access-list ip (4-88). show ip access-list: This command displays the rules for configured IP ACLs. Syntax: show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. • acl_name – Name of the ACL. (Maximum [...]
Page 283
Access Control List Commands 4-93. Command Usage • A mask can only be used by all ingress ACLs or all egress ACLs. • The precedence of the ACL rules applied to a packet is not determined by order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied to a pac[...]
Page 284
Command Line Interface 4-94. Command Mode: IP Mask. Command Usage • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered. • First create the required ACLs and ingress or egre[...]
Page 285
Access Control List Commands 4-95. This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others. This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23. Console(config)#access-li[...]
Page 286
Command Line Interface 4-96. This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in wh[...]
Page 287
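The three behaviours that pages 4-91 through 4-96 describe (address bitmasks where 1 bits compare and 0 bits are ignored, TCP control-code matching, and mask precedence deciding which rule fires regardless of entry order) are easier to reason about in a small model than in the switch. The following is an added illustration for this page, not code from the Accton manual, and it replays the manual's own three examples: the standard ACL that denies host 171.69.198.102, the egress ACL that drops traffic leaving 171.69.198.0/24 with Layer 4 source port 23 (TCP assumed), and the deny-SYN ACL. Treating a mask as the set of header fields a rule tests is a simplification of the switch's mask table, assumed here only to show the ordering effect.

```python
"""
Model of the IP ACL matching rules the manual describes. Added example, not
Accton code; the rule/mask coverage model is a simplification (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# TCP control-code bits, the encoding behind "deny TCP packets with the SYN bit ON"
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = 6          # IP protocol number; 6 = TCP
    sport: int = 0
    dport: int = 0
    flags: int = 0          # TCP control code


def _ip_match(addr: str, pattern: str, bitmask: str) -> bool:
    """Manual 4-91: bitmask is ANDed with both addresses; 1 bits compare, 0 bits ignore."""
    a, p, m = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, bitmask))
    return (a & m) == (p & m)


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"      # all-zero mask is "any"; "host X" is X with 255.255.255.255
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    control: Optional[int] = None  # control-flag
    control_mask: int = 0          # flag-bitmask

    def fields(self) -> FrozenSet[str]:
        """Header fields this rule tests; a mask must name the same set to cover it (assumption)."""
        tests = {
            "src": self.src_mask != "0.0.0.0",
            "dst": self.dst_mask != "0.0.0.0",
            "proto": self.proto is not None,
            "sport": self.sport is not None,
            "dport": self.dport is not None,
            "control": self.control is not None,
        }
        return frozenset(name for name, on in tests.items() if on)

    def matches(self, pkt: Packet) -> bool:
        if not _ip_match(pkt.src, self.src, self.src_mask):
            return False
        if not _ip_match(pkt.dst, self.dst, self.dst_mask):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.control is not None:
            # only the flag bits selected by the bitmask are compared
            if pkt.proto != 6 or (pkt.flags & self.control_mask) != (self.control & self.control_mask):
                return False
        return True


Mask = FrozenSet[str]


def ordered_rules(rules: List[Rule], masks: List[Mask]) -> List[Rule]:
    """Order in which the port really checks rules: mask order first, entry order within
    a mask. A rule that no mask covers is never consulted (manual 4-93/4-94)."""
    return [r for m in masks for r in rules if r.fields() == m]


def evaluate(rules: List[Rule], masks: List[Mask], pkt: Packet) -> str:
    for rule in ordered_rules(rules, masks):
        if rule.matches(pkt):
            return rule.action
    return "permit"  # the explicit default rule "permit any any" (manual 4-87)


# Manual 4-95: deny host 171.69.198.102, permit everyone else
STD_ACL = [Rule("deny", src="171.69.198.102", src_mask="255.255.255.255"), Rule("permit")]
STD_MASKS = [frozenset({"src"}), frozenset()]

# Manual 4-95: drop egress traffic from 171.69.198.0/24 with L4 source port 23 (TCP assumed)
EGRESS_ACL = [Rule("deny", src="171.69.198.0", src_mask="255.255.255.0", proto=6, sport=23), Rule("permit")]
EGRESS_MASKS = [frozenset({"src", "proto", "sport"}), frozenset()]

# Manual 4-96: deny TCP with SYN set, permit the rest
SYN_ACL = [Rule("deny", proto=6, control=SYN, control_mask=SYN), Rule("permit")]
DENY_FIRST = [frozenset({"proto", "control"}), frozenset()]
PERMIT_FIRST = list(reversed(DENY_FIRST))  # same rules, masks swapped: the deny is never reached

if __name__ == "__main__":
    syn = Packet("10.0.0.5", "10.1.1.1", dport=80, flags=SYN)  # constructed sample
    print("deny-mask first:", evaluate(SYN_ACL, DENY_FIRST, syn))
    print("permit-mask first:", evaluate(SYN_ACL, PERMIT_FIRST, syn))
```

The last two lines are the check worth running before trusting an ACL on this platform: a deny rule entered first can still lose to a permit rule whose mask sits earlier in the mask table, so review show access-list after binding, which prints rules in the order the masks impose.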
Access Control List Commands 4-97. Related Commands: mask (IP ACL) (4-93). ip access-group: This command binds a port to an IP ACL. Use the no form to remove the port. Syntax: [no] ip access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packe[...]
Page 288
Command Line Interface 4-98. Related Commands: ip access-group (4-97). map access-list ip: This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping. Syntax: [no] map[...]
Page 289
Access Control List Commands 4-99. show map access-list ip: This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax: show map access-list ip [interface]. interface • ethernet unit/port - unit - This is device 1. - port - Port numbe[...]
Page 290
Command Line Interface 4-100. Command Usage • You must configure an ACL mask before you can change frame priorities based on an ACL rule. • Traffic priorities may be included in the IEEE 802.1p priority tag. This tag is also incorporated as part of the overall IEEE 802.1Q VLAN tag. To specify this priority, use the set priority keywords. [...]
Page 291
Access Control List Commands 4-101. MAC ACLs. access-list mac: This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax: [no] access-list mac acl_name. acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting: None. Command Mode: Global Configuration. Command[...]
Page 292
Command Line Interface 4-102. Example. Related Commands: permit, deny (4-102), mac access-group (4-107), show mac access-list (4-103). permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no f[...]
Page 293
Access Control List Commands 4-103. • destination – Destination MAC address range with bitmask. • address-bitmask* – Bitmask for MAC address (in hexadecimal format). • vid – VLAN ID. (Range: 1-4095) • vid-bitmask* – VLAN bitmask. (Range: 1-4095) • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • p[...]
Page 294
Command Line Interface 4-104. Example. Related Commands: permit, deny (4-102), mac access-group (4-107). access-list mac mask-precedence: This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax: [no] access-list mac mask-precedence {in | out} • in – Ingress mask for ingre[...]
Page 295
Access Control List Commands 4-105. mask (MAC ACL): This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask. Syntax: [no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask[...]
Page 296
Command Line Interface 4-106. Example: This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask. This example creates an Egress MAC ACL.
Console(config)#access-list mac M4
Console(config-mac-acl)#permit any any
Console(config-mac-acl)#deny tagged-eth2 00[...]
Page 297
Access Control List Commands 4-107. show access-list mac mask-precedence: This command shows the ingress or egress rule masks for MAC ACLs. Syntax: show access-list mac mask-precedence [in | out] • in – Ingress mask precedence for ingress ACLs. • out – Egress mask precedence for egress ACLs. Command Mode: Privileged Exec. Example. Related[...]
Page 298
Command Line Interface 4-108. Related Commands: show mac access-list (4-103). show mac access-group: This command shows the ports assigned to MAC ACLs. Command Mode: Privileged Exec. Example. Related Commands: mac access-group (4-107). map access-list mac: This command sets the output queue for packets matching an ACL rule. The specified CoS value is[...]
Page 299
Access Control List Commands 4-109. Example. Related Commands: queue cos-map (4-194), show map access-list mac (4-109). show map access-list mac: This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax: show map access-list mac [interface[...]
Page 300
Command Line Interface 4-110. match access-list mac: This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker. Syntax: match access-list mac acl_name set priority priority / no match access-list mac acl_na[...]
Page 301
Access Control List Commands 4-111. ACL Information. show access-list: This command shows all ACLs and associated rules, as well as all the user-defined masks. Command Mode: Privileged Exec. Command Usage: Once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated [...]
Page 302
Command Line Interface 4-112. SNMP Commands: Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. snmp-server community: This command defines the community access string for the Simple Network Management Protocol. Use the no form to remove[...]
Page 303
SNMP Commands 4-113. Example. snmp-server contact: This command sets the system contact string. Use the no form to remove the system contact information. Syntax: snmp-server contact string / no snmp-server contact. string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting: None. Command Mode: Glo[...]
Page 304
Command Line Interface 4-114. Related Commands: snmp-server contact (4-113). snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax: snmp-server host host-addr community-string [version {1 | 2c}] / no snmp-server host host-addr [...]
Page 305
SNMP Commands 4-115. Related Commands: snmp-server enable traps (4-115). snmp-server enable traps: This command enables this device to send Simple Network Management Protocol traps (SNMP notifications). Use the no form to disable SNMP notifications. Syntax: [no] snmp-server enable traps [authentication | link-up-down] • authentication - [...]
Page 306
Command Line Interface 4-116. Command Usage: This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command. Example:
Console#show snmp
System Contact: Paul
System Location: WC-19
SNMP[...]
Page 307
DNS Commands 4-117. DNS Commands: These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services w[...]
Page 308
Command Line Interface 4-118. Command Usage: Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device. Example: This exam[...]
Page 309
DNS Commands 4-119. Default Setting: None. Command Mode: Global Configuration. Example. Related Commands: ip domain-list (4-119), ip name-server (4-120), ip domain-lookup (4-121). ip domain-list: This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with[...]
Page 310
Command Line Interface 4-120. Example: This example adds two domain names to the current list and then displays the list. Related Commands: ip domain-name (4-118). ip name-server: This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list. S[...]
Page 311
DNS Commands 4-121. Example: This example adds two domain-name servers to the list and then displays the list. Related Commands: ip domain-name (4-118), ip domain-lookup (4-121). ip domain-lookup: This command enables DNS host name-to-address translation. Use the no form to disable DNS. Syntax: [no] ip domain-lookup. Default Setting: Disabled. Co[...]
Page 312
Command Line Interface 4-122. Example: This example enables DNS and then displays the configuration. Related Commands: ip domain-name (4-118), ip name-server (4-120). show hosts: This command displays the static host name-to-address mapping table. Command Mode: Privileged Exec. Example. Note that a host name will be displayed as an alias if it is ma[...]
Page 313
DNS Commands 4-123. show dns: This command displays the configuration of the DNS server. Command Mode: Privileged Exec. Example. show dns cache: This command displays entries in the DNS cache. Command Mode: Privileged Exec. Example:
Console#show dns
Domain Lookup Status: DNS enabled
Default Domain Name: sample.com
Domain Name List: sample.com.jp sample[...]
Page 314
Command Line Interface 4-124. clear dns cache: This command clears all entries in the DNS cache. Command Mode: Privileged Exec. Example:
Console#clear dns cache
Console#show dns cache
NO FLAG TYPE IP TTL DOMAIN
Console#[...]
Page 315
Interface Commands 4-125. Interface Commands: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. interface: This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk. Syntax: interface interface / no interface port-channel cha[...]
Page 316
Command Line Interface 4-126. Command Mode: Global Configuration. Example: To specify port 24, enter the following command: description: This command adds a description to an interface. Use the no form to remove the description. Syntax: description string / no description. string - Comment or a description to help you remember what is attached to th[...]
Page 317
Interface Commands 4-127. Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage • To force operation to the speed[...]
Page 318
Command Line Interface 4-128. • If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example: The following example configures port 11 to use autonegotiation. Related Commands: capabilities (4-128), speed-duplex (4-126). capabilities: This command advertises the port capabilities[...]
Page 319
Interface Commands 4-129. Example: The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control. Related Commands: negotiation (4-127), speed-duplex (4-126), flowcontrol (4-129). flowcontrol: This command enables flow control. Use the no form to disable flow control. Syntax: [no] flowcontrol. Default Setting[...]
Page 320
Command Line Interface 4-130. Example: The following example enables flow control on port 5. Related Commands: negotiation (4-127), capabilities (flowcontrol, symmetric) (4-128). combo-forced-mode: This command forces the port type selected for combination ports 21-24/45-48. Use the no form to restore the default mode. Syntax: combo-forced-mode [...]
Page 321
Interface Commands 4-131. Default Setting: All interfaces are enabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also want to disable a port fo[...]
Page 322
Command Line Interface 4-132. Example: The following shows how to configure broadcast storm control at 600 packets per second: clear counters: This command clears statistics on an interface. Syntax: clear counters interface. interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range[...]
Page 323
Interface Commands 4-133. show interfaces status: This command displays the status for an interface. Syntax: show interfaces status [interface]. interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) • vlan vlan-id (Range: 1-4094). Default Setting: Shows the status for all [...]
Page 324
Command Line Interface 4-134. show interfaces counters: This command displays interface statistics. Syntax: show interfaces counters [interface]. interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6). Default Setting: Shows the counters for all interfaces. Command Mode: Norma[...]
Page 325
Interface Commands 4-135. show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. Syntax: show interfaces switchport [interface]. interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6). Default Setting: Shows al[...]
Page 326
Command Line Interface 4-136. Mirror Port Commands: This section describes how to mirror traffic from a source port to a target port. port monitor: This command configures a mirror session. Use the no form to clear a mirror session. Syntax: port monitor interface [rx | tx | both] / no port monitor interface • interface - ethernet unit/port ([...]
Page 327
Mirror Port Commands 4-137. Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner. • The destination port is set by specifying a[...]
Page 328
Command Line Interface 4-138. Example: The following shows mirroring configured from port 6 to port 11: Rate Limit Commands: This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or o[...]
Page 329
Link Aggregation Commands 4-139. Example. Link Aggregation Commands: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and[...]
Page 330
Command Line Interface 4-140. • All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel. • STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel. Dynamically Creating a Port Channel – Ports assigned to a common[...]
Page 331
Link Aggregation Commands 4-141. lacp: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax: [no] lacp. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet). Command Usage • The ports on both ends of an LACP trunk must be configured for full[...]
Page 332
Command Line Interface 4-142. lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax: lacp {actor | partner} system-priority priority / no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. • partner - The remote sid[...]
Page 333
Link Aggregation Commands 4-143. lacp admin-key (Ethernet Interface): This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax: lacp {actor | partner} admin-key key / [no] lacp {actor | partner} admin-key • actor - The local side of an aggregate link. • partner - The re[...]
Page 334
Command Line Interface 4-144. lacp admin-key (Port Channel): This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax: lacp admin-key key / [no] lacp admin-key. key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP [...]
Page 335
Link Aggregation Commands 4-145. Command Mode: Interface Configuration (Ethernet). Command Usage • Setting a lower value indicates a higher effective priority. • If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priorit[...]
Page 336
Command Line Interface 4-146. Example:
Console#show lacp 1 counters
Channel group : 1
-------------------------------------------------------------------------
Eth 1/1
-------------------------------------------------------------------------
LACPDUs Sent : 21
LACPDUs Received : 21
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LAC[...]
Page 337
Link Aggregation Commands 4-147.
Console#show lacp 1 internal
Channel group : 1
-------------------------------------------------------------------------
Oper Key : 4
Admin Key : 0
Eth 1/1
-------------------------------------------------------------------------
LACPDUs Internal : 30 sec
LACP System Priority : 32768
LACP Port Priority : 32768
Ad[...]
Page 338
Command Line Interface 4-148.
Console#show lacp 1 neighbors
Channel group 1 neighbors
-------------------------------------------------------------------------
Eth 1/1
-------------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-00-00-00-00-01
P[...]
Page 339
Address Table Commands 4-149. Address Table Commands: These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Console#show lacp sysid
Channel group System Priority System MAC Address
-----------------------------------------------------[...]
Page 340
Command Line Interface 4-150. mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax: mac-address-table static mac-address interface interface vlan vlan-id [action] / no mac-address-table static mac-address vlan vlan-id • mac-address - MAC address. • inter[...]
Page 341
Address Table Commands 4-151. clear mac-address-table dynamic: This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting: None. Command Mode: Privileged Exec. Example. show mac-address-table: This command shows classes of entries in th[...]
Page 342
Command Line Interface 4-152. 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means "any." • The maximum number of address entries is 8191. Example. mac-address-table aging-time: This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax: mac-addre[...]
Page 343
Spanning Tree Commands 4-153. Spanning Tree Commands: This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 4-51. Spanning Tree Commands
Command | Function | Mode | Page
spanning-tree | Enables the spanning tree protocol | GC | 4-154
spann[...]
Page 344
Command Line Interface 4-154. spanning-tree: This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax: [no] spanning-tree. Default Setting: Spanning tree is enabled. Command Mode: Global Configuration. Command Usage: The Spanning Tree Algorithm (STA) can be used to detect and disable net[...]
Page 345
Spanning Tree Commands 4-155. Command Usage • Spanning Tree Protocol: Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network [...]
Page 346
Command Line Interface 4-156. Default Setting: 15 seconds. Command Mode: Global Configuration. Command Usage: This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes befo[...]
Page 347
Spanning Tree Commands 4-157. spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax: spanning-tree max-age seconds / no spanning-tree max-age. seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-t[...]
Page 348
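The max-age, forward-delay and hello-time values are coupled, and the switch rejects a max-age that falls outside the window the other two timers define. The check below is an added illustration for this page, not code from the Accton manual. The lower bound, the higher of 6 and 2 x (hello-time + 1), is the one the manual states; the upper bound, the lower of 40 and 2 x (forward-delay - 1), is the companion 802.1D constraint and is assumed here. The hello-time and max-age defaults of 2 and 20 seconds are the 802.1D defaults, also assumed; the forward-delay default of 15 seconds is on the page.

```python
"""
Consistency check for the STA bridge timers (hello-time, forward-delay,
max-age). Added example, not Accton code; the upper bound on max-age is
the 802.1D constraint, assumed to apply here as on other 802.1D bridges.
"""
from typing import List, Tuple

MAX_AGE_RANGE = (6, 40)                                      # manual: Range 6-40 seconds
DEFAULTS = {"hello": 2, "forward_delay": 15, "max_age": 20}  # hello/max-age per 802.1D (assumption)


def max_age_bounds(hello: int, forward_delay: int) -> Tuple[int, int]:
    """Window of max-age values the other two timers allow (inclusive)."""
    low = max(MAX_AGE_RANGE[0], 2 * (hello + 1))
    high = min(MAX_AGE_RANGE[1], 2 * (forward_delay - 1))
    return low, high


def check_timers(hello: int, forward_delay: int, max_age: int) -> List[str]:
    """Return the list of violations; an empty list means the triple is acceptable."""
    low, high = max_age_bounds(hello, forward_delay)
    problems = []
    if low > high:
        problems.append(
            f"no max-age satisfies both bounds ({low} > {high}); raise forward-delay or lower hello-time"
        )
    if max_age < low:
        problems.append(f"max-age {max_age} is below the minimum {low} = max(6, 2 x (hello-time + 1))")
    if max_age > high:
        problems.append(f"max-age {max_age} exceeds the maximum {high} = min(40, 2 x (forward-delay - 1))")
    return problems


def suggest_max_age(hello: int, forward_delay: int, wanted: int) -> int:
    """Nearest max-age inside the window; raises if the window is empty."""
    low, high = max_age_bounds(hello, forward_delay)
    if low > high:
        raise ValueError(f"hello-time {hello} and forward-delay {forward_delay} leave no valid max-age")
    return min(max(wanted, low), high)


if __name__ == "__main__":
    print(check_timers(**DEFAULTS))            # [] with the defaults
    print(check_timers(10, 15, 20))            # hello-time 10 pushes the minimum to 22
    print(suggest_max_age(10, 15, 20))         # 22
```

Run it before typing the three commands in a non-default order: the switch checks the relationship at each command, so a sequence that ends in a valid triple can still be rejected half-way through if an intermediate state violates a bound.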
Command Line Interface 4-158. Command Mode: Global Configuration. Command Usage: Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the [...]
Page 349
Spanning Tree Commands 4-159. spanning-tree transmission-limit: This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax: spanning-tree transmission-limit count / no spanning-tree transmission-limit. count - The transmission limit in seconds. (Range: 1-10[...]
Page 350
Command Line Interface 4-160. mst vlan: This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs. Syntax: [no] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • vlan-r[...]
Page 351
Spanning Tree Commands 4-161. mst priority: This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax: mst instance_id priority priority / no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • priority - Priority of the spanning tree [...]
Page 352
Command Line Interface 4-162. Command Usage: The MST region name and revision number (page 4-162) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances. Example. Relate[...]
Page 353
Spanning Tree Commands 4-163. max-hops: This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax: max-hops hop-number. hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting: 20. Command Mode: MST Configuration. Command Usage: A MSTI[...]
Page 354
Command Line Interfa ce 4-164 4 spanning-tree cost This command configures the sp anning tree pa th cost for the specified interf ace. Use the no form to restore the default. Syntax sp anning-tree cost cost no sp anning-tree cost cost - The path cost for the port. (Range: 1-200,000,000)) The recommended range is: • Ethernet: 200,0 00-20,000,000 ?[...]
-
Page 355
Spanning Tree Commands 4-165 4 Default Setting 128 Command Mode Interface Co nfiguration (Et hernet, Port Ch annel) Command Usage • This command defines th e priority for the use of a port in the Spanni ng Tree Algorithm. If the path cost for all ports on a switch are th e same, the port with the highest prio rity (that is, lowest value) wil l be[...]
-
Page 356
Command Line Interfa ce 4-166 4 Example Related Commands spanning-t ree portfast (4-16 6) spanning-tree portfast This command sets an in terface to fast forwarding. Use th e no form to disable fast forwarding. Syntax [ no ] sp anning-tree portfast Default Setting Disabled Command Mode Interface Co nfiguration (Et hernet, Po rt Channel) Command Usag[...]
-
Page 357
Spanning Tree Commands 4-167 4 spanning-tree link-type This command configures the li nk type for Rapid S panning T ree and Multiple S panning T ree. Use the no form to restore the default. Syntax sp anning-tree link-type { auto | point -to-point | shared } no spanning-tree link-type • auto - Automatically derived from the duplex mode setting. ?[...]
-
Page 358
Command Line Interfa ce 4-168 4 Default Setting • Ethernet – ha lf duplex: 2 ,000,000; full duplex: 1, 000,000; trunk: 500,000 • Fast Ethernet – half duplex: 2 00,000; full duplex: 1 00,000; trunk: 50,000 • Gigabit Ethern et – full duplex: 10,000; trunk: 5,000 Command Mode Interface Co nfiguration (Et hernet, Po rt Channel) Command Usag[...]
-
Page 359
Spanning Tree Commands 4-169 4 interface with the highest priority (t hat is, lowest value) wi ll be configured as an active link in the spanning tre e. • Where more than one interface is assigned the highest prio rity, the interface with lowest numeric i dentifier will be enabled. Example Related Commands spanning-t ree mst cost (4-167) spanning[...]
-
Page 360
Command Line Interfa ce 4-170 4 show spanning-tree This command shows the configuration for th e common spanning tree (CST) or for an instanc e within the multiple sp anning tree (MST). Syntax show sp anning-tree [ interface | mst instance_ id ] • interface • ethernet unit / port - unit - This is device 1 . - port - Port number. • port-cha nn[...]
-
Page 361
Spanning Tree Commands 4-171 4 Example Console#show spanning-tree Spanning-tree information --------------------------------------- ------------------------ Spanning tree mode :MSTP Spanning tree enable/disable :enab le Instance :0 Vlans configuration :1-40 94 Priority :3276 8 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20 Bridge Forward Del[...]
-
Page 362
Command Line Interfa ce 4-172 4 show spanning-tree mst c onfiguration This command shows the configurat ion of the multiple sp anning tree. Syntax show sp anning-tree mst configurat ion Command Mode Privileged Exec Example VLAN Commands A VLAN is a group of port s that can b e located anywhere in the network, but communicate as though t hey belong [...]
-
Page 363
VLAN Commands 4-173 4 Editing VLAN Groups vlan database This command enters VLAN dat abase mode. All commands in this mode will take effec t immediately . Default Setting None Command Mode Global Configurat ion Command Usage • Use the VLAN database command mode to add, change, and del ete VLANs. After finishing config uration changes, you can dis[...]
-
Page 364
Command Line Interfa ce 4-174 4 vlan This command config ures a VLAN. Use the no form to restore the default sett ings or delete a VLAN. Syntax vlan vlan-id [ name vlan-name ] media ethernet [ state { active | suspend }] no vlan vlan-id [ name | state ] • vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) • name - Keyword to be[...]
-
Page 365
VLAN Commands 4-175 4 Configuring VLAN Interfaces interface vlan This command enters interf ace configuration mode for VLANs, which is used to configur e VLAN parameters for a physical interface. Syntax interface vlan vlan-id vlan-id - ID of the configured VLAN. (R ange: 1-4094, no lead ing zeroes) Default Setting None Command Mode Global Configura[...]
-
Page 366
Command Line Interfa ce 4-176 4 switchport mode This command confi gures the VLAN membershi p mode for a port. Use the no form to restore the de fault. Syntax switchport mode { trunk | hybrid } no switchport mode • trunk - Specifies a port as an end-point for a VLAN trun k. A trunk is a direct link between two swi tches, so the port transmi ts ta[...]
-
Page 367
VLAN Commands 4-177 4 Command Mode Interface Co nfiguration (Et hernet, Port Ch annel) Command Usage When set to receive all frame types, any received fra mes that are unta gged are assigned to the def ault VLAN. Example The following example shows how to rest rict the traff ic received on port 1 to tag ged frames: Related Commands switchport mode [...]
-
Page 368
Command Line Interfa ce 4-178 4 Example The following example shows how to set the interface to port 1 and then ena ble ingress filtering : switchport native vlan This command configures the PVID (i.e., def ault VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Def[...]
-
Page 369
VLAN Commands 4-179 4 switchport allowed vlan This command confi gures VLAN groups o n the selected interface. Use t he no form to restore the de fault. Syntax switchport allowed vlan { add vlan-list [ ta g g ed | untagged ] | remove vlan-list } no switch port allo wed vlan • add vlan-list - List of VLAN identifiers to add. • remove vlan-list -[...]
-
Page 370
Command Line Interfa ce 4-180 4 switchport forbidden vlan This command confi gures forbidden VLANs. Use the no form to remove the lis t of forbidden VLANs. Syntax switchport forbidden vlan { ad d vlan-list | remove vlan-list } no switchport forbidden vl an • add vlan-list - List of VLAN identifiers to add. • remove vlan-list - List of VLAN iden[...]
-
Page 371
VLAN Commands 4-181 4 Displaying VLAN Information show vlan This command shows VLAN information. Syntax show vlan [ id vlan-id | name vlan-name ] • id - Keyword to be followed by the VLAN ID. - vlan-id - ID of the configured VL AN. (Range: 1-4094, no leading zeroes ) • name - Keyword to be followed by the VLAN nam e. - vlan-name - ASCII string [...]
-
Page 372
Command Line Interfa ce 4-182 4 Configuring Private VLANs Private VLANs provide port-based securi ty and isolation between port s within the assigned VLAN. Thi s section descri bes commands used to configure private VlANs. pvlan This command enables or configures a pri vate VLAN. Use the no form to disable the private VLAN. Syntax pvlan [ up-link i[...]
-
Page 373
VLAN Commands 4-183 4 show pvlan This command displays the config ured private VLAN. Command Mode Privileged Exec Example Configuring Protocol-based VLANs The network devices required to support mu lti ple protocols canno t be easily gr ouped into a common VLAN. This may require non -standard dev ices to pass traffic between dif ferent VLANs in ord[...]
-
Page 374
Command Line Interfa ce 4-184 4 protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, o r to add specifi c protocols to a group. Use the no form to remove a proto col group. Syntax protocol -vlan prot ocol-gro up group-i d [{ add | remove } frame_type frame protocol -type protocol ] no protocol-vlan protocol-group[...]
-
Page 375
VLAN Commands 4-185 4 Command Usage • When creating a protocol-based VLAN, only as sign interfaces via this command. If you assign in terfaces using any of the other VLAN commands (such as vlan on page 4-174), these interfaces wil l admit traffic of any protocol type into the associ ated VLAN. • When a frame enters a port tha t has been assigne[...]
-
Page 376
Command Line Interfa ce 4-186 4 show interfaces protoc ol-vlan protocol-grou p This command shows the mapping fr om protocol gro ups to VLANs for the selected interface s. Syntax show interfaces protoc ol-vlan protocol-group [ interface ] interface • ethernet unit / port - unit - This is device 1 . - port - Port number. • port-cha nnel channel-[...]
-
Page 377
GVRP and Bridge Extension Commands 4-187 4 GVRP and Bridge Extension Commands GARP VLAN Registration Protoco l defines a way for switches to exchange VLAN information in order to automa tically register VLAN members on interfaces acros s the network. This section describ es how to enable GVRP for individual in terfaces and globally for the switch, [...]
-
Page 378
Command Line Interfa ce 4-188 4 show bridge-ext This command shows the configuratio n for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Informat ion” on page 3-1 13 and “Displaying Bridge Extension Cap abilities” on page 3-12 for a description of the d isplayed items. E[...]
-
Page 379
GVRP and Bridge Extension Commands 4-189 4 show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp conf iguration [ interfa ce ] interface • ethernet unit / port - unit - This is device 1 . - port - Port number. • port-cha nnel channel-id (Range : 1-6) Default Setting Shows both global and interfac e-specific configura t[...]
-
Page 380
Command Line Interfa ce 4-190 4 Command Usage • Group Address Registration Protocol is used b y GVRP and GMRP t o register or deregister client attri butes for client services wit hin a bridged LAN. The default values fo r the GARP timers are independen t of the media access method or da ta rate. These value s should not b e changed unless you ar[...]
-
Page 381
Priority Commands 4-191 4 Related Commands garp timer (4-189) Priority Commands The commands described in this secti on allow you to specify which dat a packets have greater precedence when traf fic is bu ffered in the switch due to congestion. This switch support s CoS with eig ht priority queues for eac h port. Dat a packet s in a port’s hi gh-[...]
-
Page 382
Command Line Interfa ce 4-192 4 queue mode This command sets th e queue mode to strict priori ty or Weight ed Round-Robin (WRR) for the class of service (CoS) priorit y queues. Use the no form to re store the default value. Syntax queue mode { stric t | wrr } no queue mode • strict - Services the egre ss queues in sequential order, transmitti ng [...]
-
Page 383
Priority Commands 4-193 4 switchport priori ty default This command sets a priori ty for incoming unt agged frames. Use the no form to restore the default value . Syntax switchport priority default default-priority-id no switchport pri ority default default-priority-id - The priority number for untagged ingress traffic. The priority is a number fro[...]
-
Page 384
Command Line Interfa ce 4-194 4 queue bandwidth This command assign s weighted round-robi n (WRR) weights to the eight c lass of service (CoS) priority queu es. Use the no form to rest ore the defaul t weights . Syntax queue bandwid th weight1...weight 4 no queue bandwi d th weight1...weight4 - The ratio of weights for queues 0 - 3 determines the w[...]
-
Page 385
Priority Commands 4-195 4 Default Setting This switch support s Class of Service by using eight prio rity queues, with Weight ed Round Robin queuing for each po rt. Eight sep arate traffi c classes are defined in IEEE 802.1p. The default priority levels are assigne d according to recommendations in the IEEE 802.1p standard as shown below . Command [...]
-
Page 386
Command Line Interfa ce 4-196 4 Example show queue bandwidth This command displays the we ighted round-robin (WRR) bandwi dth allocati on for the eight priority qu eues. Default Setting None Command Mode Privileged Exec Example show queue cos-map This command shows the class of se rvice priority map. Syntax show queue cos-map [ interfac e ] interfa[...]
-
Page 387
Priority Commands 4-197 4 Example Priority Commands (Layer 3 and 4) map ip port (Global Configuration) This command enables IP port mapping (i .e., class of service mapping f or TCP/UDP sockets). Use th e no form to disable IP port mapping. Syntax [ no ] map ip po rt Default Setting Disabled Command Mode Global Configurat ion Command Usage The prec[...]
-
Page 388
Command Line Interfa ce 4-198 4 Example The following example shows how to en able TCP/UDP port mapping globally: map ip port (Interface Configuration) This command enables IP port mapping (i.e., TCP/UDP port priority). Use the no form to remo ve a specific se tting. Syntax map ip port port number cos cos-value no map ip port port-number • port-n[...]
-
Page 389
Priority Commands 4-199 4 Command Usage • The precedence for priority mappin g is IP Port, IP Precedence or IP DSCP, and default switchp ort priority. • IP Precedence and IP DSCP cannot both be en abled. Enabling one o f these priority types will aut omatically disable th e other type. Example The following example shows how to en able IP prece[...]
-
Page 390
Command Line Interfa ce 4-200 4 map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Dif ferentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [ no ] map ip dscp Default Setting Disabled Command Mode Global Configurat ion Command Usage • The precedence for priority mappin g is IP Po[...]
-
Page 391
Priority Commands 4-201 4 Default Setting The DSCP default values are defi ned in the following t able. Note that all the DSCP values that are not specif ied are mapped to CoS value 0. Command Mode Interface Co nfiguration (Et hernet, Port Ch annel) Command Usage • The precedence for priority mappin g is IP Port, IP Precedence or IP DSCP, and def[...]
-
Page 392
Command Line Interfa ce 4-202 4 Default Setting None Command Mode Privileged Exec Example The following shows that HTTP tra ff ic has been mapped to CoS value 0: Related Commands map ip port (Global Configu ration) (4-197) map ip port (Interface Config uration) (4-198) show map ip precedence This command shows the IP precedence priorit y map. Synta[...]
-
Page 393
Priority Commands 4-203 4 Example Related Commands map ip port (Global Configu ration) (4-197) map ip precedence (Interface Conf iguration) (4-199 ) show map ip dscp This command shows the IP DSCP priori ty map. Syntax show map ip dscp [ interface ] interface • ethernet unit / port - unit - This is device 1 . - port - Port number. • port-cha nn[...]
-
Page 394
Command Line Interfa ce 4-204 4 Example Related Commands map ip dscp (Global Conf iguration) (4-200) map ip dscp (Interface Config uration) (4-200) Multicast Filtering Commands This switch uses IGMP (I nternet Grou p Manage ment Protocol) to query for any attache d hosts that want to receive a specifi c multicast service. I t identifies the ports c[...]
-
Page 395
Multicast Filter ing Commands 4-205 4 ip igmp snoopi ng This command enables IGMP sno oping on this swit ch. Use the no form to disable it. Syntax [ no ] ip igmp snooping Default Setting Enabled Command Mode Global Configurat ion Example The following example enab les IGMP snooping. ip igmp snoopi ng vlan static This command adds a port to a multic[...]
-
Page 396
Command Line Interfa ce 4-206 4 ip igmp snoo ping ver sion This command confi gures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snoopi ng version { 1 | 2 } no ip igmp snoo ping version • 1 - IGMP Version 1 • 2 - IGMP Version 2 Default Setting IGMP V ersion 2 Command Mode Global Configurat ion Command Usage [...]
-
Page 397
Multicast Filter ing Commands 4-207 4 Example The following s hows the current IGMP snooping conf iguration: show mac-address -table multicast This command shows kn own multicast addresse s. Syntax show mac-addre ss-t able multicast [ vlan vlan-id ] [ user | igmp-snooping ] • vlan-id - VLAN ID ( 1 to 4094) • user - Displa y only the use r-confi[...]
-
Page 398
Command Line Interfa ce 4-208 4 IGMP Query Commands (Layer 2) ip igmp snoopi ng querier This command enables the switch as an I GMP querier . Use the no form to disable it. Syntax [ no ] ip igmp snooping querier Default Setting Enabled Command Mode Global Configurat ion Command Usage If enabled, the switch will serve as querie r if elected. The que[...]
-
Page 399
Multicast Filter ing Commands 4-209 4 Default Setting 2 times Command Mode Global Configurat ion Command Usage The query count define s how long the querier waits for a response from a multicast cli ent before taki ng action. If a queri er has sent a number of queries defined by t his command, b ut a clie nt has not res ponded, a count down timer i[...]
-
Page 400
Command Line Interfa ce 4-210 4 ip igmp snoopi ng qu ery-max-response-time This command configures the que ry report delay . Use the no form to resto re the default. Syntax ip igmp snoopi ng qu ery-max-response-time seconds no ip igmp snoo ping query-max-response-time seconds - The report delay advertised in IGMP querie s. (Range: 5- 25) Default Se[...]
-
Page 401
Multicast Filter ing Commands 4-211 4 Default Setting 300 seconds Command Mode Global Configurat ion Command Usage The switch must use IGMPv2 for this command to take ef fect. Example The following shows how to confi gure the default timeout t o 300 seconds: Related Commands ip igmp snooping version (4-206) Static Multicast Routing Commands ip igmp[...]
-
Page 402
Command Line Interfa ce 4-212 4 Command Usage Depending on your network connect ions, IGMP snooping may not always be able to locate the IGMP querier . Ther efore, if the IGMP querier i s a known multicast router/swit ch connected over the network to an in terface (port or trunk) on your router , you can manually configure that interf ace to join a[...]
-
Page 403
IP Interface Commands 4-213 4 IP Interface Commands An IP addresses may be used for manage ment access to the switch over your network. The IP address for th is switch is obt ained via DHCP by default. Y ou can manually configure a spe cific IP address, or direct the dev ice to obtain an address from a BOOTP or DHCP server when it is powered on. Y [...]
-
Page 404
Command Line Interfa ce 4-214 4 • If you select the bootp or dh cp option, IP i s enabled but wi ll not func tion until a BOOTP or DHCP reply has been rece ived. Requests will be br oadcast periodically b y this device in an effort to learn its IP address. (BOOTP and DHCP values can include t he IP address, defaul t gateway, and su bnet mask). ?[...]
-
Page 405
IP Interface Commands 4-215 4 Related Commands ip address (4-213) ip default-gateway This command establ ishes a stat ic route between this switch an d management statio ns that exist on another network se gment. Use the no form to re move the stat ic route. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default[...]
-
Page 406
Command Line Interfa ce 4-216 4 Related Commands show ip redirect s (4-216) show ip redirects This command shows the default gateway configure d for this device. Default Setting None Command Mode Privileged Exec Example Related Commands ip default-g ateway (4-2 15) ping This command sends ICMP echo reques t packet s to another node on th e network.[...]
-
Page 407
IP Interface Commands 4-217 4 - Network or host un reachable - The gate way found no corresp onding entry in the route table. • Press <Esc> to stop pinging. Example Related Commands interface (4-125) Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms respon[...]
-
Page 408
Command Line Interfa ce 4-218 4[...]
-
Page 409
A-1 Appendix A: Software Specifications Software Features Authentication Local, RADIUS, T ACACS, Port (802. 1x), HTTPS, SSH, Port Security Access Control List s IP , MAC (up to 32 lists) DHCP Client DNS Server Port Configuration 1000BASE-T : 10/100 Mbps at half/full d uplex, 1000 Mbp s at full duplex 1000BASE-SX/LX/LH: 1000 Mbp s, full duplex Flow [...]
-
Page 410
Software Specifications A-2 A Additional Featu r es BOOTP client SNTP (Simple Network T ime Protocol) SNMP (Simple Network Ma nagement Protocol) RMON (Remote Monitoring, group s 1, 2, 3, 9) SMTP Email Alerts Management Features In-Band Management T elnet, Web-based HTTP or HTTPS, SNMP manager , or Secure Shell Out-of-Band Manageme nt RS-232 DB-9 co[...]
-
Page 411
Management Inform ation Bases A-3 A RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1 157) SNMPv2 (RFC 1907) SNTP (RFC 2030) SSH (V ersion 2.0) TFTP (RFC 1350) Management Information Bases Bridge MIB (RFC 1493) Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674 ) Extensible SNMP Age nts MIB (RFC 2 742) Forwarding T able MIB (RFC[...]
-
Page 412
Software Specifications A-4 A[...]
-
Page 413
B-1 Appendix B: Troubleshooting Problems Accessing the Management Int erface T able B-1 T roubleshooting Chart Symptom Action Cannot connect us ing T elnet, web browser , or SNMP software • Be sure the switch is powered up. • Check network cabling between the manag ement station and t he switch. • Check that you have a valid network connectio[...]
-
Page 414
Troubleshooting B-2 B Using System Logs If a fault does occur , refer to the Installati on Guide to ensure that the probl em you encountered is actual ly caused by the switch. If the problem app ears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to incl ude all categories. 3. Designate the SNM[...]
-
Page 415
Glossary-1 Glossary Access Control List (ACL) ACLs can limit netwo rk traffic and restri ct access to certai n users or devices by checking each p acket for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide boot up information fo r network devices, inclu ding IP address informati on, the address of the TF[...]
-
Page 416
Glossary Glossary-2 GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VL AN information in order to register necessary VLAN members on p orts along the S panning T ree so that VL ANs defined in each switch can work automati cally over a S panning T ree network. Generic Attribute Regi stration Protocol (GARP) GARP is a pr[...]
-
Page 417
Glossary-3 Glossary IEEE 802.3x Defines Ethernet frame st art/stop requests and timers used for flow control on full-duplex links. IGMP Snooping Listening to IGMP Query and IGMP Re port packe ts transferred betwee n IP Multicast Routers and IP Multicast host group s to identify IP Multicast group members. IGMP Query On each subnetwork, on e IGMP-ca[...]
-
Page 418
Glossary Glossary-4 Management Information Base (MIB) An acronym for Management Information Base. It is a set of databa se objects that contain s information a bout a specific device. Multicast Switching A process whereby the switch filters incoming multicast fra mes for services for which no attache d host has registered, or forwards them t o all [...]
-
Page 419
Glossary-5 Glossary Rapid Spanning Tr ee Protocol (RSTP) RSTP reduces the convergence time for network to pology changes to a bout 10% of that require d by the older IEEE 802.1D STP st andard. Secure Shell (SSH) A secure replacement for remote access functions, includi ng T elnet. SSH can authenticate use rs with a cryptographic key , and encrypt d[...]
-
Page 420
Glossary Glossary-6 User Datagram Protocol (UDP) UDP provides a dat agram mode for packet-swi tched communications. It uses IP as the underlying transpo rt mechanism to provide acce ss to IP-like services. UDP packet s are delivered just like IP packet s – connection-less dat agrams that may be discarded before reachi ng their target s. UDP is us[...]
-
Page 421
Index-1 Symbols 3-31 Numerics 802.1x, port authentication 3-43, 4-78 A acceptable frame type 3-119, 4-174 Access Control List See ACL ACL Extended IP 3-53, 4-86, 4-87, 4-90 MAC 3-53, 4-86, 4-10 1, 4-101–4-103 Standard IP 3-53, 4-86, 4-87, 4-89 address table 3-88, 4-147 aging time 3-91, 4-150 B BOOTP 3-15, 4-211 BPDU 3-92 broadcast storm, t hresho[...]
-
Page 422
Index-2 Index H hardware version, displaying 3-10, 4-61 HTTPS 3-34, 4-31 HTTPS, secure server 3-34, 4-31 I IEEE 802.1D 3-91, 4-152 IEEE 802.1s 4-152 IEEE 802.1w 3-91, 4-152 IEEE 802.1x 3-43, 4-78 IGMP groups, display ing 3-144, 4-205 Layer 2 3-139, 4-202 query 3-139, 4-206 query, Layer 2 3-140, 4-206 snooping 3-139, 4-203 snooping, config uring 3-1[...]
-
Page 423
Index-3 Index Q queue weights 3-129, 4-192 R RADIUS, logon a uthentication 3-31, 4-71 rate limits, setting 3-8 3, 4-136 restarting the system 3-25, 4-22 RSTP 3-91, 4-152 global configuratio n 3-92, 4-152 S Secure Shell 3-36, 4-34 configurati on 3-36, 4-37 Secure Shell configuration 4-37 serial port configur ing 4-11 Simple Network Ma nagement Proto[...]
-
Page 424
Index-4 Index W Web interface access requirements 3-1 configuration but tons 3-3 home page 3-2 menu list 3-3, 3-4 panel display 3-3[...]
-
Page 425
[...]
-
Page 426
ES4512C ES4524C ES4548C E052005-R02[...]