Part No. 060191-10, Rev.
An Alcatel service agreement brings your company the assurance of 7x24 no-excuses technical support. You’ll also receive regular software updates to maintain and maximize your Alcatel product’s features and functionality and on-site hardware replacement through our global network of highly qualified service delivery partners.
Warning This equipment has been tested and found to comply with the limits for Class A digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions in this guide, may cause interference to radio communications.
Chapter 1: Introduction
This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Key Features
Table 1-1. Key Features
Feature | Description
AMAP | Configures Alcatel Mapping Adjacency Protocol (AMAP) parameters and displays information on attached AMAP-aware devices
Description of Software Features
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network.
Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port.
older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs.
Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.
AMAP – The AMAP protocol enables a switch to discover the topology of other AMAP-aware devices in the network.
Table 1-2. System Defaults
Function | Parameter | Default
Virtual LANs | Default VLAN | 1
Virtual LANs | PVID | 1
Virtual LANs | Acceptable Frame Type | All
Virtual LANs | Ingress Filtering | Disabled
Virtual LANs | Switchport Mode (Egress Mode) | Hybrid: tagged/untagged frames
Virtual LANs | GVRP (global) | Disabled
Virtual LANs | GVRP (port interface) | Disabled
| Ingress Port Priority | 0
| Weighted Round Robin | Queue: 0 1 2 3 4 5 6 7 / Priority: 2 0 1 3 4 5 6 7
| IP Precedence Priority | Disabled
| IP DSCP Priority | Disabled
| IP Address | 0.0.0.0
| Subnet Mask | 255.0.0.
Chapter 2: Initial Configuration
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: The IP address for this switch is unassigned by default. To change this address, see “Setting an IP Address” on page 2-4.
• Set broadcast storm control on any port
• Display system information and statistics
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is unassigned by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.
Note: This switch supports four concurrent Telnet or SSH sessions.
Setting Passwords
Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place.
Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:
1.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press .
2.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press .
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press .
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart client
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.
To configure a community string, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press . (Note that the default mode is read only.)
2. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press .
2. Enter the name of the start-up file. Press .
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
Chapter 3: Configuring the Switch
Using the Web Interface
This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”
Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Table 3-2. Configuration Options
Button | Action
Revert | Cancels specified values and restores current values prior to pressing “Apply” or “Apply Changes.”
Refresh | Immediately updates values for the current page.
Apply | Sets specified values to the system.
Apply Changes | Sets specified values to the system.
Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer 5.
Table 3-4. Main Menu
Menu | Description | Page
Port Security | Configures per port security, including status, response for security breach, and maximum allowed MAC addresses | 3-52
802.
Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)
Figure 3-5. System Information
CLI – Specify the hostname, location and contact information.
Displaying Switch Hardware/Software Versions
Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Field Attributes
Main Board
• Serial Number – The serial number of the switch.
• Number of Ports – Number of built-in RJ-45 ports and expansion ports.
• Hardware Version – Hardware version of the main board.
CLI – Use the following command to display version information.
Console#show version
Unit1
 Serial number          :A329025054
 Hardware version       :R01
 Number of ports        :24
 Main power status      :up
 Redundant power status :not present
Agent(Primary)
 Unit id                :1
 Loader version         :2.0.2.2
 Boot rom version       :2.0.2.2
 Operation code version :10.31.23.
Console#
Web – Click System, Bridge Extension.
Figure 3-7. Bridge Extension Configuration
CLI – Enter the following command.
• IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
CLI – Enter the following command to restart DHCP service.
Console#ip dhcp restart client
Console#
Enabling Jumbo Frames
The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9000 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
• File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
• Source/Destination Unit – Specifies the switch stack unit number.
• File Type – Allows you to specify either an operational code file (opcode), or a configuration file (config).
CLI – Enter the IP address of the TFTP server, select “config” or “opcode” file type, then enter the source and destination file names, set the new file to start up the system, and then restart the switch.
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
 1. config: 2. opcode: <1-2>: 2
Source file name: M100000.bix
Destination file name: V1.0
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V1.
If you download to a new file name, then select the new file from the drop-down box for Startup Configuration File, and press Apply Changes. To use the new settings, reboot the system via the System/Reset menu.
Figure 3-14. Setting the Start-up Configuration File
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config
TFTP server ip address: 192.
• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
• Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded.
Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply.
Figure 3-1. Console Port Settings
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Telnet Settings
You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the Web or CLI interface.
Command Attributes
• Telnet Status – Enables or disables Telnet access to the switch.
Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.
Figure 3-2. Telnet Settings
CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages.
System Logs
The system can be configured to send debug and error messages to a logging process. This logging process controls the type of error messages that are stored in switch memory or sent to a remote syslog server.
Web – Click System, Log, Logs.
Figure 3-3. Logging Information
CLI – Type "show logging ram" to display log messages in the RAM buffer.
Console#show logging ram
Syslog logging: Enable
History logging in RAM: level debugging
[3] 0:0:58 1/1/1 "VLAN 1 link-up notification." level: 6, module: 6, function: 1, and event
[2] 0:0:58 1/1/1 "STP topology change notification." level: 6, module: 6, function: 1, and event
[1] 0:0:28 1/1/1 "Unit 1, Port 23 link-up notification.
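The entries in the RAM buffer above have a fixed shape, so they can be collected from a scripted "show logging ram" and parsed for review. This is an added example, not code from the manual or from Alcatel; the sample text is constructed to mirror the page's output, and the trailing "and event ..." text is left opaque because the page shows no more of it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of the switch's "show logging ram" output
# (not captured from a real device).
SAMPLE_SHOW_LOGGING_RAM = """\
Syslog logging: Enable
History logging in RAM: level debugging
[3] 0:0:58 1/1/1 "VLAN 1 link-up notification." level: 6, module: 6, function: 1, and event
[2] 0:0:58 1/1/1 "STP topology change notification." level: 6, module: 6, function: 1, and event
[1] 0:0:28 1/1/1 "Unit 1, Port 23 link-up notification." level: 6, module: 6, function: 1, and event
"""

# One RAM entry: [index] H:M:S M/D/Y "message" level: N, module: N, function: N, ...
ENTRY_RE = re.compile(
    r'^\[(?P<idx>\d+)\]\s+(?P<time>\d+:\d+:\d+)\s+(?P<date>\d+/\d+/\d+)\s+'
    r'"(?P<msg>.*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+)'
)


@dataclass
class LogEntry:
    index: int
    time: str
    date: str
    message: str
    level: int      # syslog severity: 0 = most severe, 7 = debugging
    module: int
    function: int


def parse_show_logging_ram(text: str) -> List[LogEntry]:
    """Parse the entry lines of 'show logging ram'; the two header lines
    ("Syslog logging: ...", "History logging in RAM: ...") are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(LogEntry(
            index=int(m["idx"]), time=m["time"], date=m["date"], message=m["msg"],
            level=int(m["level"]), module=int(m["module"]),
            function=int(m["function"]),
        ))
    return entries


def at_or_above_severity(entries: List[LogEntry], max_level: int) -> List[LogEntry]:
    """Mirror the switch's RAM Level semantics: keep levels 0..max_level,
    i.e. everything at least as severe as max_level."""
    return [e for e in entries if e.level <= max_level]


def port_link_events(entries: List[LogEntry]) -> Dict[Tuple[int, int, str], int]:
    """Count link-up/link-down notifications per (unit, port, direction),
    useful for spotting a flapping port or a link-up on a port that should be idle."""
    port_re = re.compile(r"Unit (\d+), Port (\d+) link-(up|down)")
    counts: Dict[Tuple[int, int, str], int] = {}
    for e in entries:
        m = port_re.search(e.message)
        if m:
            key = (int(m.group(1)), int(m.group(2)), m.group(3))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_show_logging_ram(SAMPLE_SHOW_LOGGING_RAM)
    for entry in parsed:
        print(entry)
    print(port_link_events(parsed))
```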
• RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Default: 6)
Web – Click System, Log, System Logs. Specify the System Log Status, modify the level of messages to be logged to RAM and flash memory, and then click Apply.
Figure 3-4.
• Host IP List – Displays the list of remote server IP addresses that receive the syslog messages. The maximum number of host IP addresses allowed is five.
• Host IP Address – Specifies a new server IP address to add to the Host IP List.
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Sending Simple Mail Transfer Protocol Alerts
To alert system administrators of problems, the switch can use SMTP (Simple Mail Transfer Protocol) to send email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
Command Attributes
• Admin Status – Enables/disables the SMTP function.
Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server text box and then click Add. To delete an IP address, click the entry in the SMTP Server List and then click Remove. Specify up to five email addresses to receive the alert messages, and then click Apply.
Figure 3-6.
to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.
Console(config)#logging sendmail host 192.168.1.4
Console(config)#logging sendmail level 3
Console(config)#logging sendmail source-email Matrix-V-Series@this-company.com
Console(config)#logging sendmail destination-email chris@this-company.
This switch acts as an SNTP client in unicast mode:
Unicast – The switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.
Configuring SNTP
You can configure the switch to send time synchronization requests to specific time servers (i.e., client mode).
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Command Attributes
• Current Time – Displays the current time.
• Name – Assigns a name to the time zone.
standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView.
Enabling SNMP
Enables the SNMP agent on the switch for all versions (1, 2c, and 3).
Command Attributes
• SNMP Agent Status – Enables SNMP on the switch.
Figure 3-7. Enabling the SNMP Agent
CLI – The following example enables SNMP on the switch.
Console(config)#snmp-server
Console(config)#
Setting Community Access Strings
You may configure up to five community strings authorized for management access using SNMP v1 and v2c.
Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.
Figure 3-18. SNMP Configuration
CLI – The following example adds the string “spiderman” with read/write access.
Console(config)#snmp-server community spiderman rw
Console(config)#
Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers.
Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port and SNMP version, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
Figure 3-19. Configuring SNMP Trap Managers
CLI – This example adds a trap manager and enables both authentication and link-up, link-down traps.
A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users. A new engine ID can be specified by entering 1 to 26 hexadecimal characters. If less than 26 characters are specified, trailing zeroes are added to the value. For example, the value “1234” is equivalent to “1234” followed by 22 zeroes.
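Because changing the engine ID clears every SNMPv3 user, it helps to compute the stored 26-character form before applying a value and to check whether it actually differs from what is running. The following is an added example, not code from the manual; it applies the page's padding rule and assumes hex digits compare case-insensitively.

```python
import re

ENGINE_ID_LEN = 26                      # hexadecimal characters, as the page states
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def normalize_engine_id(value: str) -> str:
    """Return the 26-hex-character engine ID the switch would store for
    'value': validate the characters and length, then pad with trailing
    zeroes as the page describes ("1234" becomes "1234" + 22 zeroes)."""
    if not HEX_RE.match(value):
        raise ValueError("engine ID must be 1-26 hexadecimal characters")
    if len(value) > ENGINE_ID_LEN:
        raise ValueError(f"engine ID longer than {ENGINE_ID_LEN} characters")
    return value.ljust(ENGINE_ID_LEN, "0")


def engine_id_changed(proposed: str, running: str) -> bool:
    """True if applying 'proposed' would replace the running engine ID and
    therefore clear all SNMPv3 users, so the operator can be warned first.
    Assumption: hex digits compare case-insensitively."""
    return normalize_engine_id(proposed).lower() != normalize_engine_id(running).lower()


if __name__ == "__main__":
    print(normalize_engine_id("1234"))
    print(engine_id_changed("1234", "12340000"))
```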
• Level – The security level used for the user:
 - noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
 - AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
 - AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).
• Authentication – The method used for user authentication; MD5 only.
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Figure 3-10.
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
• View Name – The name of the SNMP view. (Range: 1-64 characters)
• View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
 Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
 View Type: included
 Storage Type: nonvolatile
 Row Status: active
View Name: readaccess
 Subtree OID: 1.3.6.1.
Command Attributes
• User Name* – The name of the user. (Maximum length: 8 characters)
• Access Level* – Specifies the user level. (Options: Normal and Privileged)
• Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive)
* CLI only.

Web – Click Security, Passwords. To change the password for the current user, enter the old password, the new password, confirm it by entering it again, then click Apply. Figure 3-20.

a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best-effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

• TACACS Settings
  - Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.13)
  - Server Port Number – Network (TCP) port of the TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49)
  - Secret Text String – Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.

CLI – Specify all the required parameters to enable logon authentication.

    Console(config)#authentication login radius
    Console(config)#radius-server host 192.168.1.25
    Console(config)#radius-server port 181
    Console(config)#radius-server key green
    Console(config)#radius-server retransmit 5
    Console(config)#radius-server timeout 10
    Console#show radius-server
    Server IP address: 192.168.1.

• To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 3-46.

Command Attributes
• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled)
• Change HTTPS Port Number – Specifies the UDP port number used for the HTTPS/SSL connection to the switch’s web interface. (Default: Port 443)

Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-23.
When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one:

    Console#copy tftp https-certificate     4-62
    TFTP server ip address:
    Source certificate file name:
    Source private file name:
    Private password:

Note: The switch must be reset for the new certi

Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:

    10.1.0.

2. The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).

Web – Click Security, SSH Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-24. Secure Shell Host-Key Settings

CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.

Configuring the SSH Server

The SSH server includes basic settings for authentication.

Field Attributes
• SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Enabled)
• Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.

CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.

    Console(config)#ip ssh server     4-34
    Console(config)#ip ssh timeout 100     4-35
    Console(config)#ip ssh authentication-retries 5     4-36
    Console(config)#ip ssh server-key size 512     4-36
    Console(config)#end
    Console#show ip ssh     4-39
    SSH Enabled - version 2.
Command Attributes
• Port – Port number.
• Name – Descriptive text (page 4-131).
• Action – Indicates the action to be taken when a port security violation is detected:
  - None: No action should be taken. (This is the default.)
  - Trap: Send an SNMP trap message.
  - Shutdown: Disable the port.
  - Trap and Shutdown: Send an SNMP trap message and disable the port.
• Security Status – Enables or disables port security on the port.

Configuring 802.1x Port Authentication

Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.

• The RADIUS server and client also have to support the same EAP authentication type – MD5. (Some clients have native support in Windows; otherwise the dot1x client must support it.)

Displaying 802.1x Global Settings

The dot1x protocol includes global parameters that control the client authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and the authentication server.

CLI – This example shows the default protocol settings for 802.1x. For a description of the additional entries displayed in the CLI, see “show dot1x” on page 4-81.

    Console#show dot1x
    Global 802.1X Parameters
     reauth-enabled: yes
     reauth-period:  300
     quiet-period:   350
     tx-period:      300
     supp-timeout:   30
     server-timeout: 30
     reauth-max:     2
     max-req:        2

    802.1X Port
    Port Name
    1/1
    1/2
    . . .

Configuring 802.1x Global Settings

The dot1x protocol includes global parameters that control the client authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and the authentication server. The configuration options for these parameters are described in this section.

CLI – This enables re-authentication and sets all of the global parameters for 802.1x.

Web – Click Security, 802.1x, Port Configuration. Select the authentication mode from the drop-down box and click Apply. Figure 3-29. 802.1X Port Configuration

CLI – This example sets the authentication mode to enable 802.1x on port 2, and allows up to ten clients to connect to this port.

Table 3-30. 802.1X Statistics

Parameter         Description
Rx Last EAPOLSrc  The source MAC address carried in the most recently received EAPOL frame.
Tx EAPOL Total    The number of EAPOL frames of any type that have been transmitted by this Authenticator.
Tx EAP Req/Id     The number of EAP Req/Id frames that have been transmitted by this Authenticator.
Tx EAP Req/Oth    The number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
Access Control Lists

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.

Setting the ACL Name and Type

Use the ACL Configuration page to designate the name and type of an ACL.

Command Attributes
• Name – Name of the ACL. (Maximum length: 16 characters)
• Type – There are three filtering modes:
  - Standard: IP ACL mode that filters packets based on the source IP address.
  - Extended: IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number.

• SubMask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.

Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address.

• Service Type – Packet priority settings based on the following criteria:
  - Precedence – IP precedence level. (Range: 0-7)
  - TOS – Type of Service level. (Range: 0-15)
  - DSCP – DSCP priority level. (Range: 0-64)
• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where Others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP)
• Src/Dst Port – Source/destination port number for the specified protocol type.

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add. Figure 3-34.

Configuring a MAC ACL

Command Attributes
• Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules)
• Source/Destination MAC – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add. Figure 3-35.
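The following is an added example, not code from the Alcatel guide, that implements the masked comparison described for the IP ACL SubMask and the MAC ACL Bitmask above: the mask is ANDed with both the configured address and the packet address, and the two results are compared. It covers the Any, Host and IP/MAC address types for both rule kinds. The Rule record, helper names and sample lists are my own, and list order stands in for the ACL mask that sets rule precedence on the switch.

```python
"""Masked address matching for IP and MAC ACL rules (added example, not the
switch's code)."""
from dataclasses import dataclass
from typing import List, Optional


def ip_to_int(dotted: str) -> int:
    """Dotted-quad IPv4 address or SubMask to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def mac_to_int(mac: str) -> int:
    """MAC address or bitmask in 11-22-33-44-55-66 (or colon) form to a 48-bit integer."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(parts), 16)


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    value: int   # configured address (0 for Any)
    mask: int    # 1 bits are compared, 0 bits ignored (0 for Any, all ones for Host)


def ip_rule(action: str, addr_type: str, address: str = "0.0.0.0",
            submask: str = "255.255.255.255") -> Rule:
    """Build a rule from the IP ACL's Any / Host / IP address types."""
    if addr_type == "Any":
        return Rule(action, 0, 0)
    if addr_type == "Host":
        return Rule(action, ip_to_int(address), 0xFFFFFFFF)
    if addr_type == "IP":
        return Rule(action, ip_to_int(address), ip_to_int(submask))
    raise ValueError(f"unknown address type: {addr_type!r}")


def mac_rule(action: str, addr_type: str, address: str = "00-00-00-00-00-00",
             bitmask: str = "ff-ff-ff-ff-ff-ff") -> Rule:
    """Build a rule from the MAC ACL's Any / Host / MAC address types."""
    if addr_type == "Any":
        return Rule(action, 0, 0)
    if addr_type == "Host":
        return Rule(action, mac_to_int(address), 0xFFFFFFFFFFFF)
    if addr_type == "MAC":
        return Rule(action, mac_to_int(address), mac_to_int(bitmask))
    raise ValueError(f"unknown address type: {addr_type!r}")


def matches(rule: Rule, packet_value: int) -> bool:
    """AND the mask with the rule address and with the packet address, then compare."""
    return (rule.value & rule.mask) == (packet_value & rule.mask)


def evaluate(rules: List[Rule], packet_value: int) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    for rule in rules:
        if matches(rule, packet_value):
            return rule.action
    return None


# Constructed sample lists (not from the guide): one all-permit IP ACL and one
# all-deny MAC ACL that blocks a whole OUI prefix with a 24-bit bitmask.
IP_ACL = [
    ip_rule("permit", "Host", "192.168.1.10"),
    ip_rule("permit", "IP", "10.1.1.0", "255.255.255.0"),
]
MAC_ACL = [
    mac_rule("deny", "MAC", "00-11-22-00-00-00", "ff-ff-ff-00-00-00"),
]


def check_ip(source: str) -> Optional[str]:
    """Result of IP_ACL for a packet with the given source address."""
    return evaluate(IP_ACL, ip_to_int(source))


def check_mac(source: str) -> Optional[str]:
    """Result of MAC_ACL for a frame with the given source MAC address."""
    return evaluate(MAC_ACL, mac_to_int(source))
```

Because the mask is an arbitrary bit pattern rather than a prefix length, a non-contiguous mask such as 255.255.0.255 is accepted and matches exactly the bits it sets.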
Configuring ACL Masks

You must specify masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL. A mask must be bound exclusively to one of the basic ACL types (i.e.

Configuring an IP ACL Mask

This mask defines the fields to check in the IP header.

Command Usage
• Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes.

Command Attributes
• Src/Dst IP – Specifies the source or destination IP address. Use “Any” to match any address, “Host” to specify a host address (not a subnet), or “IP” to specify a range of addresses.

Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitmask to search for specific protocol port(s) or TCP control code(s). Then click Add. Figure 3-37.

Configuring a MAC ACL Mask

This mask defines the fields to check in the packet header.

Command Usage
You must configure a mask for an ACL rule before you can bind it to a port.

Command Attributes
• Source/Destination MAC – Use “Any” to match any address, “Host” to specify the host address for a single node, or “MAC” to specify a range of addresses. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Bitmask – Address of rule must match this bitmask.

CLI – This example shows how to create an ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.

Filtering IP Addresses for Management Access

Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply. Figure 3-39. ACL Port Binding

CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2.

• When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
• You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.
• You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
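The following is an added example, not the switch's own implementation, that models the three range rules just listed for the SNMP, web and Telnet groups: overlap is rejected only within a group, a range is deleted as a whole by its start address (with or without the end address), and an address that merely lies inside a range does not identify it. The class and method names are my own; what the switch does when a group has no entries is not covered on this page, so the class only reports whether an address is listed.

```python
"""Address-range bookkeeping for management access filtering (added example,
not the switch's code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

GROUPS = ("snmp", "web", "telnet")


class ManagementFilter:
    def __init__(self) -> None:
        # One list of inclusive (start, end) integer ranges per management group.
        self.ranges: Dict[str, List[Tuple[int, int]]] = {g: [] for g in GROUPS}

    @staticmethod
    def _to_int(address: str) -> int:
        return int(ipaddress.IPv4Address(address))

    def _check_group(self, group: str) -> None:
        if group not in self.ranges:
            raise ValueError(f"unknown group {group!r}; expected one of {GROUPS}")

    def add_range(self, group: str, start: str, end: Optional[str] = None) -> bool:
        """Add a range (a single address when end is omitted). Returns False when it
        overlaps a range already in the same group; other groups are not consulted."""
        self._check_group(group)
        lo = self._to_int(start)
        hi = self._to_int(end) if end is not None else lo
        if hi < lo:
            raise ValueError("end address precedes start address")
        for a, b in self.ranges[group]:
            if lo <= b and a <= hi:
                return False
        self.ranges[group].append((lo, hi))
        return True

    def delete_range(self, group: str, start: str, end: Optional[str] = None) -> bool:
        """Delete a whole range identified by its start address, or by start and end.
        An address inside a range is not a start address, so nothing is removed."""
        self._check_group(group)
        lo = self._to_int(start)
        hi = self._to_int(end) if end is not None else None
        for i, (a, b) in enumerate(self.ranges[group]):
            if a == lo and (hi is None or b == hi):
                del self.ranges[group][i]
                return True
        return False

    def is_listed(self, group: str, address: str) -> bool:
        """Whether the address falls inside any range configured for the group."""
        self._check_group(group)
        x = self._to_int(address)
        return any(a <= x <= b for a, b in self.ranges[group])


def scenario() -> Tuple[bool, ...]:
    """Walks the three rules on a constructed set of ranges (not from the guide)."""
    f = ManagementFilter()
    return (
        f.add_range("snmp", "10.0.0.1", "10.0.0.50"),   # True
        f.add_range("snmp", "10.0.0.40", "10.0.0.60"),  # False: overlaps within SNMP
        f.add_range("web", "10.0.0.40", "10.0.0.60"),   # True: overlap across groups is accepted
        f.delete_range("snmp", "10.0.0.10"),            # False: inside a range, not its start
        f.delete_range("snmp", "10.0.0.1"),             # True: whole range removed
        f.is_listed("web", "10.0.0.45"),                # True
    )
```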
Port Configuration

Displaying Connection Status

You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.

Field Attributes (Web)
• Name – Interface label.
• Type – Indicates the port type. (1000BASE-T, 1000BASE-SX, 1000BASE-LX or 100BASE-FX)
• Admin Status – Shows if the interface is enabled or disabled.
• Oper Status – Indicates if the link is Up or Down.

Field Attributes (CLI)
Basic information:
• Port type – Indicates the port type. (1000BASE-T, 1000BASE-SX, 1000BASE-LX or 100BASE-FX)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-12.)
Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.e., up or down).
• Speed-duplex – Shows the current speed and duplex mode.

CLI – This example shows the connection status for Port 5.

(The current switch chip only supports symmetric pause frames.)
  - FC – Supports flow control

Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation. (Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem.

CLI – Select the interface, and then enter the required settings.

    Console(config)#interface ethernet 1/13
    Console(config-if)#description RD SW#13
    Console(config-if)#shutdown
    .
    Console(config-if)#no shutdown
    Console(config-if)#no negotiation
    Console(config-if)#speed-duplex 100half
    Console(config-if)#flowcontrol
    .

• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
• All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN.
• STP, VLAN, and IGMP settings can only be made for the entire trunk.

CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.

Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. Figure 3-43. LACP Configuration

CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.

    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp
    Console(config-if)#exit
    . . .
Configuring LACP Parameters

Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP System Priority.
• Ports must have the same LACP port Admin Key.
• However, if the “port channel” Admin Key is set (page 4-142), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group.

Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply. Figure 3-44.

CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode.

    Console(config)#interface ethernet 1/1     4-128
    Console(config-if)#lacp actor system-priority 3     4-150
    Console(config-if)#lacp actor admin-key 120     4-151
    Console(config-if)#lacp actor port-priority 128     4-153
    Console(config-if)#exit
    . . .

Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-46. LACP Port Counters Information

CLI – The following example displays LACP counters for port channel 1.

Table 3-47. LACP Settings - Local Side

Field                    Description
LACP Port Priority       LACP port priority assigned to this interface within the channel group.
Admin State, Oper State  Administrative or operational values of the actor’s state parameters:
                         • Expired – The actor’s receive machine is in the expired state;
                         • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.

CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.

Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-50. LACP Port Settings - Remote Side

CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Setting Broadcast Storm Thresholds

Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt. You can protect your network from broadcast storms by setting a threshold for broadcast traffic for each port.

CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.

Web – Click Port, Mirror. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. Figure 3-52. Mirror Port Configuration

CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port. Note that default mirroring under the CLI is for both received and transmitted packets.

Web – Click Rate Limit, Input/Output Port/Trunk Configuration. Set the Input Rate Limit Status or Output Rate Limit Status, then set the rate limit for the individual interfaces, and click Apply. Figure 3-53. Output Rate Limit Port Configuration

CLI – This example sets the rate limit for input and output traffic passing through port 1 to 600 Mbps.

Statistical Values

Table 3-54. Displaying Port Statistics

Parameter                   Description
Interface Statistics
Received Octets             The total number of octets received on the interface, including framing characters.
Received Unicast Packets    The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Received Multicast Packets  The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.

Table 3-54. Displaying Port Statistics

Parameter                   Description
Excessive Collisions        A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
Single Collision Frames     The number of successfully transmitted frames for which transmission is inhibited by exactly one collision.

Table 3-54. Displaying Port Statistics

Parameter                   Description
Fragments                   The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error.
64 Bytes Frames             The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).

Figure 3-55.

CLI – This example shows statistics for port 13.
Alcatel Mapping Adjacency Protocol (AMAP)

• Common – The port has detected an adjacent switch and periodically sends “Hello” packets to determine that it is still present.
• Passive – A port enters this state if there is no response to a Discovery “Hello” packet. This is a receive-only state and no “Hello” packets are transmitted. If a “Hello” packet is received from an adjacent switch, the port enters the Common state and then transmits a “Hello” packet in reply.

Web – Click Alcatel, AMAP, Information. Figure 3-57. AMAP Information

CLI – There is no equivalent CLI command to display detected devices.

Address Table Settings

Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-58. Setting a Static Address Table

CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.

Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-59. Setting a Dynamic Address Table

CLI – This example also displays the address table entries for port 1.

Web – Click Address Table, Address Aging. Specify the new aging time, then click Apply. Figure 3-60. Address Aging

CLI – This example sets the aging time to 400 seconds.

    Console(config)#mac-address-table aging-time 400     4-159
    Console(config)#

Spanning Tree Algorithm Configuration

The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology.

• Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.

• Root Hold Time – The interval (in seconds) during which no more than two bridge configuration protocol data units shall be transmitted by this node.
• Max hops – The max number of hop counts for the MST region.
• Remaining hops – The remaining number of hop counts for the MST instance.
• Transmission limit – The minimum interval between the transmission of consecutive RSTP/MSTP BPDUs.
• Path Cost Method – The path cost is used to determine the best path between devices.

Configuring Global Settings

Global settings apply to the entire switch.

Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.

• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.

Configuration Settings for RSTP

The following attributes apply to both RSTP and MSTP:
• Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
  - Long: Specifies 32-bit based values that range from 1-200,000,000. (This is the default.)
  - Short: Specifies 16-bit based values that range from 1-65535.

Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-63.

CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
• Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-114.
• Oper Edge Port – This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 3-114 (i.e.

• Internal path cost – The path cost for the MST. See the preceding item.
• Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops.

CLI – This example shows the STA attributes for port 5.

    Console#show spanning-tree ethernet 1/5
    Eth 1/ 5 information
    --------------------------------------------------------------
     Admin status       : enable
     Role               : disable
     State              : discarding
     External path cost : 10000
     Internal path cost : 10000
     Priority           : 128
     Designated cost    : 200000
     Designated port    : 128.5
     Designated root    : 61440.0.0000E9313131
     Designated bridge  : 61440.0.

• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
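The following is an added example, not code from the Alcatel guide, that applies the two tie-break rules stated in this section: the root bridge is the device with the highest priority (lowest value), falling back to the lowest MAC address when priorities are equal, and among ports with the same path cost the port with the highest priority (lowest value) becomes the active link. The Bridge and Port records and function names are my own; the last-resort tie-break on port number is an assumption, since the page only covers equal path cost plus priority.

```python
"""Root bridge election and active-port choice (added example, not the switch's code)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # lower numeric value = higher priority
    mac: str        # e.g. "00-00-E9-31-31-31"


def mac_value(mac: str) -> int:
    """MAC address in dash or colon form as an integer, for numeric comparison."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def bridge_key(b: Bridge) -> Tuple[int, int]:
    """Order bridges by priority value first, then by MAC address as a number."""
    return (b.priority, mac_value(b.mac))


def elect_root(bridges: List[Bridge]) -> Bridge:
    """Highest priority (lowest value) wins; equal priorities fall back to the lowest MAC."""
    if not bridges:
        raise ValueError("no bridges to elect from")
    return min(bridges, key=bridge_key)


@dataclass(frozen=True)
class Port:
    number: int
    path_cost: int   # configured path cost for the port
    priority: int    # port priority, lower value = higher priority (128 in the output above)


def select_active_port(ports: List[Port]) -> Port:
    """Lowest path cost wins; with equal path costs the lowest priority value wins;
    the port number is an assumed final tie-break not stated on this page."""
    if not ports:
        raise ValueError("no ports to choose from")
    return min(ports, key=lambda p: (p.path_cost, p.priority, p.number))


# Constructed sample topology (not from the guide).
SAMPLE_BRIDGES = [
    Bridge("A", 32768, "00-00-E9-31-31-31"),
    Bridge("B", 4096, "00-00-E9-AA-AA-AA"),
    Bridge("C", 4096, "00-00-E9-00-00-01"),
]
SAMPLE_PORTS = [
    Port(1, 20000, 128),
    Port(2, 20000, 64),
    Port(3, 200000, 0),
]
```

With the sample data, B and C share the best priority, so the lower MAC of C makes it root; ports 1 and 2 have equal path cost, so port 2's lower priority value makes it the active link even though port 3 carries a better priority value on a costlier path.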
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-66. STA Port Configuration

CLI – This example sets STA attributes for port 7.

To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.

Command Attributes
• MST Instance – Instance identifier of this spanning tree. (Default: 0)
• Priority – The priority of a spanning tree instance.

CLI – This displays STA settings for instance 1, followed by settings for each port.

    Console#show spanning-tree mst 2
    Spanning-tree information
    --------------------------------------------------------------
     Spanning tree mode           :MSTP
     Spanning tree enable/disable :enable
     Instance                     :2
     Vlans configuration          :2
     Priority                     :4096
     Bridge Hello Time (sec.)     :2
     Bridge Max Age (sec.)        :20
     Bridge Forward Delay (sec.)  :15
     Root Hello Time (sec.)       :2
     Root Max Age (sec.)          :20
     Root Forward Delay (sec.

Displaying Interface Settings for MSTP

The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.

Field Attributes
• MST Instance ID – Instance identifier to configure. (Range: 0-57; Default: 0)
The other attributes are described under “Displaying Interface Settings,” page 3-111.

Web – Click Spanning Tree, MSTP, Port Information or Trunk Information.

CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 3-104); the settings for other instances only apply to the local spanning tree.

Configuring Interface Settings for MSTP

You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.

Field Attributes
The following attributes are read-only and cannot be changed:
• STA State – Displays the current state of this port within the Spanning Tree. (See Displaying Interface Settings on page 3-111 for additional information.

Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-69. MSTP Port Configuration

CLI – This example sets the MSTP attributes for port 4.
3 VLAN Configuration VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.
3 Configuring the Switch Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs (VLAN Index)” on page 3-130). But you can still enable GVRP on these edge switches, as well as on the core switches in the network. Figure 3-71. Port-based VLAN
Web – Click VLAN, 802.1Q VLAN, GVRP Status. Enable or disable GVRP, and click Apply. Figure 3-72. GVRP Status CLI – This example enables GVRP for the switch. Console(config)#bridge-ext gvrp Console(config)# Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number* – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
CLI – Enter the following command.
Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list. Figure 3-74. VLAN Current Table Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational.
Creating VLANs Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups. Command Attributes • Current – Lists all the current VLAN groups created for this system. Up to 255 VLAN groups can be defined. VLAN 1 is the default untagged VLAN. • New – Allows you to specify the name and numeric identifier for a new VLAN group.
CLI – This example creates a new VLAN.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk: - Tagged: Interface is a member of the VLAN. All packets transmitted by the port will be tagged, that is, carry a tag and therefore carry VLAN or CoS information. - Untagged: Interface is a member of the VLAN. All packets transmitted by the port will be untagged, that is, not carry a tag and therefore not carry VLAN or CoS information.
Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. • Non-Member – VLANs for which the selected interface is not a tagged member. Web – Open VLAN, 802.1Q VLAN, Static Membership. Select an interface from the scroll-down box (Port or Trunk).
Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
• GARP Leave Timer* – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60) • GARP LeaveAll Timer* – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group.
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports. Web – Click VLAN, Private VLAN, Link Status. Mark the ports that will serve as uplinks and downlinks for the private VLAN, then click Apply.
Configuring Protocol Groups Create a protocol group for one or more protocols. Command Attributes • Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647) • Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other) • Protocol Type – The only option for the LLC_other frame type is IPX_raw. The options for all other frame types include: IP, ARP, RARP. Web – Click VLAN, Protocol VLAN, Configuration.
• When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: - If the frame is tagged, it will be processed according to the standard rules applied to tagged frames. - If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
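The three forwarding rules above, written out as an added example (not code from the Alcatel manual). The frame type and protocol type names are the ones the Protocol Group page lists; the VLAN IDs, port binding and the `Frame`/`PortConfig` classes are assumptions made for the illustration. The point worth seeing is that a tagged frame is never reclassified by protocol, and that an untagged frame of an unmatched protocol silently lands in the port's default VLAN:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Frame types and the protocol types each one accepts, as listed on the
# Protocol Group page: LLC_other only allows IPX_raw, the others IP/ARP/RARP.
VALID_PROTOCOLS = {
    "Ethernet": {"IP", "ARP", "RARP"},
    "RFC_1042": {"IP", "ARP", "RARP"},
    "LLC_other": {"IPX_raw"},
}


def valid_protocol_group(frame_type: str, protocol: str) -> bool:
    """True if this frame type / protocol type pair is one the page allows."""
    return protocol in VALID_PROTOCOLS.get(frame_type, set())


@dataclass
class Frame:
    tagged: bool                     # carries an IEEE 802.1Q tag
    frame_type: str                  # "Ethernet", "RFC_1042" or "LLC_other"
    protocol: str                    # "IP", "ARP", "RARP" or "IPX_raw"
    vlan_tag: Optional[int] = None   # VID taken from the tag when tagged


@dataclass
class PortConfig:
    """Assumed model of one interface: its PVID plus protocol-group -> VLAN bindings."""
    pvid: int
    protocol_vlans: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def bind(self, frame_type: str, protocol: str, vlan: int) -> None:
        if not valid_protocol_group(frame_type, protocol):
            raise ValueError(f"{protocol} is not a valid protocol type for {frame_type}")
        self.protocol_vlans[(frame_type, protocol)] = vlan


def classify(frame: Frame, port: PortConfig) -> int:
    """Return the VLAN the frame is forwarded into, following the page's three rules."""
    if frame.tagged:
        # Rule 1: tagged frames follow the standard tagged-frame rules (keep their VID).
        return frame.vlan_tag
    key = (frame.frame_type, frame.protocol)
    if key in port.protocol_vlans:
        # Rule 2: untagged and the protocol type matches -> protocol VLAN.
        return port.protocol_vlans[key]
    # Rule 3: untagged, no protocol match -> default VLAN of this interface.
    return port.pvid


if __name__ == "__main__":
    port = PortConfig(pvid=1)
    port.bind("Ethernet", "IP", 10)          # constructed: IP frames go to VLAN 10
    print(classify(Frame(False, "Ethernet", "IP"), port))    # 10
    print(classify(Frame(False, "Ethernet", "ARP"), port))   # 1 (PVID)
```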
Class of Service Configuration 3 Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-84. Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3.
Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table. Table 3-85.
Web – Click Priority, Traffic Classes. Mark an interface and click Select to display the current mapping of CoS values to output queues. Assign priorities to the traffic classes (i.e., output queues) for the selected interface, then click Apply. Figure 3-87. Traffic Classes CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
Web – Click Priority, Queue Scheduling. Select the interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply. Figure 3-89. Queue Scheduling CLI – The following example shows how to assign WRR weights to each of the priority queues.
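To make the difference between the two queue modes concrete, here is an added simulation (not code from the manual) of strict priority versus WRR service over the same backlog. The packet labels and weights are constructed; the switch's actual default weights are not on this page. It shows why strict mode can starve a lower queue indefinitely while a persistent high-priority flow exists, and how WRR weights translate into a guaranteed share of service time:

```python
from collections import deque
from typing import Dict, List


def strict_schedule(queues: Dict[int, List[str]], budget: int) -> List[str]:
    """Strict priority: drain the highest-numbered queue completely before any lower one.

    queues maps queue number (7 = highest priority) to the packets waiting in it;
    budget is how many packets the port may transmit. Returns the transmit order.
    """
    pending = {q: deque(pkts) for q, pkts in queues.items()}   # leave caller's lists intact
    order: List[str] = []
    for q in sorted(pending, reverse=True):
        while pending[q] and len(order) < budget:
            order.append(pending[q].popleft())
    return order


def wrr_schedule(queues: Dict[int, List[str]], weights: Dict[int, int], budget: int) -> List[str]:
    """Weighted round robin: every round, queue q may send up to weights[q] packets."""
    for q in queues:
        if weights.get(q, 0) < 1:
            raise ValueError(f"queue {q} needs a weight of at least 1 or it would never be served")
    pending = {q: deque(pkts) for q, pkts in queues.items()}
    order: List[str] = []
    while len(order) < budget and any(pending.values()):
        for q in sorted(pending, reverse=True):
            for _ in range(weights[q]):
                if pending[q] and len(order) < budget:
                    order.append(pending[q].popleft())
    return order


def service_share(weights: Dict[int, int]) -> Dict[int, float]:
    """Fraction of service time each queue is guaranteed when all queues are backlogged."""
    total = sum(weights.values())
    return {q: w / total for q, w in weights.items()}


if __name__ == "__main__":
    # Constructed backlog: three packets in queue 7 (highest) and three in queue 0.
    backlog = {7: ["h1", "h2", "h3"], 0: ["l1", "l2", "l3"]}
    print(strict_schedule(backlog, 100))            # all h* before any l*
    print(wrr_schedule(backlog, {7: 2, 0: 1}, 100)) # interleaved 2:1
    print(service_share({7: 2, 0: 1}))
```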
Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port. If priority bits are used, the ToS octet may contain three bits for IP Precedence or six bits for Differentiated Services Code Point (DSCP) service.
Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth). Bits 6 and 7 are used for network control, and the other bits for various application types.
CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Note: IP DSCP settings apply to all interfaces. Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply. Figure 3-94. Mapping IP DSCP Priority CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110. Command Attributes • IP Port Priority Status – Enables or disables the IP port priority. • Interface – Selects the port or trunk interface to which the settings apply.
CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port.
Console(config)#map ip port
Console(config)#interface ethernet 1/5
Console(config-if)#map ip port 80 cos 0
Console(config-if)#end
Console#show map ip port ethernet 1/5
TCP port mapping status: disabled
Port Port no.
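The three layer 3/4 mappings above (IP Precedence, DSCP and TCP port) all start from the same two header fields, so here is an added example (not code from the manual) that extracts the ToS octet from an IPv4 header, splits it into the three precedence bits and the six DSCP bits, and applies the three mappings the CLI examples configure: precedence 1 to CoS 0, DSCP 0 to CoS 1, and TCP port 80 to CoS 0. The `L34CosMapper` class, the constructed header bytes and the rule that an unmapped DSCP value falls back to its upper three bits (which occupy the same positions as the IP Precedence field) are assumptions of this example; the page does not state the switch's default DSCP table or which method wins when several are enabled at once, so each call selects one method explicitly:

```python
from typing import Dict, Optional


def tos_octet(ipv4_header: bytes) -> int:
    """The Type of Service octet is the second byte of an IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1]


def ip_precedence(tos: int) -> int:
    """Three precedence bits = the top three bits of the ToS octet (0-7)."""
    return (tos >> 5) & 0x07


def dscp(tos: int) -> int:
    """Six DSCP bits = the top six bits of the ToS octet (0-63)."""
    return (tos >> 2) & 0x3F


class L34CosMapper:
    """Assumed model of the per-port precedence / DSCP / IP-port -> CoS tables."""

    def __init__(self) -> None:
        # Page default: IP Precedence maps one-to-one to CoS.
        self.precedence_to_cos: Dict[int, int] = {p: p for p in range(8)}
        self.dscp_to_cos: Dict[int, int] = {}
        self.tcp_port_to_cos: Dict[int, int] = {}

    @staticmethod
    def _check(value: int, high: int, cos: int) -> None:
        if not 0 <= value <= high or not 0 <= cos <= 7:
            raise ValueError(f"value {value} (max {high}) or CoS {cos} out of range")

    def map_precedence(self, value: int, cos: int) -> None:
        self._check(value, 7, cos)
        self.precedence_to_cos[value] = cos

    def map_dscp(self, value: int, cos: int) -> None:
        self._check(value, 63, cos)
        self.dscp_to_cos[value] = cos

    def map_ip_port(self, port: int, cos: int) -> None:
        self._check(port, 65535, cos)
        self.tcp_port_to_cos[port] = cos

    def cos_for(self, tos: int, method: str, tcp_port: Optional[int] = None) -> Optional[int]:
        """CoS value for a packet under one enabled method; None if no port mapping applies."""
        if method == "precedence":
            return self.precedence_to_cos[ip_precedence(tos)]
        if method == "dscp":
            value = dscp(tos)
            # Assumption: unmapped DSCP values use their upper three bits (same bits as precedence).
            return self.dscp_to_cos.get(value, value >> 3)
        if method == "port":
            return None if tcp_port is None else self.tcp_port_to_cos.get(tcp_port)
        raise ValueError(f"unknown method {method!r}")


# Constructed 20-byte IPv4 header with ToS = 0x20 (precedence 1, DSCP 8); other fields zeroed.
SAMPLE_IPV4_HEADER = bytes([0x45, 0x20]) + bytes(18)

if __name__ == "__main__":
    m = L34CosMapper()
    m.map_precedence(1, 0)        # as in the IP Precedence CLI example
    m.map_dscp(0, 1)              # as in the DSCP CLI example
    m.map_ip_port(80, 0)          # as in the IP Port Priority CLI example
    tos = tos_octet(SAMPLE_IPV4_HEADER)
    print(ip_precedence(tos), dscp(tos), m.cos_for(tos, "precedence"))   # 1 8 0
```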
Web – Click Priority, ACL CoS Priority. Enable mapping for any port, select an ACL from the scroll-down list, then click Apply. Figure 3-96. ACL CoS Priority CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 24.
Command Attributes • Port – Port identifier. • Name (1) – Name of ACL. • Type – Type of ACL (IP or MAC). • Precedence – IP Precedence value. (Range: 0-7) • DSCP – Differentiated Services Code Point value. (Range: 0-63) • 802.1p Priority – Class of Service value in the IEEE 802.1p priority tag. (Range: 0-7; 7 is the highest priority) (1) For information on configuring ACLs, see page 3-61. Web – Click Priority, ACL Marker. Select a port and an ACL rule.
3 Quality of Service Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists.
Use the Policy Map page to specify a policy map. Then use the Class Map page to configure a policy map. And finally, use the set and police commands to specify the match criteria, where the: - set - classifies the service that an IP packet will receive. - police - defines the maximum throughput, burst rate, drop rate, and the action that results from a policy violation. Configuring a Class Map A class map is used for matching packets to a specified class.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-98. Configuring Class Maps CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Create a policy map, specify the name of the policy map, and then use the class parameters to configure policies for traffic that matches criteria defined in a class map. A policy map can contain multiple class statements that can be applied to the same interface with the Service Policy Settings Page.
Policy Table
• Policy Name – Name of policy map.
• Class Name – Name of class map.
• Action – Classification of IP traffic by CoS, DSCP, or IP Precedence.
• Meter – Defines the maximum throughput, burst rate, and the action that results from a policy violation.
- Rate (bps) – Rate in kilobits per second.
- Burst (byte) – Burst in bytes.
- Exceed Action – Specifies whether the traffic that exceeds the specified rate will be dropped or the DSCP service level will be reduced.
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-99.
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to drop any violating packets.
Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Multicast Filtering 3 Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-101. IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers. Figure 3-102. Multicast Router Port Information CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply. Figure 3-103. Static Multicast Router Port Configuration CLI – This example configures port 11 as a multicast router port within VLAN 1.
Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-104. IP Multicast Registration Table CLI – This example displays all the known multicast services supported on VLAN 1, along with the ports propagating the corresponding services.
Command Attributes • Interface – Activates the Port or Trunk scroll down list. • VLAN ID – Selects the VLAN to propagate all multicast traffic coming from the attached multicast router/switch. • Multicast IP – The IP address for a specific multicast service. • Port or Trunk – Specifies the interface attached to a multicast router/switch. Web – Click IGMP Snooping, IGMP Member Port Table.
Configuring Domain Name Service 3 Configuring General DNS Server Parameters Command Usage • To enable DNS service on this switch, first configure one or more name servers, and then enable domain lookup status. • To append domain names to incomplete host names received from a DNS client (i.e., not formatted with dotted notation), you can specify a default domain name or a list of domain names to be tried in sequential order. • If there is no domain list, the default domain name is used.
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 3-106. DNS Configuration CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used. Console(config)#ip domain-name sample.com Console(config)#ip domain-list sample.com.
Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network. • Servers or other network devices may support one or more connections via multiple IP addresses.
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-107. DNS Static Host Table CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#ip host rd6 10.1.0.55
Console#show host
Hostname rd5 Inet address 10.1.0.55 192.168.1.55 Alias 1.
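The two DNS behaviours described above (the domain list overriding the default domain name for unqualified host names, and static host entries sharing addresses so that one name becomes an alias of another) as an added example, not code from the manual. The `StaticHostTable` class is an assumption; its reading of "alias" as "another host name that shares an address", and the rule that a name containing a dot is treated as already complete, are taken from the surrounding text rather than stated by the switch itself:

```python
from typing import Dict, List


def candidate_names(host: str, default_domain: str, domain_list: List[str]) -> List[str]:
    """Fully qualified names the resolver would try for a host name, in order.

    Names in dotted notation are treated as complete. Otherwise the domain list is
    appended entry by entry; the default domain is used only when no list exists.
    """
    if "." in host:
        return [host]
    suffixes = domain_list if domain_list else ([default_domain] if default_domain else [])
    return [f"{host}.{suffix.rstrip('.')}" for suffix in suffixes]


class StaticHostTable:
    """Assumed model of the switch's static DNS host table (ip host name addr...)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, List[str]] = {}

    def add(self, name: str, *addresses: str) -> None:
        entry = self._hosts.setdefault(name, [])
        for addr in addresses:
            if addr not in entry:
                entry.append(addr)

    def addresses(self, name: str) -> List[str]:
        return list(self._hosts.get(name, []))

    def aliases(self, name: str) -> List[str]:
        """Other host names that share at least one address with `name`."""
        mine = set(self._hosts.get(name, []))
        return sorted(other for other, addrs in self._hosts.items()
                      if other != name and mine & set(addrs))

    def resolve(self, host: str, default_domain: str, domain_list: List[str]) -> List[str]:
        """Static lookup: try the bare name, then each candidate FQDN, first hit wins."""
        for name in [host] + candidate_names(host, default_domain, domain_list):
            if name in self._hosts:
                return self.addresses(name)
        return []


if __name__ == "__main__":
    table = StaticHostTable()
    table.add("rd5", "192.168.1.55", "10.1.0.55")   # from the CLI example above
    table.add("rd6", "10.1.0.55")
    print(table.aliases("rd5"))                                        # ['rd6']
    print(candidate_names("rd5", "sample.com", ["sample.com."]))       # ['rd5.sample.com']
```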
Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
CLI - This example displays all the resource records learned from the designated name servers.
Console#show dns cache
NO  FLAG  TYPE   IP              TTL    DOMAIN
0   4     CNAME  207.46.134.222  51     www.
1   4     CNAME  207.46.134.190  51
2   4     CNAME  207.46.134.155  51
3   4     CNAME  207.46.249.222  51
4   4     CNAME  207.46.249.27   51
5   4     ALIAS  POINTER TO:4    51
6   4     CNAME  207.46.68.27    71964
7   4     ALIAS  POINTER TO:6    71964
8   4     CNAME  65.54.131.192   605
9   4     ALIAS  POINTER TO:8    605
10  4     CNAME  165.193.72.190  87
Console#
Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
4 Command Line Interface To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example, Console(config)#interface vlan 1 Console(config-if)#ip address 10.1.0.254 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 10.1.0.
Entering Commands 4 Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privileged Exec mode, open a new console session with the user name and password “admin.
To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 4-2.
Table 4-3. Keystroke Commands
Keystroke   Function
Ctrl-F      Shifts cursor to the right one character.
Ctrl-K      Deletes all characters from the cursor to the end of the line.
Ctrl-L      Repeats current command line on a new line.
Ctrl-N      Enters the next command line in the history buffer.
Ctrl-P      Enters the last command.
Ctrl-R      Repeats current command line on a new line.
Ctrl-U      Deletes from the cursor to the beginning of the line.
Ctrl-W      Deletes the last word typed.
Command Groups 4 Command Groups The system commands can be broken down into the functional groups shown below. Table 4-4.
The access mode shown in the following tables is indicated by these abbreviations: NE (Normal Exec) PE (Privileged Exec) GC (Global Configuration) ACL (Access Control List Configuration) IC (Interface Configuration) LC (Line Configuration) VC (VLAN Database Configuration) MST (Multiple Spanning Tree) Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
Line Commands 4 Default Setting There is no default line. Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. - login local selects authentication via the user name and password specified by the username command (i.e., default setting).
Command Usage • When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e.
Example To set the timeout to two minutes, enter this command: Console(config-line)#timeout login response 120 Console(config-line)# exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds.
Command Mode Line Configuration Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down. • This command applies to both the local console and Telnet connections.
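The interaction between password-thresh and silent-time, modelled as an added example (not code from the manual): a counter of failed logons per line that, once the threshold is reached, terminates the connection and keeps the line silent for the configured interval. The threshold default of 3 comes from the show line output elsewhere in this chapter; the silent interval, the line names and the `LineLoginGuard` class are assumptions, and the clock is injectable so the behaviour can be checked without waiting:

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class LineState:
    failures: int = 0        # consecutive wrong passwords on this line
    silent_until: float = 0  # monotonic time until which the line stays silent


class LineLoginGuard:
    """Assumed model of password-thresh / silent-time for console and vty lines."""

    def __init__(self, password_thresh: int = 3, silent_time: float = 0.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if password_thresh < 1 or silent_time < 0:
            raise ValueError("threshold must be >= 1 and silent time >= 0")
        self.password_thresh = password_thresh
        self.silent_time = silent_time
        self.clock = clock
        self.lines: Dict[str, LineState] = {}

    def attempt(self, line: str, password_ok: bool) -> str:
        """Outcome of one logon attempt on `line`.

        "silent"     - the line is inside its silent interval; no prompt is offered
        "prompt"     - correct password, the command prompt is shown
        "retry"      - wrong password, below the threshold, prompt again
        "disconnect" - threshold reached: connection terminated, silent interval starts
        """
        state = self.lines.setdefault(line, LineState())
        now = self.clock()
        if now < state.silent_until:
            return "silent"
        if password_ok:
            state.failures = 0
            return "prompt"
        state.failures += 1
        if state.failures >= self.password_thresh:
            state.failures = 0
            state.silent_until = now + self.silent_time
            return "disconnect"
        return "retry"

    def is_silent(self, line: str) -> bool:
        state = self.lines.get(line)
        return state is not None and self.clock() < state.silent_until


if __name__ == "__main__":
    guard = LineLoginGuard(password_thresh=3, silent_time=60)
    for ok in (False, False, False):
        print(guard.attempt("vty0", ok))   # retry, retry, disconnect
    print(guard.attempt("vty0", True))     # silent (within 60 s of the disconnect)
```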
databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. • 8 - Eight data bits per character. Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.
Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect Use this command to terminate an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection.
General Commands 4 Command Mode Normal Exec, Privileged Exec Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: 8 Parity: none Stopbits: 1 Vty configuration: Password threshold: 3 times Interactive timeout: 65535 Console# General Commands Table 4-6.
Default Setting Level 15 Command Mode Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-26.) • The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. See “Understanding Command Modes” on page 4-5. Default Setting None Command Mode Privileged Exec Example Console#configure Console(config)# Related Commands end (4-22) show history This command shows the contents of the command history buffer.
modes. In this example, the !2 command repeats the second command in the Execution history buffer (config). Console#!2 Console#config Console(config)# reload This command restarts the system. Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
System Management Commands 4 Default Setting None Command Mode Any Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username: quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program.
Table 4-7.
hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration Example Console(config)#hostname RD#1 Console(config)# User Access Commands The basic commands required for management access are listed in this section.
• {0 | 7} - 0 means plain password, 7 means encrypted password. • password password - The authentication password for the user. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive) Default Setting • The default access level is Normal Exec. • The factory defaults for the user names and passwords are: Table 4-10.
Command Mode Global Configuration Command Usage • You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command (page 4-19). • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server.
Command Mode Global Configuration Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager. • IP addresses can be configured for SNMP, Web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
Example
Console#show management all-client
Management Ip Filter
Http-Client:
  Start ip address   End ip address
  ----------------------------------------------
  1. 192.168.1.19    192.168.1.19
  2. 192.168.1.25    192.168.1.30
Snmp-Client:
  Start ip address   End ip address
  ----------------------------------------------
  1. 192.168.1.19    192.168.1.19
  2. 192.168.1.25    192.168.1.30
Telnet-Client:
  Start ip address   End ip address
  ----------------------------------------------
  1. 192.168.1.19    192.168.1.
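A defender auditing these filters wants two things: a check that a given client address is inside the configured sets for a service, and a warning for services left unrestricted. Here is an added example (not code from the manual) that parses `show management all-client` output in the layout shown above into address ranges and answers both questions. The sample text is constructed from the rows above (with the truncated Telnet entry completed as a single-host range only for the sake of a parseable sample), and two behaviours are assumptions rather than statements on the page: a service with no entries is treated as open to any address, and the limit of five sets per service is enforced as a parser warning:

```python
import ipaddress
import re
from typing import Dict, List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed from the show output above; not captured from a real switch.
SAMPLE_SHOW_OUTPUT = """\
Management Ip Filter
Http-Client:
  Start ip address   End ip address
  ----------------------------------------------
  1. 192.168.1.19    192.168.1.19
  2. 192.168.1.25    192.168.1.30
Snmp-Client:
  Start ip address   End ip address
  ----------------------------------------------
  1. 192.168.1.19    192.168.1.19
  2. 192.168.1.25    192.168.1.30
Telnet-Client:
  Start ip address   End ip address
  ----------------------------------------------
  1. 192.168.1.19    192.168.1.19
"""

MAX_SETS_PER_SERVICE = 5   # "up to five different sets of addresses" per group
ROW_RE = re.compile(r"^\s*\d+\.\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_management_filters(text: str) -> Dict[str, List[IPRange]]:
    """Map service name ("http", "snmp", "telnet") to its list of (start, end) ranges."""
    filters: Dict[str, List[IPRange]] = {}
    service = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("-Client:"):
            service = stripped[: -len("-Client:")].lower()
            filters[service] = []
            continue
        match = ROW_RE.match(line)
        if match and service is not None:
            start = ipaddress.IPv4Address(match.group(1))
            end = ipaddress.IPv4Address(match.group(2))
            if end < start:
                raise ValueError(f"{service}: range end {end} precedes start {start}")
            filters[service].append((start, end))
    return filters


def is_allowed(filters: Dict[str, List[IPRange]], service: str, client_ip: str) -> bool:
    """True if client_ip may reach the service. Assumption: no entries means unrestricted."""
    ranges = filters.get(service, [])
    if not ranges:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(start <= ip <= end for start, end in ranges)


def audit(filters: Dict[str, List[IPRange]]) -> List[str]:
    """Findings a reviewer would flag: unrestricted services and over-long lists."""
    findings = []
    for service in ("http", "snmp", "telnet"):
        ranges = filters.get(service, [])
        if not ranges:
            findings.append(f"{service}: no management IP filter configured")
        if len(ranges) > MAX_SETS_PER_SERVICE:
            findings.append(f"{service}: {len(ranges)} sets exceeds the limit of {MAX_SETS_PER_SERVICE}")
    return findings


if __name__ == "__main__":
    f = parse_management_filters(SAMPLE_SHOW_OUTPUT)
    print(is_allowed(f, "http", "192.168.1.27"), is_allowed(f, "telnet", "192.168.1.27"))
    print(audit(f))
```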
Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-30) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
• When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection. - The client and server generate session keys for encrypting and decrypting data. • The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x and Netscape Navigator 4.
Command Usage
• You cannot configure the HTTP and HTTPS servers to use the same port.
• If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number

Example
Console(config)#ip http secure-port 1000
Console(config)#

Related Commands
ip http secure-server (4-30)

Secure Shell Commands
The Berkeley standard includes remote access tools originally designed for Unix systems.
Table 4-14.
00609025394840848271781943722884025331159521348610229029789827213532671
31629432532818915045306393916643 steve@192.168.1.19

4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
6.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#

Related Commands
ip ssh crypto host-key generate (4-37)
show ssh (4-39)

ip ssh timeout
Use this command to configure the timeout for the SSH server. Use the no form to restore the default setting.

Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation.
ip ssh authentication-retries
Use this command to configure the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.

Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset.
delete public-key
Use this command to delete the specified user's public key.

Syntax
delete public-key username [dsa | rsa]
• username – Name of an SSH user. (Range: 1-8 characters)
• dsa – DSA public key type.
• rsa – RSA public key type.

Default Setting
Deletes both the DSA and RSA key.

Command Mode
Privileged Exec

Example
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate
Use this command to generate the host key pair (i.e., public and private).
Related Commands
ip ssh crypto zeroize (4-38)
ip ssh save host-key (4-38)

ip ssh crypto zeroize
Use this command to clear the host key from memory (i.e., RAM).

Syntax
ip ssh crypto zeroize [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.

Default Setting
Clears both the DSA and RSA key.

Command Mode
Privileged Exec

Command Usage
• This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
Example
Console#ip ssh save host-key dsa
Console#

Related Commands
ip ssh crypto host-key generate (4-37)

show ip ssh
Use this command to display the connection settings used when authenticating client access to the SSH server.

Command Mode
Privileged Exec

Example
Console#show ip ssh
SSH Enabled - version 1.99
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#

show ssh
Use this command to display the current SSH server connections.
Table 4-15. Secure Shell Information
Field       Description
Encryption  The encryption method is automatically negotiated between the client and server.
            Options for SSHv1.5 include: DES, 3DES
            Options for SSHv2.
Example
Console#show public-key host
Host:
RSA:
1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868
5443583616519999233297817660658309586108259132128902337654680172627257141
3428762941301196195566782595664104869574278881462065194174677298486546861
5717739390164779355942303577413098022737087794545240839717526463580581767
16709574804776117
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4
Command Usage
The logging process controls error messages saved to switch memory. You can use the logging history command to control the type of error messages that are stored.

Example
Console(config)#logging on
Console(config)#

Related Commands
logging history (4-42)
clear logging (4-44)

logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Command Mode
Global Configuration

Command Usage
The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM.

Example
Console(config)#logging history ram 0
Console(config)#

logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.

Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Command Mode
Global Configuration

Command Usage
The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
Command Mode
Privileged Exec

Example
Console#clear logging
Console#

Related Commands
show logging (4-45)

show logging
This command displays the logging configuration, along with any system and event messages stored in memory.

Syntax
show logging {flash | ram | sendmail | trap}
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Table 4-18. System Logging Parameters
Field                     Description
Syslog logging            Shows if system logging has been enabled via the logging on command.
History logging in FLASH  The message level(s) reported based on the logging history command.
History logging in RAM    The message level(s) reported based on the logging history command.
Messages                  Any system and event messages stored in memory.

The following example displays settings for the trap function.
Table 4-20. SMTP Alert Commands
Command                Function                              Mode    Page
logging sendmail       Enables SMTP event handling           GC      4-49
show logging sendmail  Displays SMTP event handler settings  NE, PE  4-49

logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.

Syntax
[no] logging sendmail host ip_address
ip_address - IP address of an SMTP server that will be sent alert messages for event handling.
Command Mode
Global Configuration

Command Usage
The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)

Example
This example will send email alerts for system errors from level 3 through 0.
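The two threshold rules stated on the preceding pages, that the flash level for logging history must be a higher priority (numerically lower) than the RAM level and that a sendmail level of N reports every event from level N down to level 0, modelled in Python as an added example. It is not Alcatel code; the class and method names are constructed, the severity names are the RFC 3164 ones (not listed on this page), and the sample log records are constructed. One caveat in the model: the flash/RAM check is written as "flash must not be numerically higher than RAM" so that the manual's own example, logging history ram 0, remains accepted when flash is also at level 0.

```python
# Added example (not from the Alcatel manual): a model of the severity
# thresholds behind "logging history {flash | ram} level" and
# "logging sendmail level". Syslog severities run from 0 (most severe) to
# 7 (least severe); a threshold of N admits every message whose severity is
# numerically <= N, so level 7 admits 7..0 and level 3 admits 3..0.
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}


class LoggingConfig:
    def __init__(self):
        self.history = {"flash": None, "ram": None}   # None: no threshold configured
        self.sendmail_level = None                    # None: SMTP alerts not configured

    def set_history(self, store, level):
        """logging history {flash | ram} level, with the flash/RAM ordering check."""
        if store not in self.history:
            raise ValueError("store must be flash or ram")
        if level not in SEVERITY_NAMES:
            raise ValueError("level must be 0-7")
        flash = level if store == "flash" else self.history["flash"]
        ram = level if store == "ram" else self.history["ram"]
        # Flash must hold at least as high a priority as RAM. Modelled as <=
        # (assumption) so that "logging history ram 0" is valid with flash at 0.
        if flash is not None and ram is not None and flash > ram:
            raise ValueError("flash level %d must not be numerically higher than ram level %d"
                             % (flash, ram))
        self.history[store] = level

    def set_sendmail_level(self, level):
        """logging sendmail level: events at this severity or more severe are mailed."""
        if level not in SEVERITY_NAMES:
            raise ValueError("level must be 0-7")
        self.sendmail_level = level

    def destinations(self, severity):
        """List the stores and the SMTP handler that accept a message of this severity."""
        out = []
        for store in ("flash", "ram"):
            threshold = self.history[store]
            if threshold is not None and severity <= threshold:
                out.append(store)
        if self.sendmail_level is not None and severity <= self.sendmail_level:
            out.append("sendmail")
        return out

    def route(self, records):
        """Apply destinations() to (severity, text) records; returns routing triples."""
        return [(sev, text, self.destinations(sev)) for sev, text in records]


def demo():
    """Flash at 3, RAM at 7, e-mail alerts for level 3 through 0 (the manual's example)."""
    cfg = LoggingConfig()
    cfg.set_history("flash", 3)
    cfg.set_history("ram", 7)
    cfg.set_sendmail_level(3)
    constructed_records = [                      # constructed sample events
        (0, "system restart"),
        (3, "TFTP download failed"),
        (5, "port 1/5 link up"),
        (7, "SNTP poll sent"),
    ]
    return cfg.route(constructed_records)


if __name__ == "__main__":
    for sev, text, where in demo():
        print("%d %-13s %-22s -> %s" % (sev, SEVERITY_NAMES[sev], text, ", ".join(where) or "dropped"))
```

With the demo settings the level 0 and level 3 events reach flash, RAM and e-mail, while the level 5 and 7 events are kept only in RAM; the attempt to set RAM below flash is what the Command Usage text above forbids.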
Command Mode
Global Configuration

Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.

Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#

logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
Time Commands
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).

Table 4-21.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current time: Dec 23 02:52:44 2002
Poll interval: 60
Current mode: unicast
Console#

Related Commands
sntp server (4-51)
sntp poll (4-52)
show sntp (4-52)

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued.
sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.

Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests. (Range: 16-16384 seconds)

Default Setting
16 seconds

Command Mode
Global Configuration

Command Usage
This command is only applicable when the switch is set to SNTP client mode.
clock timezone
This command sets the time zone for the switch's internal clock.

Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
• name - Name of timezone, usually an acronym. (Range: 1-29 characters)
• hours - Number of hours before/after UTC. (Range: 1-12 hours)
• minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
• before-utc - Sets the local time zone before (east) of UTC.
Default Setting
None

Command Mode
Privileged Exec

Example
This example shows how to set the system clock to 15:12:34, February 1st, 2002.
Console#calendar set 15:12:34 1 February 2002
Console#

show calendar
This command displays the system clock.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Example
Console#show calendar
set 15:12:34 February 1 2002
Console#

System Status Commands
Table 4-22.
Command Usage
• Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes. Each mode group is separated by "!" symbols, and includes the configuration mode command, and corresponding commands.
Example
Console#show startup-config
building startup-config, please wait.....
!
sntp server 0.0.0.0 0.0.0.0 0.0.0.
show running-config
This command displays the configuration information currently in use.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes.
Example
Console#show running-config
building running-config, please wait.....
!
sntp server 0.0.0.0 0.0.0.0 0.0.0.
show system
This command displays system information.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
• For a description of the items shown by this command, refer to "Displaying System Information" on page 3-8.
• The POST results should all display "PASS." If any POST test indicates "FAIL," contact your distributor for assistance.

Example
Console#show system
System description: OmniStack*24 10/100/1000
System OID string: 1.3.6.1.4.1.6486.800.1.1.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
The session used to execute this command is indicated by a "*" symbol next to the Line (i.e., session) index number.
Example
Console#show version
Unit1
 Serial number          :A329025054
 Hardware version       :R01
 Number of ports        :24
 Main power status      :up
 Redundant power status :not present
Agent(Primary)
 Unit id                :1
 Loader version         :2.1.0.2
 Boot rom version       :2.0.2.11
 Operation code version :1.0.0.3
Console#

Frame Size Commands
Table 4-23. Frame Size Commands
Command      Function                          Mode  Page
jumbo frame  Enables support for jumbo frames  GC    4-61

jumbo frame
This command enables support for jumbo frames.
Example
Console(config)#jumbo frame
Console(config)#

Flash/File Commands
These commands are used to manage the system code or configuration files.

Table 4-24.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
• The system prompts for data required to complete the copy command.
• The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, ".
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

This example shows how to copy a secure-site certificate from a TFTP server.
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• "Factory_Default_Config.cfg" cannot be deleted.

Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete test2.cfg
Console#

Related Commands
dir (4-65)
delete public-key (4-64)

dir
This command displays a list of files in flash memory.
Example
The following example shows how to display all file information:
Console#dir
file name                        file type       startup  size (byte)
-------------------------------- --------------  -------  -----------
diag2.0.2.2                      Boot-Rom image  Y        813880
4524C_61                         Operation Code  Y        2184064
Factory_Default_Config.
Default Setting
None

Command Mode
Global Configuration

Command Usage
• A colon (:) is required after the specified file type.
• If the file contains an error, it cannot be set as the default file.

Example
Console(config)#boot system config: startup
Console(config)#

Related Commands
dir (4-65)
whichboot (4-66)

Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods.
authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.

Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
• local - Use local password.
• radius - Use RADIUS server password.
• tacacs - Use TACACS server password.

Default Setting
Local

Command Mode
Global Configuration

Command Usage
• RADIUS uses UDP while TACACS+ uses TCP.
authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-19). Use the no form to restore the default.

Syntax
authentication enable {[local] [radius] [tacacs]}
no authentication enable
• local - Use local password only.
• radius - Use RADIUS server password only.
• tacacs - Use TACACS server password.
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.

Table 4-28.
Command Mode
Global Configuration

Example
Console(config)#radius-server port 181
Console(config)#

radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.

Syntax
radius-server key key_string
no radius-server key
key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.

Syntax
radius-server timeout number_of_seconds
no radius-server timeout
number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.

Table 4-29.
Command Mode
Global Configuration

Example
Console(config)#tacacs-server port 181
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.

Syntax
tacacs-server key key_string
no tacacs-server key
key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
Port Security Commands
These commands can be used to disable the learning function or manually specify secure addresses for a port. You may want to leave port security off for an initial training period (i.e., enable the learning function) to register all the current VLAN members on the selected port, and then enable port security to ensure that the port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port.
• To use port security, first allow the switch to dynamically learn the pair for frames received on a port for an initial training period, and then enable port security to stop address learning. Be sure you enable the learning function long enough to ensure that all valid VLAN members have been registered on the selected port.
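The training-then-lock behaviour described above, modelled in Python as an added example. This is not Alcatel code: the class and method names, the port numbers and all MAC addresses except 00-e0-29-94-34-de (which appears later on this page) are constructed, and the rule that an address already registered on a secured port is not moved by later learning on another port is a modelling assumption the manual does not state.

```python
# Added example (not from the Alcatel manual): a model of port security.
# While learning is enabled on a port, the source MAC of each frame is
# registered against that port (the training period). Once port security is
# enabled on the port, learning stops there and a frame is dropped if its
# source MAC is unknown or was learned on a different port.
class PortSecurityTable:
    def __init__(self):
        self.learned = {}          # mac -> port, filled during the training period
        self.secure_ports = set()  # ports on which learning is off and filtering is on

    def enable_security(self, port):
        """Stop address learning on this port and start enforcing."""
        self.secure_ports.add(port)

    def add_secure_address(self, port, mac):
        """Manually specify a secure address for a port (the manual's other option)."""
        self.learned[mac.lower()] = port

    def receive(self, port, src_mac):
        """Return "forward" or "drop" for a frame arriving on port with src_mac."""
        mac = src_mac.lower()
        owner = self.learned.get(mac)
        if port in self.secure_ports:
            # Learning is off here: an unknown address, or one learned on
            # another port, is dropped; only this port's own addresses pass.
            return "forward" if owner == port else "drop"
        # Assumption: an address registered on a secured port is not moved by
        # traffic seen on an unsecured port; otherwise register (or move) it.
        if owner is None or owner not in self.secure_ports:
            self.learned[mac] = port
        return "forward"


def demo():
    """Training period on ports 1 and 2, then security enabled on port 1 only."""
    table = PortSecurityTable()
    decisions = []
    decisions.append(table.receive(1, "00-e0-29-94-34-de"))  # learned on port 1
    decisions.append(table.receive(2, "00-11-22-33-44-55"))  # learned on port 2 (constructed)
    table.enable_security(1)
    decisions.append(table.receive(1, "00-e0-29-94-34-de"))  # known on port 1: forward
    decisions.append(table.receive(1, "00-aa-bb-cc-dd-ee"))  # unknown: drop (constructed)
    decisions.append(table.receive(1, "00-11-22-33-44-55"))  # learned on port 2: drop
    decisions.append(table.receive(2, "00-aa-bb-cc-dd-ee"))  # port 2 still learning: forward
    return decisions


if __name__ == "__main__":
    print(demo())
```

The sixth decision shows why the manual recommends a long enough training period: port 2, where security has not been enabled, still learns the new address and forwards the frame, while the same address is dropped on the secured port 1.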
Table 4-31. 802.
dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

Syntax
dot1x operation-mode {single-host | multi-host [max-count count]}
no dot1x operation-mode [multi-host max-count]
• single-host – Allows only a single host to connect to this port.
dot1x re-authentication
This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication.

Syntax
[no] dot1x re-authentication

Command Mode
Global Configuration

Example
Console(config)#dot1x re-authentication
Console(config)#

dot1x timeout quiet-period
This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Command Mode
Global Configuration

Example
Console(config)#dot1x timeout re-authperiod 300
Console(config)#

dot1x timeout tx-period
This command sets the time that the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
Command Usage
This command displays the following information:
• Global 802.1X Parameters – Displays the global port access control parameters that can be configured for this switch as described in the preceding pages, including reauth-enabled (page 4-80), reauth-period (page 4-80), quiet-period (page 4-80), tx-period (page 4-81), and max-req (page 4-78).
Example
Console#show dot1x
Global 802.1X Parameters
 reauth-enabled: yes
 reauth-period: 300
 quiet-period: 350
 tx-period: 300
 supp-timeout: 30
 server-timeout: 30
 reauth-max: 2
 max-req: 2

802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        disabled  Single-Host     ForceAuthorized  n/a
.
.
1/23       disabled  Single-Host     ForceAuthorized  yes
1/24       disabled  Single-Host     ForceAuthorized  n/a

802.1X Port Details
802.
Access Control List Commands
• MAC ACL mode (MAC-ACL) filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).

The following restrictions apply to ACLs:
• This switch supports ACLs for both ingress and egress filtering. However, you can only bind one IP ACL and one MAC ACL to any port for ingress filtering, and one IP ACL and one MAC ACL to any port for egress filtering.
IP ACLs
Table 4-33.
Command Usage
• An egress ACL must contain all deny rules.
• When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
• To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
• An ACL can contain up to 32 rules.
Example
This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
Console(config-std-acl)#

Related Commands
access-list ip (4-85)

permit, deny (Extended ACL)
This command adds a rule to an Extended IP ACL.
Default Setting
None

Command Mode
Extended ACL

Command Usage
• All new rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore.
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to "SYN."
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any tcp control-code 2 2
Console(config-ext-acl)#

Related Commands
access-list ip (4-85)

show ip access-list
This command displays the rules for configured IP ACLs.

Syntax
show ip access-list {standard | extended} [acl_name]
• standard – Specifies a standard IP ACL.
• extended – Specifies an extended IP ACL.
Command Mode
Global Configuration

Command Usage
• A mask can only be used by all ingress ACLs or all egress ACLs.
• The precedence of the ACL rules applied to a packet is not determined by the order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied to a packet.
• You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
Default Setting
None

Command Mode
IP Mask

Command Usage
• Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
• First create the required ACLs and ingress or egress masks before mapping an ACL to an interface.
• If you enter dscp, you cannot enter tos or precedence.
This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others.
Console(config)#access-list ip standard A2
Console(config-std-acl)#permit any
Console(config-std-acl)#deny host 171.69.198.102
Console(config-std-acl)#end
Console#show access-list
IP standard access-list A2:
 deny host 171.69.198.
This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
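Two points from the preceding pages worked through in Python as an added example: how the address bitmask (1 bits match, 0 bits ignore) and the control-code value/mask pair of an IP ACL rule are evaluated, and how mask order rather than rule order decides which rule a packet hits, using the deny-SYN-then-permit scenario described just above. This is not Alcatel code; the function names, the dictionary layout of rules and packets, and the way a mask is represented (the set of fields it checks, which a rule must specify exactly to fall under that mask) are constructed assumptions. The TCP flag bit values are the RFC 793 ones, consistent with the manual's "control-code 2 2" meaning SYN.

```python
# Added example (not from the Alcatel manual): evaluation of IP ACL rules
# and of ingress mask precedence.
import ipaddress

TCP_FLAGS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}  # RFC 793 bits
FIELD_NAMES = ("src", "dst", "protocol", "code")


def addr_matches(packet_addr, rule_addr, bitmask):
    """Compare only the bits the bitmask sets to 1; 255.255.240.0 keeps the top 20 bits."""
    p = int(ipaddress.IPv4Address(packet_addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(bitmask))
    return (p & m) == (r & m)


def rule_matches(rule, pkt):
    """rule: dict with "action" plus any of src/src_mask, dst/dst_mask, protocol,
    code/code_mask (constructed layout). A field absent from the rule means "any"."""
    if "src" in rule and not addr_matches(pkt["src"], rule["src"], rule["src_mask"]):
        return False
    if "dst" in rule and not addr_matches(pkt["dst"], rule["dst"], rule["dst_mask"]):
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    # control-code VALUE MASK: the masked flag bits must equal VALUE
    if "code" in rule and (pkt.get("tcp_flags", 0) & rule["code_mask"]) != rule["code"]:
        return False
    return True


def rule_fields(rule):
    """The set of packet fields a rule specifies; a mask is modelled the same way."""
    return frozenset(f for f in FIELD_NAMES if f in rule)


def evaluate(rules, masks, pkt):
    """Walk the masks in order; the first mask that fits a rule, and the rule that
    then matches the packet, decide the action. Rule entry order only breaks ties
    among rules under the same mask. Returns None if nothing matched (the manual
    does not state what happens in that case)."""
    for mask in masks:
        for rule in rules:
            if rule_fields(rule) == mask and rule_matches(rule, pkt):
                return rule["action"]
    return None


def scenario():
    """The manual's example: deny TCP with SYN on, permit everything else, with
    the ingress mask ordered so that the deny rule is checked first. Returns the
    actions for a SYN packet and an ACK-only packet under both mask orders."""
    rules = [
        {"action": "deny", "protocol": "tcp", "code": TCP_FLAGS["syn"], "code_mask": TCP_FLAGS["syn"]},
        {"action": "permit"},                                  # "permit any"
    ]
    deny_first = [frozenset({"protocol", "code"}), frozenset()]
    permit_first = list(reversed(deny_first))
    syn = {"src": "10.1.1.1", "dst": "10.2.2.2", "protocol": "tcp", "tcp_flags": TCP_FLAGS["syn"]}  # constructed
    ack = dict(syn, tcp_flags=TCP_FLAGS["ack"])
    return {
        "deny_first": (evaluate(rules, deny_first, syn), evaluate(rules, deny_first, ack)),
        "permit_first": (evaluate(rules, permit_first, syn), evaluate(rules, permit_first, ack)),
    }


if __name__ == "__main__":
    print(scenario())
```

With the deny mask first the SYN packet is denied and the ACK-only packet permitted; with the masks reversed the "permit any" rule is reached first and the SYN packet is permitted too, which is the reason the manual insists that the mask order, not the order rules were entered, must be set deliberately before binding the ACL.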
Related Commands
mask (IP ACL) (4-90)

ip access-group
This command binds a port to an IP ACL. Use the no form to remove the port.

Syntax
[no] ip access-group acl_name {in | out}
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
• out – Indicates that this list applies to egress packets.

Default Setting
None

Command Mode
Interface Configuration (Ethernet)

Command Usage
• A port can only be bound to one ACL.
Related Commands
ip access-group (4-94)

map access-list ip
This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping.

Syntax
[no] map access-list ip acl_name cos cos-value
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• cos-value – CoS value.
show map access-list ip
This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.)

Syntax
show map access-list ip [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.
Command Usage
• You must configure an ACL mask before you can change frame priorities based on an ACL rule.
• Traffic priorities may be included in the IEEE 802.1p priority tag. This tag is also incorporated as part of the overall IEEE 802.1Q VLAN tag. To specify this priority, use the set priority keywords.
• The IP frame header also includes priority bits in the Type of Service (ToS) octet.
MAC ACLs
Table 4-35.
• To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
• An ACL can contain up to 32 rules.

Example
Console(config)#access-list mac jerry
Console(config-mac-acl)#

Related Commands
permit, deny (4-99)
mac access-group (4-104)
show mac access-list (4-100)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e.
• any – Any MAC source or destination address.
• host – A specific MAC address.
• source – Source MAC address.
• destination – Destination MAC address range with bitmask.
• address-bitmask* – Bitmask for MAC address (in hexadecimal format).
• vid – VLAN ID. (Range: 1-4095)
• vid-bitmask* – VLAN bitmask. (Range: 1-4095)
• protocol – A specific Ethernet protocol number. (Range: 600-fff hex.)
• protocol-bitmask* – Protocol bitmask. (Range: 600-fff hex.
Command Mode
Privileged Exec

Example
Console#show mac access-list
MAC access-list jerry:
 permit any 00-e0-29-94-34-de ethertype 0800
Console#

Related Commands
permit, deny (4-99)
mac access-group (4-104)

access-list mac mask-precedence
This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table.

Syntax
[no] access-list mac mask-precedence {in | out}
• in – Ingress mask for ingress ACLs.
mask (MAC ACL)
This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask.

Syntax
[no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask]]
• pktformat – Check the packet format field. (If this keyword must be used in the mask, the packet format must be specified in the ACL rule to match.)
• any – Any address will be matched.
Example
This example shows how to create an ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
show access-list mac mask-precedence
This command shows the ingress or egress rule masks for MAC ACLs.

Syntax
show access-list mac mask-precedence [in | out]
• in – Ingress mask precedence for ingress ACLs.
• out – Egress mask precedence for egress ACLs.
Related Commands
show mac access-list (4-100)

show mac access-group
This command shows the ports assigned to MAC ACLs.

Command Mode
Privileged Exec

Example
Console#show mac access-group
Interface ethernet 1/5
 MAC access-list M5 out
Console#

Related Commands
mac access-group (4-104)

map access-list mac
This command sets the output queue for packets matching an ACL rule.
Example
Console(config)#int eth 1/5
Console(config-if)#map access-list mac M5 cos 0
Console(config-if)#

Related Commands
queue cos-map (4-200)
show map access-list mac (4-106)

show map access-list mac
This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.)

Syntax
show map access-list mac [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.
Default Setting
None

Command Mode
Interface Configuration (Ethernet)

Command Usage
You must configure an ACL mask before you can change frame priorities based on an ACL rule.

Example
Console(config)#interface ethernet 1/12
Console(config-if)#match access-list mac a set priority 0
Console(config-if)#

Related Commands
show marking (4-97)

ACL Information
Table 4-37.
Example
Console#show access-list
IP standard access-list david:
 permit host 10.1.1.21
 permit 168.92.0.0 0.0.15.255
IP extended access-list bob:
 permit 10.7.1.1 0.0.0.255 any
 permit 192.168.1.0 0.0.0.255 any dport 80
 permit 192.168.1.0 0.0.0.
SNMP Commands
Table 4-38. SNMP Commands
Command                   Function                                                   Mode  Page
snmp-server location      Sets the system location string                            GC    4-110
snmp-server host          Specifies the recipient of an SNMP notification operation  GC    4-111
snmp-server enable traps  Enables the device to send SNMP traps (i.e.
Example
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.

Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
Example
Console(config)#snmp-server location WC-19
Console(config)#

Related Commands
snmp-server contact (4-110)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.

Syntax
snmp-server host host-addr community-string [version {1 | 2c}] [udp-port port]
no snmp-server host host-addr
- host-addr - Internet address of the host (the targeted recipient).
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#

Related Commands
snmp-server enable traps (4-112)

snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps (SNMP notifications). Use the no form to disable SNMP notifications.

Syntax
[no] snmp-server enable traps [authentication | link-up-down]
• authentication - Keyword to issue authentication failure traps.
show snmp
This command checks the status of SNMP communications.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.

Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1.
snmp-server
Use this command to enable the SNMP v3 engine. Use the no form to disable the engine.
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#
snmp-server engine-id
Use this command to configure an identification string for the SNMP v3 engine. Use the no form to restore the default.
Syntax
snmp-server engine-id local engineid-string
no snmp-server engine-id local
engineid-string - String identifying the engine ID.
Set the engine ID before creating SNMPv3 users. The user-based security model localizes each user's authentication and privacy keys to the agent's engine ID (RFC 3414), so keys derived under one engine ID are not valid under another.
show snmp engine-id
Use this command to show the SNMP engine ID.
Command Mode
Privileged Exec
Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Table 4-1. SNMP Engine ID (Field - Description)
Local SNMP engineID - String identifying the engine ID.
Local SNMP engineBoots - The number of times that the engine has (re-)initialized since the snmpEngineID was last configured.
Examples
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes the MIB-2 interfaces table, ifDescr. The wildcard is used to select all the index values in this table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.
snmp-server group
Use this command to add an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Syntax
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview]
no snmp-server group groupname
• groupname - Name of an SNMP group. (Range: 1-32 characters)
• v1 | v2c | v3 - Use SNMP version 1, 2c or 3. Only v3 with auth or priv authenticates the sender; v3 noauth, v1 and v2c accept any request that carries a valid user name or community string, so avoid attaching a write view to a group using those security models.
Example
Console#show snmp group
groupname: r&d
security model: v3
readview: v2defaultview
writeview: daily
notifyview: none
storage-type: permanent
row status: active

groupname: DefaultROGroup
security model: v1
readview: v2defaultview
writeview: none
notifyview: none
storage-type: permanent
row status: active

groupname: DefaultROGroup
security model: v2c
readview: v2defaultview
writeview: none
notifyview: none
storage-type: permanent
row status: active

groupname: DefaultRWGroup s
snmp-server user
Use this command to add a user to an SNMP group, restricting the user to the read and write views of that group. Use the no form to remove a user from an SNMP group.
Syntax
snmp-server user username groupname {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]}
no snmp-server user username
• username - Name of user connecting to the SNMP agent. (Range: 1-32 characters)
• groupname - Name of an SNMP group to which the user is assigned.
Prefer sha over md5 for authentication. des56 is the only privacy option offered here; it is weak by current standards, so treat SNMPv3 traffic to this switch as confidential only against casual observation and keep the management VLAN isolated.
Example
Console#show snmp user
EngineId: 01000000000000000000000000
User Name: steve
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
Console#
Table 4-4. SNMP User (Field - Description)
EngineId - String identifying the engine ID.
User Name - Name of user connecting to the SNMP agent.
Authentication Protocol - The authentication protocol used with SNMPv3.
Privacy Protocol - The privacy protocol used with SNMPv3.
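The engine-id, snmp-server group and snmp-server user commands above fit together through the USM key derivation of RFC 3414, which the manual does not spell out. The following Python is an added example, not code from the Alcatel manual: it reproduces what the agent does with an auth-password or priv-password (expand to 1 MiB, hash, then localize to the snmpEngineID), decodes the engine ID layout of RFC 3411, and shows why the same password yields different stored keys on two switches. The engine ID value is the one printed by show snmp engine-id on this page; the passwords are made up, and the RFC 3414 "maplesyrup" test vector is used only to check the implementation.

```python
"""SNMPv3 USM key handling (RFC 3414 A.2) and snmpEngineID layout (RFC 3411 5).

Added example for this section; not code from the Alcatel manual and it does
not talk to the switch. It mirrors what the agent does with the passwords
given to `snmp-server user ... v3 auth ... priv des56 ...`:

  Ku  = H(password cycled to exactly 1,048,576 bytes)   password-to-key
  Kul = H(Ku || snmpEngineID || Ku)                      key localization

A localized key (Kul) is only valid for the engine ID it was derived under,
so changing `snmp-server engine-id` invalidates every v3 user, and a Kul
captured from one agent cannot be replayed against another one.
"""
import hashlib

ONE_MIB = 1048576
HASH_FOR = {"md5": "md5", "sha": "sha1"}   # CLI keyword -> hashlib algorithm


def password_to_key(password: str, auth: str) -> bytes:
    """Ku per RFC 3414 A.2.1/A.2.2: hash the password repeated to 1 MiB."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("USM passwords must not be empty")
    h = hashlib.new(HASH_FOR[auth])
    reps, rem = divmod(ONE_MIB, len(pw))
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku); this is the value the agent stores."""
    return hashlib.new(HASH_FOR[auth], ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id_hex: str, auth: str) -> dict:
    """Localized key for one user on one agent, plus the DES material.

    For `priv des56`, RFC 3414 8.1.1.1 uses the first 8 bytes of the
    localized privacy key as the DES key and the next 8 as the pre-IV.
    """
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(password, auth)
    kul = localize_key(ku, engine_id, auth)
    return {"ku": ku.hex(), "kul": kul.hex(),
            "des_key": kul[:8].hex(), "des_pre_iv": kul[8:16].hex()}


def decode_engine_id(engine_id_hex: str) -> dict:
    """Split an snmpEngineID. With the top bit of byte 0 set (RFC 3411 layout),
    bytes 0-3 hold the enterprise number, byte 4 the format, the rest data."""
    raw = bytes.fromhex(engine_id_hex)
    if not 5 <= len(raw) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    if raw[0] & 0x80 == 0:   # old RFC 1910 style: enterprise + 8 fixed octets
        return {"layout": "rfc1910", "enterprise": int.from_bytes(raw[:4], "big"),
                "format": None, "data": raw[4:].hex()}
    return {"layout": "rfc3411",
            "enterprise": int.from_bytes(raw[:4], "big") & 0x7FFFFFFF,
            "format": raw[4], "data": raw[5:].hex()}


if __name__ == "__main__":
    # Default engine ID from the page's `show snmp engine-id` example.
    page_engine_id = "8000002a8000000000e8666672"
    print(decode_engine_id(page_engine_id))
    for auth in ("md5", "sha"):
        # Made-up password for a hypothetical user; same password, two engines.
        print(auth, usm_keys("correct-horse-battery", page_engine_id, auth)["kul"])
        print(auth, usm_keys("correct-horse-battery", "8000002a8000000000e8666673", auth)["kul"])
```

Running the block prints the decoded engine ID (enterprise 42, enterprise-specific format 128, data ending in the MAC-like octets e8:66:66:72) and two different localized keys for the same password, one per engine ID. The "encrypted" keyword in the snmp-server user syntax is where a pre-localized Kul, rather than a password, would be supplied.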
DHCP Commands
Command Mode
Interface Configuration (VLAN)
Command Usage
This command is used to include a client identifier in all communications with the DHCP server. The identifier type depends on the requirements of your DHCP server.
Example
Console(config)#interface vlan 2
Console(config-if)#ip dhcp client-identifier hex 00-00-e8-66-65-72
Console(config-if)#
Related Commands
ip dhcp restart client (4-121)
ip dhcp restart client
This command submits a BOOTP or DHCP client request.
DNS Commands
These commands are used to configure Domain Name System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Command Usage
Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
Example
This example maps two addresses to a host name.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#end
Console#show hosts
Hostname rd5
Inet address 10.1.0.55 192.168.1.
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#ip domain-name sample.com
Console(config)#end
Console#show dns
Domain Lookup Status: DNS disabled
Default Domain Name: .sample.com
Domain Name List:
Name Server List:
Console#
Related Commands
ip domain-list (4-124)
ip name-server (4-125)
ip domain-lookup (4-126)
ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e.
Example
This example adds two domain names to the current list and then displays the list.
Console(config)#ip domain-list sample.com.jp
Console(config)#ip domain-list sample.com.uk
Console(config)#end
Console#show dns
Domain Lookup Status: DNS disabled
Default Domain Name: .sample.com
Domain Name List: .sample.com.jp .sample.com.
Example
This example adds two name servers to the list and then displays the list. (The command is ip name-server, as referenced by the related-commands lists in this section.)
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status: DNS disabled
Default Domain Name: .sample.com
Domain Name List: .sample.com.jp .sample.com.uk
Name Server List: 192.168.1.55 10.1.0.
Example
This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status: DNS enabled
Default Domain Name: .sample.com
Domain Name List: .sample.com.jp .sample.com.uk
Name Server List: 192.168.1.55 10.1.0.55
Console#
Related Commands
ip domain-name (4-123)
ip name-server (4-125)
show hosts
This command displays the static host name-to-address mapping table.
Example
Console#show dns
Domain Lookup Status: DNS enabled
Default Domain Name: sample.com
Domain Name List: sample.com.jp sample.com.uk
Name Server List: 192.168.1.55 10.1.0.55
Console#
show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns cache
NO  FLAG  TYPE   IP            TTL  DOMAIN
0   4     CNAME  10.2.44.96
1   4     CNAME  10.2.44.3
2   4     CNAME  66.218.71.84
3   4     CNAME  66.218.71.83
4   4     CNAME  66.218.71.
5   4     CNAME
6   4     CNAME
7   4     CNAME
8   4     ALIAS
Example
Console#clear dns cache
Console#show dns cache
NO  FLAG  TYPE   IP            TTL  DOMAIN
Console#
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Table 4-42.
interface
This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk.
Syntax
interface interface
no interface port-channel channel-id
interface
• ethernet unit/port
 - unit - This is device 1.
 - port - Port number.
description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
The following example adds a description to port 24.
Command Usage
• To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
• When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface.
Example
The following example configures port 11 to use autonegotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
Related Commands
capabilities (4-133)
speed-duplex (4-131)
capabilities
This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
Example
The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
Related Commands
negotiation (4-132)
speed-duplex (4-131)
flowcontrol (4-134)
flowcontrol
This command enables flow control. Use the no form to disable flow control.
Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#
Related Commands
negotiation (4-132)
capabilities (flowcontrol, symmetric) (4-133)
combo-forced-mode
This command forces the port type selected for combination ports 21 - 24. Use the no form to restore the default mode.
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons, for example to shut down unused ports so that a device plugged into an unpatched outlet gets no link until an administrator re-enables the port.
Example
The following example disables port 5.
Example
The following shows how to configure broadcast storm control at 600 packets per second:
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast packet-rate 600
Console(config-if)#
clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
• ethernet unit/port
 - unit - This is device 1.
 - port - Port number.
show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
• ethernet unit/port
 - unit - This is device 1.
 - port - Port number.
• port-channel channel-id (Range: 1-6)
• vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
• ethernet unit/port
 - unit - This is device 1.
 - port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.
Syntax
show interfaces switchport [interface]
interface
• ethernet unit/port
 - unit - This is device 1.
 - port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
Shows all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Table 4-43. Interfaces Switchport Parameters (Field - Description)
Acceptable frame type - Shows if acceptable VLAN frames include all types or tagged frames only (page 4-183).
Native VLAN - Indicates the default Port VLAN ID (page 4-184).
Priority for untagged traffic - Indicates the default priority for untagged frames (page 4-197).
Gvrp status - Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-194).
Mirror Port Commands
Command Usage
• You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
• The destination port is set by specifying an Ethernet interface.
• The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port.
• The destination port receives a copy of every frame crossing the source port, credentials and all, so treat it as a sensitive port: remove the mirror configuration when the analysis is finished and never leave the destination port patched to an uncontrolled outlet.
Example
The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6
Console(config-if)#end
Console#show port monitor
Port Mirroring
------------------------------------
Destination port(listen port):Eth1/11
Source port(monitored port) :Eth1/6
Mode :RX/TX
Console#
AMAP Configuration
The AMAP protocol discovers adjacent switches by sending and receiving AMAP "Hello" packets on active Spanning Tree p
amap enable
This command enables AMAP on the switch. Use the amap disable command to disable the feature.
Syntax
amap {enable | disable}
• enable – Enables AMAP
• disable – Disables AMAP
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
Like any neighbor-discovery protocol, AMAP announces the switch to whatever is attached to its ports. If the adjacency information is not needed, disable it with amap disable so that untrusted hosts learn nothing about the switch from the Hello packets.
Example
Console(config)#amap enable
Console(config)#
amap run
This command performs the same function as the amap enable/disable command. Use the no form to disable AMAP on the switch.
Command Mode
Global Configuration
Example
Console(config)#amap discovery timer 3000
Console(config)#
amap common timer
This command sets the time (in seconds) that switch ports in the Common state wait before sending a "Hello" packet to an adjacent switch. If there is no reply packet from an adjacent switch after two timeout intervals, the switch entry for the port will be removed and the port will revert to the Discovery state.
Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP system priority.
• Ports must have the same port admin key (Ethernet Interface).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[no] lacp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
• A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
Example
The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
Command Usage
• Ports must be configured with the same system priority to join the same LAG.
• System priority is combined with the switch's MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• priority - LACP port priority is used to select a backup link.
Default Setting
Port Channel: all
Command Mode
Privileged Exec
Example
Console#show lacp 1 counters
Channel group : 1
------------------------------------------------------------------------
Eth 1/ 1
------------------------------------------------------------------------
LACPDUs Sent : 21
LACPDUs Received : 21
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
. . .
Table 4-48.
Table 4-49. LACPDUs (Field - Description)
Oper Key - Current operational value of the key for the aggregation port.
Admin Key - Current administrative value of the key for the aggregation port.
LACPDUs Interval - Number of seconds before invalidating received LACPDU information.
LACP System Priority - LACP system priority assigned to this port channel.
LACP Port Priority - LACP port priority assigned to this interface within the channel group.
Table 4-50. LACP Neighbours Information (Field - Description)
Partner Admin System ID - LAG partner's system ID assigned by the user.
Partner Oper System ID - LAG partner's system ID assigned by the LACP protocol.
Partner Admin Port Number - Current administrative value of the port number for the protocol partner.
Partner Oper Port Number - Operational port number assigned to this aggregation port by the port's protocol partner.
Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Table 4-52.
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics:
• Static addresses will not be removed from the address table when a given interface link is down.
• Static addresses are bound to the assigned interface and will not be moved. A frame carrying that source address on any other port therefore cannot relearn the entry there, which is why static entries are used to pin critical hosts such as the default gateway or servers against MAC spoofing from another port.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• The MAC Address Table contains the MAC addresses associated with each interface.
Example
Console(config)#mac-address-table aging-time 100
Console(config)#
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging time: 300 sec.
Spanning Tree Commands
Table 4-53.
Example
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#
spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.
Syntax
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
• stp - Spanning Tree Protocol (IEEE 802.1D)
• rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
• mstp - Multiple Spanning Tree (IEEE 802.
• Multiple Spanning Tree Protocol - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
 - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
 - Be careful when switching between spanning tree modes.
spanning-tree hello-time
This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree hello-time time
no spanning-tree hello-time
time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) - 1].
Command Usage
This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
• long - Specifies 32-bit based values that range from 1-200,000,000.
• short - Specifies 16-bit based values that range from 1-65535.
Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#
spanning-tree mst-configuration
Use this command to change to Multiple Spanning Tree (MST) configuration mode.
Default Setting
• No VLANs are mapped to any MST instance.
• The region name is set to the switch's MAC address.
Command Usage
• Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
• You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384.
Example
Console(config-mstp)#mst 1 priority 4096
Console(config-mstp)#
name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Syntax
name name
name - Name of the spanning tree.
Command Mode
MST Configuration
Command Usage
The MST region name (page 4-169) and revision number are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
Syntax
[no] spanning-tree spanning-disabled
Default Setting
Enabled (spanning tree runs on the interface; spanning-disabled is not set)
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example disables the spanning tree algorithm for port 5.
• Path cost takes precedence over port priority.
• When the spanning-tree pathcost method (page 4-166) is set to short, the maximum value for path cost is 65,535.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#
spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
• Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time. Fast forwarding can achieve quicker convergence for end-node workstations and servers, and also overcome other STA related timeout problems. (Remember that fast forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end-node device.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree link-type point-to-point
Console(config-if)#
spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance_id cost cost
no spanning-tree mst instance_id cost
• instance_id - Instance identifier of the spanning tree. (Range: 1-4094, no leading zeroes)
• cost - Path cost for an interface.
spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance_id port-priority priority
no spanning-tree mst instance_id port-priority
• instance_id - Instance identifier of the spanning tree. (Range: 1-4094, no leading zeroes)
• priority - Priority for an interface.
Command Mode
Privileged Exec
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
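The protocol-migration text above and the fast-forwarding (edge port) text earlier in this section both hinge on what arrives in a BPDU. The following Python is an added example, not code from the Alcatel manual: it decodes IEEE 802.1D Configuration, 802.1w RST and TCN BPDUs from the LLC header onward, and flags the two cases a practitioner wants to catch, a BPDU arriving on a port that is supposed to be an edge port (under 802.1w an edge port that receives a BPDU loses its edge status, so a bridge there can take part in the topology) and a BPDU advertising a lower, and therefore better, root bridge ID than the expected root, which is how a rogue bridge takes over the spanning tree. The bridge MACs and the BPDUs are constructed for the demo; the legitimate root reuses the MAC shown in this section's show spanning-tree mst configuration output.

```python
"""Decode STP/RSTP BPDUs and flag edge-port and root-takeover conditions.

Added example for this section; not code from the Alcatel manual. Offsets
follow IEEE 802.1D-1998 9.3.1 (Configuration BPDU) and 802.1w 9.3.3 (RST
BPDU); timers are carried in units of 1/256 second. All BPDUs below are
constructed inline for the demo.
"""
import struct

LLC_STP = b"\x42\x42\x03"                       # DSAP/SSAP 0x42, UI control
TYPE_CONFIG, TYPE_RST, TYPE_TCN = 0x00, 0x02, 0x80


def parse_bridge_id(raw: bytes) -> dict:
    """8-octet bridge ID: 4-bit priority, 12-bit system ID extension, 6-octet MAC."""
    field = struct.unpack("!H", raw[:2])[0]
    return {"priority": field & 0xF000, "ext": field & 0x0FFF,
            "mac": ":".join(f"{b:02x}" for b in raw[2:8])}


def bridge_id_key(raw: bytes) -> int:
    """Comparison value for the root election: the lowest bridge ID wins."""
    return int.from_bytes(raw, "big")


def parse_bpdu(pdu: bytes) -> dict:
    """Parse a BPDU starting at the LLC header (i.e. after the 802.3 length field)."""
    if pdu[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    proto, version, btype = struct.unpack("!HBB", pdu[3:7])
    if proto != 0:
        raise ValueError("unknown protocol identifier")
    if btype == TYPE_TCN:                       # TCN carries no further fields
        return {"type": "TCN", "version": version}
    if btype not in (TYPE_CONFIG, TYPE_RST) or len(pdu) < 38:
        raise ValueError("unsupported or truncated BPDU")
    flags = pdu[7]
    root_raw, bridge_raw = pdu[8:16], pdu[20:28]
    cost = struct.unpack("!I", pdu[16:20])[0]
    port_id = struct.unpack("!H", pdu[28:30])[0]
    msg_age, max_age, hello, fwd_delay = (v / 256 for v in struct.unpack("!4H", pdu[30:38]))
    return {
        "type": "RST" if btype == TYPE_RST else "Config", "version": version,
        "flags": {"tc": bool(flags & 0x01), "proposal": bool(flags & 0x02),
                  "learning": bool(flags & 0x10), "forwarding": bool(flags & 0x20),
                  "agreement": bool(flags & 0x40), "tca": bool(flags & 0x80)},
        "root": parse_bridge_id(root_raw), "root_key": bridge_id_key(root_raw),
        "root_path_cost": cost, "bridge": parse_bridge_id(bridge_raw),
        "port_id": port_id, "message_age": msg_age, "max_age": max_age,
        "hello_time": hello, "forward_delay": fwd_delay,
    }


def build_config_bpdu(root_prio, root_mac, cost, bridge_prio, bridge_mac, port_id,
                      flags=0, max_age=20, hello=2, fwd_delay=15, rst=False) -> bytes:
    """Build a Configuration BPDU, or an RST BPDU when rst=True."""
    def bid(prio, mac):
        return struct.pack("!H", prio) + bytes.fromhex(mac.replace(":", ""))
    head = LLC_STP + struct.pack("!HBB", 0, 2 if rst else 0, TYPE_RST if rst else TYPE_CONFIG)
    body = bytes([flags]) + bid(root_prio, root_mac) + struct.pack("!I", cost)
    body += bid(bridge_prio, bridge_mac) + struct.pack("!H", port_id)
    body += struct.pack("!4H", 0, max_age * 256, hello * 256, fwd_delay * 256)
    return head + body + (b"\x00" if rst else b"")   # RST adds the version-1 length octet


def inspect(pdu: bytes, port_is_edge: bool, expected_root_key: int) -> list:
    """Findings from one received BPDU, given what the port is supposed to be."""
    b = parse_bpdu(pdu)
    findings = []
    if port_is_edge:
        findings.append("BPDU received on an edge (fast-forwarding) port: a bridge is attached where only an end node should be")
    if b["type"] != "TCN" and b["root_key"] < expected_root_key:
        findings.append(f"BPDU claims a better root {b['root']['mac']} priority {b['root']['priority']}: possible root takeover")
    if b["type"] == "TCN" or b.get("flags", {}).get("tc", False):
        findings.append("topology change signalled: address table entries will be aged out early")
    return findings


# Constructed demo: our legitimate root, and a rogue bridge claiming priority 0
# on a port configured for fast forwarding (made-up rogue MAC).
OUR_ROOT = build_config_bpdu(32768, "00:30:f1:ab:77:7c", 0, 32768, "00:30:f1:ab:77:7c", 0x8001)
ROGUE = build_config_bpdu(0, "00:00:e8:66:65:72", 0, 0, "00:00:e8:66:65:72", 0x8001, rst=True)
EXPECTED_ROOT_KEY = parse_bpdu(OUR_ROOT)["root_key"]

if __name__ == "__main__":
    for name, pdu, edge in (("uplink", OUR_ROOT, False), ("Eth1/5 edge", ROGUE, True)):
        print(name, parse_bpdu(pdu)["type"], inspect(pdu, edge, EXPECTED_ROOT_KEY))
```

Fed a packet capture, the same inspect() call per BPDU gives a quick answer to "which end-node ports are seeing bridges" and "is anyone advertising a better root than ours"; the switch itself only tells you that it fell back to STP-compatible mode.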
• For a description of the items displayed under "Spanning-tree information," see "Configuring Global Settings" on page 3-107. For a description of the items displayed for specific interfaces, see "Displaying Interface Settings" on page 3-111.
Command Mode
Privileged Exec
Example
Console#show spanning-tree mst configuration
Mstp Configuration Information
--------------------------------------------------------------
Configuration name: 00 30 f1 ab 77 7c
Revision level: 0
Instance  Vlans
--------------------------------------------------------------
0         1-4094
Console#
VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
Command Mode
VLAN Database Configuration
Command Usage
• no vlan vlan-id deletes the VLAN.
• no vlan vlan-id name removes the VLAN name.
• no vlan vlan-id state returns the VLAN to the default state (i.e., active).
• You can configure up to 255 VLANs on the switch.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Default Setting
None
Command Mode
Global Configuration
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
Related Commands
shutdown (4-135)
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Related Commands
switchport acceptable-frame-types (4-183)
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
• all - The port accepts all frames, tagged or untagged.
• tagged - The port only receives tagged frames. Use this on inter-switch (trunk) ports: an untagged frame arriving on a trunk that accepts all frame types is silently classified into the port's native VLAN, which is the basis of native-VLAN hopping attacks.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Ingress filtering only affects tagged frames.
• If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
• If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
• Keep ingress filtering enabled on every port. With it disabled, a host can inject frames into any VLAN the port is not a member of simply by tagging them, which defeats the isolation the VLAN configuration is meant to provide.
Example
The following example shows how to set the PVID for port 1 to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport native vlan 3
Console(config-if)#
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
• add vlan-list - List of VLAN identifiers to add.
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
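The acceptable-frame-types, ingress-filtering, native vlan, allowed vlan and forbidden vlan commands above each state one ingress rule; what matters in practice is how they combine for a given frame. The following Python is an added example, not code from the Alcatel manual: it models those rules as written in this section and applies them to raw Ethernet frames against two port configurations, a trunk that accepts everything with ingress filtering off and one hardened with a dedicated native VLAN, tagged-only frames and ingress filtering on. The port configurations, MAC addresses and frames are constructed for the demo; the rule that a priority-tagged frame (VID 0) is treated as untagged comes from IEEE 802.1Q, not from the page.

```python
"""Model of the 802.1Q ingress rules documented in this section.

Added example; not code from the Alcatel manual and it does not touch a
switch. classify_ingress() applies, in order: acceptable-frame-types for
untagged frames (which are classified into the PVID / native VLAN), port
membership for tagged frames, ingress filtering for non-member VLANs, and
the forbidden list on the flood path, exactly as the Command Usage text
describes. All ports, MACs and frames below are made up for the demo.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100


@dataclass
class PortConfig:
    name: str
    pvid: int                        # switchport native vlan
    members: set                     # switchport allowed vlan add ...
    acceptable: str = "all"          # switchport acceptable-frame-types {all | tagged}
    ingress_filtering: bool = True   # switchport ingress-filtering
    forbidden: set = field(default_factory=set)   # switchport forbidden vlan


def parse_frame(frame: bytes):
    """Return (vid or None, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return (vid or None), inner, frame[18:]      # VID 0 = priority tag only (802.1Q)


def classify_ingress(port: PortConfig, frame: bytes):
    """Apply the section's rules; returns (action, vlan-or-reason)."""
    vid, _, _ = parse_frame(frame)
    if vid is None:                                  # untagged or priority-tagged
        if port.acceptable == "tagged":
            return "drop", "untagged frame on tagged-only port"
        return "forward", port.pvid                  # classified into the native VLAN
    if vid in port.members:
        return "forward", vid
    if port.ingress_filtering:
        return "drop", f"port is not a member of VLAN {vid}"
    if vid in port.forbidden:
        return "drop", f"VLAN {vid} is forbidden on this port"
    return "flood", vid                              # filtering off: frame leaks in


def build_frame(dst: str, src: str, vid=None, ethertype=0x0800, payload=b"") -> bytes:
    """Ethernet II frame with an optional single 802.1Q tag (PCP 0, DEI 0)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# A trunk that accepts everything versus one hardened as this section suggests.
WEAK_TRUNK = PortConfig("Eth1/24 weak", pvid=1, members={1, 2, 5, 6},
                        acceptable="all", ingress_filtering=False)
HARD_TRUNK = PortConfig("Eth1/24 hard", pvid=999, members={2, 5, 6},
                        acceptable="tagged", ingress_filtering=True, forbidden={1})

ATTACKER = "00:00:e8:66:65:72"     # made-up host MAC
GATEWAY = "00:30:f1:ab:77:7c"      # made-up gateway MAC


def demo() -> dict:
    """Classify three probe frames against both trunk configurations."""
    probes = {
        "untagged": build_frame(GATEWAY, ATTACKER),
        "tag-member-5": build_frame(GATEWAY, ATTACKER, vid=5),
        "tag-nonmember-10": build_frame(GATEWAY, ATTACKER, vid=10),
    }
    return {port.name: {k: classify_ingress(port, f) for k, f in probes.items()}
            for port in (WEAK_TRUNK, HARD_TRUNK)}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for probe, (action, detail) in results.items():
            print(f"  {probe:18} -> {action} ({detail})")
```

On the weak trunk the untagged probe lands in VLAN 1 and the VLAN 10 probe is flooded even though the port is not a member; on the hardened trunk both are dropped and only the VLAN 5 probe is forwarded. Those two drops are what switchport acceptable-frame-types tagged and ingress filtering buy you on inter-switch links.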
Displaying VLAN Information
Table 4-57. Displaying VLAN Information (Command - Function - Mode - Page)
show vlan - Shows VLAN information - NE, PE - 4-187
show interfaces status vlan - Displays status for the specified VLAN interface - NE, PE - 4-138
show interfaces switchport - Displays the administrative and operational status of an interface - NE, PE - 4-140
show vlan
This command shows VLAN information.
Syntax
show vlan [id vlan-id | name vlan-name]
• id - Keyword to be followed by the VLAN ID.
When a frame is received at a port, its VLAN membership can then be determined based on the protocol type in use by the inbound packets.
Table 4-58.
Example
The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types:
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp
Console(config)#
protocol-vlan protocol-group (Configuring Interfaces)
This command maps a protocol group to a VLAN for the current interface.
Example
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 2
Console(config-if)#
show protocol-vlan protocol-group
This command shows the frame and protocol type associated with protocol groups.
Syntax
show protocol-vlan protocol-group [group-id]
group-id - Group identifier for a protocol group.
Command Mode
Privileged Exec
Example
This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
 Port       ProtocolGroup ID   Vlan ID
 ---------- ------------------ ----------
 Eth 1/1    1                  vlan2
Console#

Configuring Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VLANs.
• Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private VLAN.
Example
This example enables the private VLAN, and then sets port 24 as the uplink and ports 1-8 as the downlinks.
Console(config)#pvlan
Console(config)#pvlan up-link ethernet 1/24 down-link ethernet 1/1-8
Console(config)#

show pvlan
This command displays the configured private VLAN.
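As an added example that is not part of the Alcatel manual, the following Python model encodes the isolation rule described above and checks flow records against the pvlan configuration shown. The rule that a downlink port may forward only to an uplink port, and the treatment of ports outside the private VLAN as ordinary ports, are assumptions of the model.

```python
"""Private VLAN forwarding model (added example, not from the manual).

Models the isolation the manual describes: downlink ports are isolated from
each other and reach the network only through the uplink port(s). It lets an
operator check a configuration such as
    pvlan up-link ethernet 1/24 down-link ethernet 1/1-8
and audit observed flows against it. Assumption: a downlink may forward only
to an uplink; ports that are neither uplink nor downlink forward normally.
"""
from dataclasses import dataclass, field


def expand_ports(spec: str) -> list[str]:
    """Expand CLI port syntax such as 'ethernet 1/1-8' into ['Eth 1/1', ..., 'Eth 1/8']."""
    _kind, unit_ports = spec.split()
    unit, ports = unit_ports.split("/")
    lo, _, hi = ports.partition("-")
    first, last = int(lo), int(hi or lo)
    return [f"Eth {unit}/{p}" for p in range(first, last + 1)]


@dataclass
class PrivateVlan:
    enabled: bool = False
    uplinks: set[str] = field(default_factory=set)
    downlinks: set[str] = field(default_factory=set)

    def pvlan(self) -> None:
        """Equivalent of entering 'pvlan' with no parameters: enable the private VLAN."""
        self.enabled = True

    def configure(self, up_link: str, down_link: str) -> None:
        """Equivalent of 'pvlan up-link <ports> down-link <ports>'."""
        self.uplinks.update(expand_ports(up_link))
        self.downlinks.update(expand_ports(down_link))

    def may_forward(self, ingress: str, egress: str) -> bool:
        """Decide whether a frame received on ingress may be sent out of egress."""
        if ingress == egress:
            return False                      # a switch never forwards back out the ingress port
        if not self.enabled:
            return True                       # plain VLAN switching, no isolation
        if ingress in self.downlinks:
            return egress in self.uplinks     # downlinks reach only the uplink(s)
        if egress in self.downlinks:
            return ingress in self.uplinks    # only the uplink(s) may reach a downlink
        return True                           # uplink <-> uplink and non-member ports


def isolation_violations(pv: PrivateVlan, flows: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return observed (ingress, egress) pairs that the configured isolation should have blocked.

    Useful for checking mirror-port captures or flow records against the intended policy.
    """
    return [f for f in flows if not pv.may_forward(*f)]


if __name__ == "__main__":
    pv = PrivateVlan()
    pv.pvlan()
    pv.configure("ethernet 1/24", "ethernet 1/1-8")
    # Constructed flow records: one legitimate, one that would breach isolation.
    print(isolation_violations(pv, [("Eth 1/1", "Eth 1/24"), ("Eth 1/1", "Eth 1/2")]))
```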
GVRP and Bridge Extension Commands

bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.
Syntax
[no] bridge-ext gvrp
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[no] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer_value
no garp timer {join | leave | leaveall}
• {join | leave | leaveall} - Which timer to set.
• timer_value - Value of timer.
show garp timer
This command shows the GARP timers for the selected interface.
Syntax
show garp timer [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
Shows all GARP timers.
Priority Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
• The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.
Command Usage
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight for each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch gives each queue before moving on to the next queue.
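The two service disciplines described above, as an added Python example that is not part of the manual; the WRR weights and queue contents are constructed values, and queue 7 is treated as the highest-priority queue as the manual states.

```python
"""Strict-priority versus weighted round-robin service of the eight CoS queues.

Added example, not from the manual. It replays both disciplines on constructed
queue contents so the effect on low-priority traffic (starvation under strict
mode, a guaranteed share under WRR) can be observed. Weights are constructed,
not the switch's defaults.
"""
from collections import deque


def make_queues(contents: dict[int, list[str]]) -> dict[int, deque]:
    """Build the eight hardware queues (0-7) from constructed packet labels."""
    return {q: deque(contents.get(q, [])) for q in range(8)}


def strict_schedule(queues: dict[int, deque], slots: int) -> list[str]:
    """Serve the highest-numbered non-empty queue every slot; lower queues wait."""
    served = []
    for _ in range(slots):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                served.append(queues[q].popleft())
                break
    return served


def wrr_schedule(queues: dict[int, deque], weights: dict[int, int], slots: int) -> list[str]:
    """Visit queues 0..7 in turn, serving up to 'weight' packets from each per round."""
    served = []
    while len(served) < slots and any(queues.values()):
        for q in sorted(queues):
            for _ in range(weights.get(q, 1)):
                if queues[q] and len(served) < slots:
                    served.append(queues[q].popleft())
    return served


def service_share(served: list[str], prefix: str) -> float:
    """Fraction of service slots a traffic class received (0.0 means it was starved)."""
    return sum(1 for p in served if p.startswith(prefix)) / len(served) if served else 0.0


if __name__ == "__main__":
    # Constructed load: six best-effort frames in queue 0, six control frames in queue 7.
    sample = {0: [f"be{i}" for i in range(6)], 7: [f"ctl{i}" for i in range(6)]}
    print("strict:", strict_schedule(make_queues(sample), 6))
    print("wrr   :", wrr_schedule(make_queues(sample), {0: 1, 7: 2}, 6))
```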
queue cos-map
This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 7). Use the no form to set the CoS map to the default values.
Syntax
queue cos-map queue_id [cos1 ... cosn]
no queue cos-map
• queue_id - The ID of the priority queue. Ranges are 0 to 7, where 7 is the highest priority queue.
• cos1 .. cosn - The CoS values that are mapped to the queue ID. It is a space-separated list of numbers.
Related Commands
show queue cos-map (4-202)

show queue mode
This command shows the current queue mode.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#sh queue mode
Queue mode: strict
Console#

show queue bandwidth
This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues.
show queue cos-map
This command shows the class of service priority map.
Syntax
show queue cos-map [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show queue cos-map ethernet 1/1
Information of Eth 1/1
 CoS Value     : 0 1 2 3 4 5 6 7
 Priority Queue: 2 0 1 3 4 5 6 7
Console#

Priority Commands (Layer 3 and 4)
Table 4-64.
map ip port (Global Configuration)
Use this command to enable IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping.
Syntax
[no] map ip port
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
Example
The following example shows how to map HTTP traffic to CoS value 0:
Console(config)#interface ethernet 1/5
Console(config-if)#map ip port 80 cos 0
Console(config-if)#

map ip precedence (Global Configuration)
This command enables IP precedence mapping (i.e., IP Type of Service). Use the no form to disable IP precedence mapping.
Default Setting
The list below shows the default priority mapping.
Table 4-65. Mapping IP Precedence
IP Precedence Value 0 -> CoS Value 0
IP Precedence Value 1 -> CoS Value 1
IP Precedence Value 2 -> CoS Value 2
IP Precedence Value 3 -> CoS Value 3
IP Precedence Value 4 -> CoS Value 4
IP Precedence Value 5 -> CoS Value 5
IP Precedence Value 6 -> CoS Value 6
IP Precedence Value 7 -> CoS Value 7
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
Example
The following example shows how to enable IP DSCP mapping globally:
Console(config)#map ip dscp
Console(config)#

map ip dscp (Interface Configuration)
This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table.
Syntax
map ip dscp dscp-value cos cos-value
no map ip dscp
• dscp-value - 8-bit DSCP value.
Example
The following example shows how to map IP DSCP value 1 to CoS value 0:
Console(config)#interface ethernet 1/5
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#

map access-list ip
This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping.
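The classification order this section describes (IP Port, then IP Precedence or IP DSCP, then the port's default priority, with tagged frames keeping their 802.1p priority) followed by the CoS-to-queue map from show queue cos-map, as an added Python model that is not from the manual. Treating IP Precedence and IP DSCP mapping as alternatives with precedence checked first when both are enabled, and the sample DSCP table, are assumptions.

```python
"""Ingress CoS classification and output-queue selection (added example).

Not from the manual. Applies the stated precedence order (IP Port, then IP
Precedence or IP DSCP, then the port's default priority; 802.1p priority is
kept for tagged frames) and then the default CoS-to-queue map shown by
'show queue cos-map'. Assumption: precedence and DSCP mapping are alternatives,
precedence being consulted first if both are enabled.
"""
from dataclasses import dataclass, field
from typing import Optional

# Default CoS -> hardware queue mapping shown by 'show queue cos-map' in the manual.
DEFAULT_COS_MAP = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}
# Default IP Precedence -> CoS mapping (Table 4-65): identity.
DEFAULT_PRECEDENCE_MAP = {p: p for p in range(8)}


@dataclass
class Frame:
    tagged: bool                    # carries an IEEE 802.1Q tag?
    pcp: Optional[int] = None       # 802.1p priority from the tag
    dscp: Optional[int] = None      # 6-bit DSCP; IP Precedence is its top 3 bits
    l4_port: Optional[int] = None   # TCP/UDP destination port


@dataclass
class PortQos:
    default_priority: int = 0                        # default switchport priority
    ip_port_enabled: bool = False                    # 'map ip port' (global)
    ip_port_map: dict[int, int] = field(default_factory=dict)   # 'map ip port <port> cos <cos>'
    precedence_enabled: bool = False                 # 'map ip precedence' (global)
    precedence_map: dict[int, int] = field(default_factory=lambda: dict(DEFAULT_PRECEDENCE_MAP))
    dscp_enabled: bool = False                       # 'map ip dscp' (global)
    dscp_map: dict[int, int] = field(default_factory=dict)      # 'map ip dscp <dscp> cos <cos>'
    cos_map: dict[int, int] = field(default_factory=lambda: dict(DEFAULT_COS_MAP))


def classify(frame: Frame, port: PortQos) -> int:
    """Return the CoS value assigned to an ingress frame under the stated precedence order."""
    if frame.tagged and frame.pcp is not None:
        return frame.pcp                              # tagged frames keep their 802.1p priority
    if port.ip_port_enabled and frame.l4_port in port.ip_port_map:
        return port.ip_port_map[frame.l4_port]        # IP Port mapping is consulted first
    if frame.dscp is not None:
        if port.precedence_enabled:
            return port.precedence_map[frame.dscp >> 3]   # IP Precedence = top 3 bits of DSCP
        if port.dscp_enabled and frame.dscp in port.dscp_map:
            return port.dscp_map[frame.dscp]
    return port.default_priority                      # untagged, unmapped traffic


def output_queue(frame: Frame, port: PortQos) -> int:
    """Map the classified CoS value to one of the eight hardware queues (7 = highest)."""
    return port.cos_map[classify(frame, port)]


if __name__ == "__main__":
    # Constructed port state: HTTP mapped to CoS 0 (as in the manual's example), precedence on.
    port = PortQos(default_priority=3, ip_port_enabled=True, ip_port_map={80: 0}, precedence_enabled=True)
    print(output_queue(Frame(tagged=False, dscp=8, l4_port=80), port))   # HTTP -> CoS 0 -> queue 2
    print(output_queue(Frame(tagged=False, dscp=40, l4_port=443), port)) # precedence 5 -> queue 5
```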
show map ip port
Use this command to show the IP port priority map.
Syntax
show map ip port [interface]
interface
• ethernet unit/port
  - unit - This is device 1.
  - port - Port number.
• port-channel channel-id (Range: 1-6)
Default Setting
None
Command Mode
Privileged Exec
Example
The following shows that HTTP traffic has been mapped to CoS value 0:
Console#show map ip port
TCP port mapping status: disabled
Port Port no.
Command Mode
Privileged Exec
Example
Console#show map ip precedence ethernet 1/5
 Precedence mapping status: disabled
 Port      Precedence COS
 --------- ---------- ---
 Eth 1/ 5           0   0
 Eth 1/ 5           1   1
 Eth 1/ 5           2   2
 Eth 1/ 5           3   3
 Eth 1/ 5           4   4
 Eth 1/ 5           5   5
 Eth 1/ 5           6   6
 Eth 1/ 5           7   7
Console#
Related Commands
map ip precedence (Global Configuration) (4-204)
map ip precedence (Interface Configuration) (4-204)

show map ip dscp
This command shows the IP DSCP priority map.
Example
Console#show map ip dscp ethernet 1/1
 DSCP mapping status: disabled
 Port      DSCP COS
 --------- ---- ---
 Eth 1/ 1     0   0
 Eth 1/ 1     1   0
 Eth 1/ 1     2   0
 Eth 1/ 1     3   0
 . . .
 Eth 1/ 1    61   0
 Eth 1/ 1    62   0
 Eth 1/ 1    63   0
Console#
Related Commands
map ip dscp (Global Configuration) (4-205)
map ip dscp (Interface Configuration) (4-206)

Quality of Service Commands
The commands described in this section are used to configure QoS classification criteria and service policies.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, a list of DSCP or IP Precedence values, or a list of VLANs.
• The class map is used with a policy map (page 4-213) to create a service policy (page 4-216) for a specific interface that defines packet classification, service tagging, and bandwidth policing.
• After entering the Class Map configuration mode, use the match command (page 4-212) to specify the required classification criteria.
Example
This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3:
Console(config)#class-map rd_class
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#

policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode.
class
This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode.
Syntax
[no] class class-map-name
class-map-name - Name of the class map. (Range: 1-32 characters)
Default Setting
None
Command Mode
Policy Map Configuration
Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode.
Default Setting
None
Command Mode
Policy Map Class Configuration
Example
This example sets the DSCP value to 3 for all traffic assigned to this policy class.
Console(config)#policy-map rd_policy
Console(config-pmap)#class rd_class
Console(config-pmap-c)#set ip dscp 3
Console(config-pmap-c)#

police
This command defines a policer for classified traffic. Use the no form to remove a policer.
Example
This example creates a policer that sets the maximum burst rate to 20 Kbytes, the average rate to 1522 bps, and the response to drop any violating packets.
Console(config)#policy-map rd_policy
Console(config-pmap)#class rd_class
Console(config-pmap-c)#set ip dscp 3
Console(config-pmap-c)#police 1000 1522 exceed-action drop
Console(config-pmap-c)#

service-policy
This command applies a policy map defined by the policy-map command to a particular interface.
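Added Python example, not from the manual, of the rd_policy class above: a token-bucket policer applied after the DSCP marking. The manual does not state the units of the police arguments, so kilobits per second for the rate and bytes for the burst, and marking before the policing check, are assumptions of this model.

```python
"""Single-rate token-bucket policer behind a policy-map class (added example).

Not from the manual. Models
    class rd_class / set ip dscp 3 / police <rate> <burst> exceed-action drop
on constructed packets. Assumptions: rate is in kbit/s, burst is the bucket
depth in bytes, and marking happens before the conformance check.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policer:
    rate_kbps: int                  # committed rate (assumed unit: kbit/s)
    burst_bytes: int                # token bucket depth (assumed unit: bytes)
    exceed_action: str = "drop"
    tokens: float = field(init=False)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def offer(self, now: float, size_bytes: int) -> str:
        """Refill the bucket for the elapsed time, then admit or apply the exceed action."""
        elapsed = max(0.0, now - self.last_seen)
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_kbps * 1000 / 8)
        self.last_seen = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "forward"
        return self.exceed_action


@dataclass
class Packet:
    ts: float       # arrival time in seconds
    size: int       # bytes
    dscp: int


@dataclass
class PolicyClass:
    """One 'class' block of a policy map: match criterion, optional marking, optional policer."""
    match_dscp: int
    set_dscp: Optional[int] = None
    policer: Optional[Policer] = None

    def apply(self, pkt: Packet) -> tuple[str, int]:
        """Return (action, dscp_after) for a packet; unmatched traffic passes untouched."""
        if pkt.dscp != self.match_dscp:
            return "forward", pkt.dscp
        marked = self.set_dscp if self.set_dscp is not None else pkt.dscp
        action = self.policer.offer(pkt.ts, pkt.size) if self.policer else "forward"
        return action, marked


def run_policy(policy: PolicyClass, packets: list[Packet]) -> list[tuple[str, int]]:
    """Apply the class to a packet sequence in arrival order."""
    return [policy.apply(p) for p in packets]


if __name__ == "__main__":
    rd_class = PolicyClass(match_dscp=3, set_dscp=3, policer=Policer(1000, 1522))
    # Constructed burst: two 1000-byte packets back to back exceed the 1522-byte bucket.
    print(run_policy(rd_class, [Packet(0.0, 1000, 3), Packet(0.0, 1000, 3), Packet(0.008, 1000, 3)]))
```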
Command Mode
Privileged Exec
Example
Console#show class-map
Class Map match-any rd_class
 Match ip dscp 3
Console#

show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
Syntax
show policy-map [policy-map-name [class class-map-name]]
• policy-map-name - Name of the policy map. (Range: 1-32 characters)
• class-map-name - Name of the class map.
Command Mode
Privileged Exec
Example
Console#show policy-map ethernet 1/1
Policy Map rd_policy
 class rd_class
  set ip dscp 3
Console#

Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
Default Setting
Enabled
Command Mode
Global Configuration
Example
The following example enables IGMP snooping.
Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
Syntax
ip igmp snooping version {1 | 2}
no ip igmp snooping version
• 1 - IGMP Version 1
• 2 - IGMP Version 2
Default Setting
IGMP Version 2
Command Mode
Global Configuration
Command Usage
• All systems on the subnet must support the same version.
Example
The following shows the current IGMP snooping configuration:
Console#show ip igmp snooping
 Service status: Enabled
 Querier status: Enabled
 Query count: 2
 Query interval: 125 sec
 Query max response time: 10 sec
 Router port expire time: 300 sec
 IGMP snooping version: Version 2
Console#

show mac-address-table multicast
This command shows known multicast addresses.
IGMP Query Commands (Layer 2)
Table 4-70.
Default Setting
2 times
Command Mode
Global Configuration
Command Usage
The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-max-response-time.
ip igmp snooping query-max-response-time
This command configures the query report delay. Use the no form to restore the default.
Syntax
ip igmp snooping query-max-response-time seconds
no ip igmp snooping query-max-response-time
seconds - The report delay advertised in IGMP queries. (Range: 5-30)
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
• The switch must be using IGMPv2 for this command to take effect.
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
The switch must use IGMPv2 for this command to take effect.
Example
The following shows how to configure the default timeout to 300 seconds:
Console(config)#ip igmp snooping router-port-expire-time 300
Console(config)#
Related Commands
ip igmp snooping version (4-220)

Static Multicast Routing Commands
Table 4-71.
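Added Python example, not from the manual, of how the query count, query-max-response-time and router-port-expire-time settings above drive membership ageing in IGMP snooping. Removing a port once the countdown expires is the modelled reading of "taking action", and the event sequence is constructed.

```python
"""IGMP snooping membership ageing driven by the three timers above (added example).

Not from the manual. A port stays in a group while Reports arrive; after
'query count' consecutive unanswered queries a countdown of
query-max-response-time starts, and the port is dropped when it expires.
A learned router port is aged out after router-port-expire-time without a
query. Times are in seconds.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SnoopingTimers:
    query_count: int = 2                  # 'ip igmp snooping query-count'
    query_max_response_time: int = 10     # 'ip igmp snooping query-max-response-time'
    router_port_expire_time: int = 300    # 'ip igmp snooping router-port-expire-time'


@dataclass
class MemberPort:
    unanswered_queries: int = 0
    expire_at: Optional[float] = None     # set once the countdown has started


class IgmpSnooper:
    def __init__(self, timers: SnoopingTimers) -> None:
        self.t = timers
        self.groups: dict[str, dict[str, MemberPort]] = {}   # group -> port -> state
        self.router_ports: dict[str, float] = {}             # port -> time of last query seen

    def report_received(self, group: str, port: str) -> None:
        """An IGMP Report on a port (re)confirms membership and cancels any countdown."""
        self.groups.setdefault(group, {})[port] = MemberPort()

    def query_seen_from_router(self, port: str, now: float) -> None:
        """A query arriving on a port marks (or refreshes) it as a router port."""
        self.router_ports[port] = now

    def query_sent(self, group: str, now: float) -> None:
        """A query for the group went out; count it against every member port."""
        for state in self.groups.get(group, {}).values():
            state.unanswered_queries += 1
            if state.unanswered_queries >= self.t.query_count and state.expire_at is None:
                state.expire_at = now + self.t.query_max_response_time

    def tick(self, now: float) -> None:
        """Age out members whose countdown expired and router ports not heard from in time."""
        for ports in self.groups.values():
            for port in [p for p, s in ports.items() if s.expire_at is not None and now >= s.expire_at]:
                del ports[port]
        for port in [p for p, seen in self.router_ports.items()
                     if now - seen >= self.t.router_port_expire_time]:
            del self.router_ports[port]

    def members(self, group: str) -> list[str]:
        return sorted(self.groups.get(group, {}))


if __name__ == "__main__":
    # Constructed sequence: two hosts join, only one keeps answering queries.
    s = IgmpSnooper(SnoopingTimers())
    s.report_received("224.1.1.1", "Eth 1/3")
    s.report_received("224.1.1.1", "Eth 1/5")
    s.query_sent("224.1.1.1", 125)
    s.report_received("224.1.1.1", "Eth 1/5")
    s.query_sent("224.1.1.1", 250)   # second unanswered query for Eth 1/3 -> countdown
    s.tick(260)
    print(s.members("224.1.1.1"))     # Eth 1/3 has aged out
```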
Command Usage
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
IP Interface Commands
There are no IP addresses assigned to this switch by default. You must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.
Basic IP Configuration
Table 4-72.
Command Usage
• You must assign an IP address to this device to gain management access over the network or to connect the switch to existing IP subnets. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the configuration program.
Example
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.254
Console(config)#
Related Commands
show ip redirects (4-230)

ip dhcp restart
Use this command to submit a BOOTP or DHCP client request.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
Command Mode
Privileged Exec
Example
Console#show ip interface
 IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
 and address mode: User specified.
Console#
Related Commands
show ip redirects (4-230)

show ip redirects
This command shows the default gateway configured for this device.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip redirects
ip default gateway 10.1.0.
Command Usage
• Use the ping command to see if another site on the network can be reached.
• Following are some results of the ping command:
  - Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
  - Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds.
  - Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
Appendix A: Software Specifications

Software Features
Authentication: Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security
Access Control Lists: IP, MAC (up to 32 lists)
AMAP: Alcatel Mapping Adjacency Protocol
SNMPv3: Management access via MIB database; Trap management to specified hosts
DHCP Client
DNS Server
Port Configuration: 1000BASE-T: 10/100/1000 Mbps, half/full duplex; 1000BASE-SX/LX: 1000 Mbps, full duplex
Flow Control: Full Duplex: IEEE 802.
VLAN Support: Up to 255 groups; port-based, protocol-based, or tagged (802.
Management Information Bases
IEEE 802.1D Spanning Tree Protocol and traffic priorities
IEEE 802.1p Priority tags
IEEE 802.1s Multiple Spanning Tree Protocol
IEEE 802.1w Rapid Spanning Tree Protocol
IEEE 802.1x Port Authentication
ARP (RFC 826)
DHCP (RFC 1541)
HTTPS
ICMP (RFC 792)
IGMP (RFC 1112)
IGMPv2 (RFC 2236)
RADIUS+ (RFC 2618)
RMON (RFC 1757 groups 1,2,3,9)
SNTP (RFC 2030)
SNMP (RFC 1157)
SNMPv2 (RFC 1907)
SSH (Version 2.
SNMP Target MIB, SNMP Notification MIB (RFC 2573)
SNMP User-Based SM MIB (RFC 2574)
SNMP View Based ACM MIB (RFC 2575)
SNMP Community MIB (RFC 2576)
Appendix B: Troubleshooting

Table B-1. Troubleshooting Chart
Symptom: Cannot connect using Telnet, Web browser, or SNMP software
Action:
• Be sure you have configured the agent with a valid IP address, subnet mask and default gateway.
• If you are trying to connect to the agent via the IP address for a tagged VLAN group, your management station must include the appropriate tag in its transmitted frames.
Glossary

Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
GARP VLAN Registration Protocol (GVRP)
Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
IEEE 802.3x
Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links.

IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.

IGMP Query
On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
Management Information Base (MIB)
An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.

MD5
An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
Remote Monitoring (RMON)
RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.

Rapid Spanning Tree Protocol (RSTP)
RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.

Secure Shell (SSH)
A secure replacement for remote access functions, including Telnet.
Trivial File Transfer Protocol (TFTP)
A TCP/IP protocol commonly used for software downloads.

User Datagram Protocol (UDP)
UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
Index

Numerics
802.
H
hardware version, displaying 3-10, 4-60
HTTPS 3-45, 4-30
HTTPS, secure server 3-45, 4-30

I
IEEE 802.

M
main menu 3-3
Management Information Bases (MIBs) A-3
mirror port, configuring 3-91, 4-141
MSTP 4-162
  global settings 3-116, 4-160
  interface settings 4-161
multicast filtering 3-160, 4-218
multicast groups 3-164, 4-221
  displaying 4-221
  static 3-164, 4-219, 4-221
multicast services
  configuring 3-165, 4-219
  displaying 3-164, 4-221
multicast, static router port 3-163, 4-225
problems, troubleshooting B-1
protocol migration 3-115, 4-176

Q
queue weights 3-143, 4-199

R
RADIUS, logon authentication 3-42, 4-70
rate limits, setting 3-92, 4-146
remote logging 4-44
restarting the system 3-29, 4-22
RSTP 3-103, 4-162
  global configuration 3-104, 4-162

S
secure shell 3-47, 4-32
Secure Shell configuration 3-47, 4-35, 4-36
serial port
  configuring 4-10
Simple Network Management Protocol See SNMP
SNMP 3-31
  community string 3-33, 4-109
  enabling traps 3-34, 4-112
  filtering IP addresses
  interface configuration 3-133, 4-183–4-186
  private 3-135, 4-191
  protocol 3-136, 4-187

V
VLANs 3-122–3-136, 4-179–4-192
  adding static members 3-130, 3-132, 4-185
  creating 3-129, 4-180
  description 3-122
  displaying basic information 3-126, 4-193
  displaying port members 3-127, 4-187
  egress mode 3-134, 4-182

W
Web interface
  access requirements 3-1
  configuration buttons 3-2
  home page 3-2
  menu list 3-3
  panel display 3-3
F1.0.0.