IntraCore 40240/40480-10G Layer 3 Gigabit Stackable Ethernet Switch User’s Manual
IC40240-10G/IC40480-10G (P/N 99-00837/99-00836) User’s Manual
Asante Networks, 47709 Fremont Blvd., Fremont, CA 94538 USA
SALES 408-435-8388
TECHNICAL SUPPORT 408-435-8388: Worldwide, www.asante.com/support, support@asante.com
Copyright © 2009 Asante. All rights reserved. No part of this document, or any associated artwork, product design, or design concept may be copied or reproduced in whole or in part by any means without the express written consent of Asante.
Management Guide
IntraCore 40240-10G Gigabit Ethernet Switch
• Stackable Layer 3 Switch
• 20 10/100/1000BASE-T (RJ-45) Ports
• 4 Gigabit Combination Ports (RJ-45/SFP)
• 2 10-Gigabit Extender Module Slots
• 2 Stacking Ports
IntraCore 40480-10G Gigabit Ethernet Switch
• Stackable Layer 3 Switch
• 44 10/100/1000BASE-T (RJ-45) Ports
• 4 Gigabit Combination Ports (RJ-45/SFP)
• 2 10-Gigabit Extender Module Slots
• 2 Stacking Ports
IC40240-10G (99-00837) IC40480-10G (99-00836)
About This Manual
Purpose
This guide gives specific information on how to operate and use the management functions of the switch.
Audience
The guide is intended for network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
Getting Started
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1-1 Key Features (Continued)
Feature | Description
Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs | Up to 256 using IEEE 802.
Traffic Prioritization |
Quality of Service |
Description of Software Features
Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic, or to implement security controls by restricting access to specific network resources or protocols.
DHCP Server and DHCP Relay – A DHCP server is provided to assign IP addresses to host devices.
IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.
Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port.
• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.
remote network, the switch checks to see if it has the best route. If it does, it sends its own MAC address to the host. The host then sends traffic for the remote destination via the switch, which uses its own routing table to reach the destination on the other network.
Quality of Service – Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis.
System Defaults
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg”. To reset the switch to its defaults, set this file as the startup configuration file (page 4-24). The following table lists some of the basic system defaults.
Table 1-2 System Defaults (Continued)
Function | Parameter | Default
SNMP | SNMP Agent | Enabled
SNMP | Community Strings | “public” (read only), “private” (read/write)
SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled
SNMP | SNMP V3 | View: defaultview; Group: public (read only), private (read/write)
Port Configuration | Admin Status | Enabled
Port Configuration | Auto-negotiation | Enabled
Port Configuration | Flow Control | Disabled
Rate Limiting | Input and output limits | Disabled
Port Trunking | Static Trunks | None
Port Trunking | LACP (all por
Traffic Prioritization | Ingress Port Priority | 0
Traffic Prioritization | Queue Mode | WRR
Traffic Prioritization | Weighted Round Robin | Queue: 0 1 2 3 4 5 6 7; Weight: 1 2 4 6 8 10 12 14
Traffic Prioritization | IP Precedence Priority | Disabled
Traffic Prioritization | IP DSCP Priority | Disabled
Traffic Prioritization | IP Port Priority | Disabled
IP Settings (Unicast Routing) | Management VLAN | Any VLAN configured with an IP address
IP Settings (Unicast Routing) | IP Address | 0.0.0.0
IP Settings (Unicast Routing) | Subnet Mask | 255.0.0.0
IP Settings (Unicast Routing) | Default Gateway | 0.0.0.
Chapter 2: Initial Configuration
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: An IPv4 address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-7.
• Configure Spanning Tree parameters
• Configure Class of Service (CoS) priority queuing
• Configure up to 6 static or LACP trunks per switch, up to 32 per stack
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics
• Configure any stack unit through the same IP address
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP. An IPv4 address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-7.
Notes: 1.
- If the Master/Slave push button is depressed on more than one unit, the system selects as the stack Master the unit with the lowest MAC address among those with the push button depressed.
- If the Master/Slave push button is not depressed on any unit, the system selects the unit with the lowest MAC address as the stack Master.
• When the stack is initially powered on, the Master unit is designated as unit 1 for a ring topology.
two. The Stack Link LED on the unit that is no longer receiving traffic from the next unit up or down in the stack will begin flashing to indicate that the stack link is broken. When the stack fails, a Master unit is selected from the two stack segments: either the unit with the Master button depressed, or the unit with the lowest MAC address if the Master button is not depressed on any unit. The stack reboots and resumes operations.
will operate in Special Stacking Mode, in which all backup units are disabled as described below:
• The master unit starts normal operation in standalone mode.
• The master unit can see all units in the stack and maintains the stack topology.
• None of the other units can function (all of their ports are disabled).
• All user-initiated commands to configure the non-functioning units are dropped.
4. The session is opened and the CLI displays the “Console#” prompt, indicating that you have access at the Privileged Exec level.
Setting Passwords
Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them, and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
Manual Configuration
You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations on another network segment (if routing is not enabled on this switch). Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
Note: An IPv4 address for this switch is obtained via DHCP by default.
the undefined fields. For detailed information on the other ways to assign IPv6 addresses, see “Setting the Switch’s IP Address (IP Version 6)” on page 4-9.
Link Local Address — All link-local addresses must be configured with a prefix of FE80. Remember that this address type makes the switch accessible over IPv6 only to devices attached to the same local subnet.
To generate an IPv6 global unicast address for the switch using a general network prefix, complete the following steps:
1. From the Global Configuration mode prompt, type “ipv6 general-prefix prefix-name ipv6-prefix/prefix-length,” where “prefix-name” is a label identifying the network segment, “ipv6-prefix” specifies the high-order bits of the network address, and “prefix-length” indicates the number of bits used in the network prefix. Press Enter.
2.
Dynamic Configuration
Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are sent periodically in an effort to obtain IP configuration information. BOOTP and DHCP values can include the IP address, subnet mask, and default gateway.
Obtaining an IPv6 Address
Link Local Address — There are several ways to dynamically configure IPv6 addresses. The simplest method is to automatically generate a “link local” address (identified by an address prefix of FE80). This address type makes the switch accessible over IPv6 to all devices attached to the same local subnet. To generate an IPv6 link local address for the switch, complete the following steps:
1.
2. From the interface prompt, type “ipv6 address autoconfig” and press Enter.
   Console(config)#interface vlan 1
   Console(config-if)#ipv6 address autoconfig
   Console(config-if)#end
   Console#show ipv6 interface
   Vlan 1 is up
   IPv6 is enable.
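Both the link-local address produced by “ipv6 address autoconfig” and a global unicast address built from a general prefix combine a network prefix with a 64-bit interface identifier. The Python below is an added example, not code from the manual or from Asante; it assumes the standard modified EUI-64 derivation (RFC 4291) for the interface identifier, and the MAC address, general prefix and subnet bits are constructed samples.

```python
import ipaddress

# Constructed sample values (not taken from the manual).
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_GENERAL_PREFIX = "2001:db8:2222::/48"   # the "ipv6-prefix/prefix-length" of step 1
SAMPLE_SUBNET_BITS = "0:0:0:1::"               # bits between the /48 and the /64 boundary


def modified_eui64(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) as a 64-bit integer.

    The 48-bit MAC is split in half, FF:FE is inserted in the middle, and the
    universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 combined with the interface identifier, as stateless autoconfig does."""
    return ipaddress.IPv6Address((0xFE80 << 112) | modified_eui64(mac))


def subnet_bits_fit(general_prefix: str, subnet_bits: str) -> bool:
    """True if subnet_bits occupy only the span between the general prefix and the /64 boundary.

    Bits inside the general prefix would silently alter the prefix; bits in the low
    64 positions would collide with the interface identifier.
    """
    net = ipaddress.IPv6Network(general_prefix, strict=True)
    if net.prefixlen > 64:
        return False
    allowed = ((1 << (64 - net.prefixlen)) - 1) << 64
    return (int(ipaddress.IPv6Address(subnet_bits)) & ~allowed) == 0


def global_address(general_prefix: str, subnet_bits: str, mac: str) -> ipaddress.IPv6Interface:
    """General prefix + subnet bits + EUI-64 interface identifier, returned as a /64."""
    if not subnet_bits_fit(general_prefix, subnet_bits):
        raise ValueError("subnet bits overlap the general prefix or the interface identifier")
    net = ipaddress.IPv6Network(general_prefix, strict=True)
    high = int(net.network_address) | int(ipaddress.IPv6Address(subnet_bits))
    addr = ipaddress.IPv6Address(high | modified_eui64(mac))
    return ipaddress.IPv6Interface(f"{addr}/64")


if __name__ == "__main__":
    print("link-local:", link_local_address(SAMPLE_MAC))
    print("global:    ", global_address(SAMPLE_GENERAL_PREFIX, SAMPLE_SUBNET_BITS, SAMPLE_MAC))
```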
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps:
1.
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to that group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
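Table 1-2 lists “public” (read only) and “private” (read/write) as the factory community strings, and the text above recommends replacing them. The following Python audit is an added example, not part of the manual or of Asante’s software; the running-config line shapes it matches and the sample configuration are constructed assumptions.

```python
import re

# Factory defaults from Table 1-2 of this manual: community "public" is read-only,
# "private" is read/write, and the SNMP agent is enabled out of the box.
DEFAULT_COMMUNITIES = {"public", "private"}

# Assumed running-config line shapes (not quoted from the manual):
#   snmp-server community <string> [ro|rw]
#   snmp-server user <name> <group> v3 ...
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(?:\s+(ro|rw)\b)?", re.I)
V3_USER_RE = re.compile(r"^\s*snmp-server\s+user\s+(\S+)\s+(\S+)\s+v3\b", re.I)

# Constructed sample running-config, in the Console# CLI style the manual uses.
SAMPLE_CONFIG = """\
hostname Console
snmp-server community public ro
snmp-server community private rw
snmp-server community n3tm0n-r0 ro
interface vlan 1
 ip address dhcp
"""


def audit_snmp(config_text: str) -> list:
    """Return human-readable findings about SNMP access settings in a running-config."""
    findings = []
    communities = []
    v3_users = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = COMMUNITY_RE.match(line)
        if m:
            name = m.group(1)
            access = (m.group(2) or "ro").lower()   # assumed: read-only when omitted
            communities.append((name, access))
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(
                    f"line {lineno}: factory-default community string '{name}' "
                    f"({access}) is still configured"
                )
            continue
        m = V3_USER_RE.match(line)
        if m:
            v3_users.append(m.group(1))
    # Community strings travel in clear text; v1/v2c-only access means no
    # per-user authentication or privacy is in use at all.
    if communities and not v3_users:
        findings.append(
            "only SNMPv1/v2c community strings are configured; no SNMPv3 users "
            "with authentication/privacy are defined"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```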
• Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files. In the system flash memory, one file of each type must be set as the start-up file.
To save the current configuration settings, enter the following commands:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” (page 23-11) and press Enter.
2. Enter the name of the start-up file. Press Enter.
   Console#copy running-config startup-config
   Startup configuration file name []: startup
   \Write to FLASH Programming.
   \Write to FLASH finish.
   Success.
Section II: Switch Management
This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and a brief example for the Command Line Interface.
Switch Management
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Netscape 6.2, Mozilla Firefox 2.0.0.0, or more recent versions).
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator are both “admin”.
Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3-1 Web Page Configuration Buttons
Button | Action
Apply | Sets specified values to the system.
Revert | Cancels specified values and restores current values prior to pressing Apply.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Switch Main Menu (Continued)
Menu | Description | Page
SNTP | Simple Network Time Protocol | 4-36
  Current Time | Sets the time for the system clock | 4-36
  Configuration | Configures SNTP client settings, including a list of servers | 4-37
  Time Zone | Sets the local time zone for the system clock | 4-39
  Summer Time | Configures summer-time settings | 4-40
SNMP | Simple Network Management Protocol | 5-1
  Configuration | Configures community strings and related trap functions |
IP Filter | Configures IP addresses that are allowed management access | 6-26
Port | | 8-1
  Port Information | Displays port connection status | 8-1
  | Displays trunk connection status | 8-1
  Port Configuration | Configures port connection settings | 8-3
  Trunk Configuration | Configures trunk connection settings | 8-3
  Trunk Membership | Specifies ports to group into static trunks | 8-7
  | Allows ports to dynamically join trunks | 8-8
  Port Configuration | Configures individual port settings for STA | 10-13
  Trunk Configuration | Configures individual trunk settings for STA | 10-13
MSTP | Multiple Spanning Tree Algorithm |
  VLAN Configuration | Configures priority and VLANs for a spanning tree instance | 10-16
  Port Information | Displays port settings for a specified MST instance | 10-19
  Trunk Information | Displays trunk settings for a specified MST instance |
LLDP | Link Layer Discovery Protocol | 12-1
  Configuration | Configures global LLDP timing parameters | 12-1
  Port Configuration | Configures parameters for individual ports | 12-3
  Trunk Configuration | Configures parameters for trunks | 12-3
  Local Information | Displays LLDP information about the local device | 12-5
  Remote Port Information | Displays LLDP information about a remote device connected to a port on this switch |
IGMP Snooping | Internet Group Management Protocol – Snooping | 15-2
  IGMP Configuration | Enables multicast filtering; configures parameters for multicast query | 15-3
  IGMP Immediate Leave | Configures immediate leave for multicast services no longer required | 15-5
  Multicast Router Port Information | Displays the ports that are attached to a neighboring multicast router for each VLAN ID | 15-6
  Static Multicast
ARP | Address Resolution Protocol | 19-8
  General | Sets the protocol timeout, and enables or disables proxy ARP for the specified VLAN |
  Static Addresses | Statically maps a physical address to an IP address | 19-11
  Dynamic Addresses | Shows dynamically learned entries in the IP routing table | 19-12
  Other Addresses | Shows internal addresses used by the switch | 19-13
  Statistics | Shows statistics on ARP requests sent and received |
OSPF | Open Shortest Path First | 20-14
  General Configuration | Enables or disables OSPF; also configures the Router ID and various other global settings | 20-15
  Area Configuration | Specifies rules for importing routes into each area | 20-19
  Area Range Configuration | Configures route summaries to advertise at an area boundary | 20-23
  Interface Configuration | Shows area ID and designated router; also configu
Chapter 4: Basic Management Tasks This chapter describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. • Location – Specifies the system location.
4 Basic Management Tasks Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 4-1 System Information CLI – Specify the hostname, location and contact information.
Displaying Switch Hardware/Software Versions 4 Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. • Number of Ports – Number of built-in ports. • Hardware Version – Hardware version of the main board.
4 Basic Management Tasks CLI – Use the following command to display version information. 23-8 Console#show version Unit 1 Serial Number: Hardware Version: EPLD Version: Number of Ports: Main Power Status: Redundant Power Status: 0000E8900001 R01 1.06 26 Up Not present Agent (Master) Unit ID: Loader Version: Boot ROM Version: Operation Code Version: 1 1.19.2.58 1.1.0.1 1.1.0.
Web – Click System, Bridge Extension.
Figure 4-3 Displaying Bridge Extension Configuration
CLI – Enter the following command.
Setting the Switch’s IP Address (IP Version 4)
numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
Command Usage
• This section describes how to configure a single local interface for initial access to the stack. To configure multiple IP interfaces on this stack, you must set up an IP interface for each VLAN (page 19-4).
• To enable routing between the different interfaces on this stack, you must enable IP routing (page 19-4).
Manual Configuration
Web – Click IP, General, Routing Interface. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” and specify a “Primary” interface. Enter the IP address and subnet mask, then click Apply.
Figure 4-4 IPv4 Interface Configuration - Manual
Click IP, Global Setting. If this stack and management stations exist on other network segments, then specify the default gateway, and click Apply.
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the stack to be dynamically configured by these services.
Web – Click IP, General, Routing Interface. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the stack will also broadcast a request for IP configuration settings on each power reset.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the stack is moved to another network segment, you will lose management access to the stack. In this case, you can reboot the stack or submit a client request to restart DHCP service via the CLI.
Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface.
Setting the Switch’s IP Address (IP Version 6)
• The switch must always be configured with a link-local address. Therefore any configuration process that enables IPv6 functionality, or assigns a global unicast address to the switch, will also automatically generate a link-local unicast address. The prefix length for a link-local address is fixed at 64 bits, and the host portion of the default address is based on the modified EUI-64 (Extended Universal Identifier) form of the interface identifier (i.e.
about the target address. If IP routing is disabled, you must define a gateway if the target device is located in a different subnet.
- If routing is enabled, you can still define a static route using the IP / Routing / Static Routes screen (see page 19-21) to ensure that traffic to the designated address or subnet passes through a preferred gateway.
- A global unicast address can also be set by selecting a preconfigured general prefix for the network portion of the address from the Based on General Prefix scroll-down list and marking the check box next to this field to enable your choice (see “Configuring an IPv6 General Network Prefix” on page 4-15), and then specifying the address (in the IPv6 Address field) and the full network prefix length (e.g.
specification is designed for devices that use an extended 8-byte MAC address. For devices that still use a 6-byte MAC address (also known as EUI-48 format), it must be converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address.
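The EUI-48 to modified EUI-64 conversion just described, carried out in code. This is an added example and not the switch firmware or anything from the Asante manual; it goes one step further than the text by also combining the resulting interface identifier with an arbitrary /64 prefix (the way a global unicast address built from a general prefix would be formed). The MAC and prefix values are constructed samples.

```python
# Added example, not from the Asante manual: derive the modified EUI-64
# interface identifier and the fe80::/64 link-local address that the text
# describes (flip the universal/local bit, insert FF FE between the two
# halves of the 48-bit MAC). Sample MAC and prefix values are constructed.
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    octets = bytearray(mac_to_bytes(mac))
    octets[0] ^= 0x02  # invert the universal/local bit (bit 1 of the first octet)
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def link_local_address(mac: str) -> str:
    """The fe80::/64 address the switch auto-generates for this MAC."""
    prefix = bytes.fromhex("fe80000000000000")  # fe80::/64 with a zero host part
    return str(ipaddress.IPv6Address(prefix + modified_eui64(mac)))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 network prefix with the EUI-64 host part (e.g. a global unicast address)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 host portion needs a 64-bit prefix")
    host = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | host))


if __name__ == "__main__":
    sample_mac = "00-11-22-33-44-55"  # constructed, not a real device
    print("interface id:", modified_eui64(sample_mac).hex())
    print("link-local:  ", link_local_address(sample_mac))
    print("global:      ", eui64_address("2001:db8:1::/64", sample_mac))
```

Because the interface identifier embeds the hardware address unchanged apart from one flipped bit, an EUI-64 based address lets a device be recognised across every prefix it is attached to; that is worth knowing when the switch's management address will be visible outside the administrative network.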
Web – Click System, IPv6 Configuration, IPv6 Configuration. Set the IPv6 default gateway, specify the VLAN to configure, enable IPv6, and set the MTU. Then enter a global unicast or link-local address and click Add IPv6 Address.
CLI – This example configures an IPv6 gateway, specifies the management interface, configures a global unicast address, and then sets the MTU.
Follow the prefix by a forward slash and a decimal value indicating how many of the contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Web – Click System, IPv6 Configuration, IPv6 General Prefix. Click Add to open the editing fields for a prefix entry. Enter a name for the general prefix, the value for the general prefix, and the prefix length. Then click Add to enable the entry.
Configuring Neighbor Detection Protocol and Static Entries
IPv6 Neighbor Discovery Protocol supersedes IPv4 Address Resolution Protocol in IPv6 networks. IPv6 nodes on the same network segment use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors.
When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself.
Current Neighbor Cache Table
• IPv6 Address – IPv6 address of neighbor device.
• Age – The time since the address was verified as reachable (in minutes). A static entry is indicated by the value “Permanent.”
• Link-layer Address – Physical layer MAC address.
• State – The current state for an entry.
Web – Click System, IPv6 Configuration, IPv6 ND Neighbor. To configure the Neighbor Detection protocol settings, select a VLAN interface, set the number of attempts allowed for duplicate address detection, set the interval for neighbor solicitation messages, and click Apply. To configure static neighbor entries, click Add, fill in the IPv6 address, VLAN interface and hardware address. Then click Add.
CLI – This example maps a static entry for a global unicast address to a MAC address.
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd dad attempts 5
Console(config-if)#ipv6 nd ns-interval 30000
Console(config-if)#end
Console#show ipv6 interface
Vlan 1 is up
IPv6 is enable.
Configuring Support for Jumbo Frames
The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
• TFTP Server IP Address – The IP address of a TFTP server.
• File Type – Specify opcode (operational code) to copy firmware.
• File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
• Source/Destination Unit – Stack unit.
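The file-name rules listed above, applied as a pre-flight check before a firmware copy is issued from a management script. This is an added example, not the switch's own validation code or anything from the manual; the candidate names it checks are constructed.

```python
# Added example, not the switch's own validation code: apply the file-name
# rules listed in the manual (no slashes, no leading period, length limit of
# 127 on the TFTP server and 31 on the switch, only A-Z a-z 0-9 . - _)
# before a copy operation is issued. Sample names are constructed.
import re
from typing import List

ALLOWED_CHAR = re.compile(r"[A-Za-z0-9._-]")
MAX_LEN_ON_SERVER = 127
MAX_LEN_ON_SWITCH = 31


def file_name_problems(name: str, *, on_switch: bool) -> List[str]:
    """Return every rule the name breaks; an empty list means it is acceptable."""
    limit = MAX_LEN_ON_SWITCH if on_switch else MAX_LEN_ON_SERVER
    problems: List[str] = []
    if not name:
        return ["empty file name"]
    if "/" in name or "\\" in name:
        problems.append("contains a slash")
    if name.startswith("."):
        problems.append("leading character is a period")
    if len(name) > limit:
        problems.append(f"longer than {limit} characters")
    # slashes were reported above; report any other character outside the allowed set
    disallowed = sorted({c for c in name if c not in "/\\" and not ALLOWED_CHAR.fullmatch(c)})
    if disallowed:
        problems.append("disallowed characters: " + repr("".join(disallowed)))
    return problems


def is_valid_file_name(name: str, *, on_switch: bool) -> bool:
    return not file_name_problems(name, on_switch=on_switch)


if __name__ == "__main__":
    for candidate in ["V3.1.16.20.bix", "../V311620", ".hidden", "fw v3.bix"]:
        print(f"{candidate!r}: {file_name_problems(candidate, on_switch=False) or 'ok'}")
```

Rejecting slashes and a leading period together is what keeps a file name from being interpreted as a path on either the TFTP server or the switch; the length limit differs by side, so a name that is fine on the server can still be too long as the destination name on the switch.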
If you download to a new destination file, go to the File Management, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu.
Figure 4-12 Setting the Startup Code
To delete a file, select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted.
To start the new firmware, enter the “reload” command or reboot the system.
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
 1. config: 2. opcode: <1-2>: 2
Source file name: V3.1.16.20.bix
Destination file name: V311620
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Saving or Restoring Configuration Settings
Note: The maximum number of user-defined configuration files is limited only by available flash memory space.
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console Port Settings
• Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None)
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port.
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Telnet Settings
• Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
• Login – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts.
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and the display of a list of recent event messages.
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Web – Click System, Logs, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.
Figure 4-18 System Logs
CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Figure 4-19 Remote Logs
CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.
Console(config)#logging host 10.1.0.
Displaying Log Messages
Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Web – Click System, Log, Logs.
Figure 4-20 Displaying Logs
CLI – This example shows the event messages stored in RAM (page 23-30).
Console#show log ram
[10]01/01/2001 01:58:20 snmp:"Login Success,user:admin,WEB,ip:192.
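Once the RAM log is pulled from the switch (or received by the syslog server configured above), it can be parsed and watched for failed management logins. The following is an added example and not part of the manual: it parses lines in the shape of the show log ram output shown above, [entry]MM/DD/YYYY HH:MM:SS module:"message". The key:value layout inside the message (user:, ip:, and the access method) is assumed from the single visible line, and the sample entries, including the "Login Failure" messages, are constructed rather than captured from a switch.

```python
# Added example, not from the manual: parse lines in the shape of the
# "show log ram" output ([entry]MM/DD/YYYY HH:MM:SS module:"message") and
# count failed management logins per source address. The key:value layout
# inside the message is assumed from the one visible line; every sample
# entry below is constructed.
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterator, List, NamedTuple, Tuple

SAMPLE_LOG = """Console#show log ram
[10]01/01/2001 01:58:20 snmp:"Login Success,user:admin,WEB,ip:192.168.1.19"
[11]01/01/2001 02:03:41 snmp:"Login Success,user:admin,Telnet,ip:192.168.1.25"
[12]01/01/2001 02:05:02 snmp:"Login Failure,user:admin,WEB,ip:203.0.113.7"
[13]01/01/2001 02:05:09 snmp:"Login Failure,user:admin,WEB,ip:203.0.113.7"
[14]01/01/2001 02:05:15 snmp:"Login Failure,user:root,WEB,ip:203.0.113.7"
[15]01/01/2001 02:10:00 system:"Unit 1, Port 3 link-up notification"
Console#"""

LINE_RE = re.compile(
    r'^\[(?P<idx>\d+)\](?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<module>\w+):"(?P<msg>[^"]*)"$'
)


class LogEntry(NamedTuple):
    index: int
    when: datetime
    module: str
    message: str


def parse_log(text: str) -> List[LogEntry]:
    """Parse every well-formed entry; prompts and truncated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        entries.append(LogEntry(int(m["idx"]), when, m["module"], m["msg"]))
    return entries


def login_events(entries: List[LogEntry]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (outcome, user, method, ip) for each 'Login ...' message."""
    for entry in entries:
        parts = entry.message.split(",")
        if not parts[0].startswith("Login "):
            continue
        outcome = parts[0].split(" ", 1)[1]
        fields = dict(p.split(":", 1) for p in parts[1:] if ":" in p)
        method = next((p for p in parts[1:] if ":" not in p), "")
        yield outcome, fields.get("user", ""), method, fields.get("ip", "")


def failed_logins_by_source(entries: List[LogEntry]) -> Dict[str, int]:
    """Count failed logins per source IP: the raw material for an alert or lockout rule."""
    return dict(Counter(ip for outcome, _, _, ip in login_events(entries) if outcome == "Failure"))


def sources_over_threshold(entries: List[LogEntry], threshold: int = 3) -> List[str]:
    return sorted(ip for ip, n in failed_logins_by_source(entries).items() if n >= threshold)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(f"{len(log)} entries, failures by source: {failed_logins_by_source(log)}")
    print("alert on:", sources_over_threshold(log))
```

Because the RAM copy of the log is flushed on every power reset, a detection like this should run against the remote syslog copy rather than the switch's own memory whenever that option is configured.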
configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7)
• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
• Email Destination Address List – Specifies the email recipients of alert messages.
CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.
Console(config)#logging sendmail host 192.168.1.
Renumbering the Stack
Web – Click System, Renumbering.
Figure 4-22 Renumbering the Stack
CLI – This example renumbers all units in the stack (page 23-2).
Console#switch all renumber
Console#
Resetting the System
Web – Click System, Reset. Click the Reset button to restart the switch. When prompted, confirm that you want to reset the switch.
Figure 4-23 Resetting the System
CLI – Use the reload command to restart the switch.
Setting the System Clock
Setting the Current Time
You can manually set the system clock if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Command Attributes
• Hours – Hour in 24-hour format. (Range: 0 - 23)
• Minutes – Minute. (Range: 0 - 59)
• Seconds – Second. (Range: 0 - 59)
• Month – Month. (Range: 1 - 12)
• Day – Day of month. (Range: 1 - 31)
• Year – Year (4-digit).
Web – Select SNTP, Configuration. Modify any of the required SNTP parameters, and click Apply. To send an immediate request to the configured servers, click Update Time.
Figure 4-25 SNTP Configuration
CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings.
Console(config)#sntp client
Console(config)#sntp poll 16
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Command Attributes
• Predefined – Configures the time zone using predefined settings.
Configuring Summer Time
Use the Summer Time page to set the system clock forward during the summer months (also known as daylight savings time).
Command Usage
In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
Recurring Mode – Sets the start, end, and offset times of summer-time for the switch on a recurring basis. This mode sets the summer-time time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer-time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone.
• Offset – Summer-time offset from the regular time zone, in minutes.
Chapter 5: Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Table 5-1 SNMPv3 Security Models and Levels
Model | Level | Group | Read View | Write View | Notify View | Security
v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v1 | noAuthNoPriv | defaultview | defaultview | none | Community string only
v1 | noAuthNoPriv | user defined | user defined | user defined | Community string only
v2c | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v2c | noAuthNoPriv | private (read/writ
Setting Community Access Strings
You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Command Attributes
• SNMP Community Capability – The switch supports up to five community strings.
• Current – Displays a list of the community strings currently configured.
Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive)
• Trap UDP Port – Specifies the UDP port number used by the trap manager.
• Trap Version – Indicates if the user is running SNMP v1, v2c, or v3. (Default: v1)
• Trap Security Level – When trap version 3 is selected, you must specify one of the following security levels.
Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, do so before configuring other SNMP parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
4.
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent.
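The password localization the paragraph refers to is the key derivation defined in RFC 3414: the user's password is first hashed into a key, and that key is then hashed together with the authoritative engine ID, so the same password yields a different key on every engine. Below is an added example of that computation; it is not the switch firmware and not taken from the manual. The test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02) is the one published in RFC 3414 appendix A.3.

```python
# Added example, not from the manual: the RFC 3414 password-to-key and
# key-localization steps that tie an SNMPv3 user's key to one engine ID,
# which is why the remote engine ID has to be configured before informs
# to a remote user can be authenticated. Test vector from RFC 3414 A.3.
import hashlib

ONE_MEBIBYTE = 1048576  # RFC 3414 A.2: hash exactly 1,048,576 bytes of repeated password


def password_to_key(password: str, algorithm: str = "md5") -> bytes:
    """Ku: digest of the password repeated (and truncated) to 1 MiB."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEBIBYTE, len(pw))
    return hashlib.new(algorithm, pw * reps + pw[:rem]).digest()


def localize_key(password: str, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul: digest(Ku || engineID || Ku), different on every engine for the same password."""
    ku = password_to_key(password, algorithm)
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_hex(password: str, engine_id_hex: str, algorithm: str = "md5") -> str:
    """Convenience wrapper taking the engine ID as a hex string, as CLIs usually show it."""
    return localize_key(password, bytes.fromhex(engine_id_hex), algorithm).hex()


if __name__ == "__main__":
    engine = "000000000000000000000002"  # RFC 3414 A.3 test engine ID
    print("MD5  Kul:", localized_hex("maplesyrup", engine, "md5"))
    print("SHA1 Kul:", localized_hex("maplesyrup", engine, "sha1"))
    # a different engine ID gives a different localized key from the same password
    print("other   :", localized_hex("maplesyrup", "000000000000000000000003", "md5"))
```

Two practical consequences follow from the construction: an inform sent with a key localized for the wrong engine ID will simply fail authentication at the receiver, and a localized key recovered from one agent's configuration does not work against a second agent with a different engine ID, although the underlying password does.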
Configuring SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, or notify view.
Command Attributes
• User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
• Group Name – The name of the SNMP group to which the user is assigned.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read and a write view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Figure 5-7 Configuring Remote SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Command Attributes
• Group Name – The name of the SNMP group. (Range: 1-32 characters)
• Model – The group security model; SNMP v1, v2c or v3.
Table 5-2 Supported Notification Messages
Object Label | Object ID | Description
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
Table 5-2 Supported Notification Messages (Continued)
Object Label | Object ID | Description
Private Traps
swPowerStatusChangeTrap | 1.3.6.1.4.1.202.20.57.84.2.1.0.1 |
swFanFailureTrap | 1.3.6.1.4.1.202.20.57.84.2.1.0.17 | This trap is sent when the fan fails.
swFanRecoverTrap | 1.3.6.1.4.1.202.20.57.84.2.1.0.18 | This trap is sent when the fan failure has recovered.
swIpFilterRejectTrap | 1.3.6.1.4.1.202.20.57.84.2.1.0.
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
• View Name – The name of the SNMP view. (Range: 1-32 characters)
• View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
 Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
 View Type: included
 Storage Type: nonvolatile
 Row Status: active
View Name: readaccess
 Subtree OID: 1.3.6.1.
Chapter 6: User Authentication
You can restrict management access to this switch and provide secure network access using the following options:
• User Accounts – Manually configure management access rights for users.
• Authentication Settings – Use remote authentication to configure access rights.
• HTTPS Settings – Provide a secure web connection.
• SSH Settings – Provide a secure shell (for secure Telnet access).
• Port Security – Configure secure addresses for individual ports.
• 802.1X – Use IEEE 802.
Web – Click Security, User Accounts. To configure a new user account, enter the user name, access level, and password, then click Add. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 6-1 User Accounts
CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.
Configuring Local/Remote Logon Authentication
the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport.
TACACS Settings
- Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.13)
- Server Port Number – Network (TCP) port of TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49)
- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
Console#show radius-server
Remote RADIUS server configuration:
 Global settings:
  Communication key with RADIUS server: *****
  Server port number: 181
  Retransmit times: 5
  Request timeout: 10
 Server 1:
  Server IP address: 192.168.1.25
  Communication key with RADIUS server: *****
  Server port number: 181
  Retransmit times: 5
  Request timeout: 10
(page 25-8)
Console#config
Console(config)#authentication login tacacs
Console(config)#tacacs-server host 10.20.30.
Configuring HTTPS
The following web browsers and operating systems currently support HTTPS:
Table 6-1 HTTPS System Support
Web Browser | Operating System
Internet Explorer 5.0 or later | Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP
Netscape 6.2 or later | Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6
Mozilla Firefox 2.0.0.
Replacing the Default Secure-site Certificate
When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site. This is because the certificate has not been signed by an approved certification authority.
CLI – This example copies the certificate file from the designated TFTP server (page 23-11).
Console#copy tftp https-certificate
TFTP server ip address:
Source certificate file name:
Source private file name:
Private password:
Note: The switch must be reset for the new certificate to be activated.
Configuring the Secure Shell
station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:
10.1.0.54 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868544358361651999923329781766065830956108259132128902337654680172627257141342876294130119619556678259566410486957427888146206519417467729848654686157177393901647793559423035774130980227370877945452408397175264635805817671670957480477611 7
3.
d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
e. The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
Authenticating SSH v2 Clients
a.
Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
• Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored to RAM by default. Note that you must select this item prior to generating the host-key pair.
• Generate – This button is used to generate the host key pair.
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
• TFTP Server IP Address – The IP address of the TFTP server that contains the public key file you wish to import. (Default: 0.0.0.0)
• Source File Name – The public key file to upload.
• Copy Public Key – Initiates the public key TFTP import process. If you are replacing an outdated public key file, it is not necessary to first delete the original key from the switch. The import process will overwrite the existing key.
CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. Note that public key authentication through SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.254
Choose public key type:
 1. RSA: 2. DSA: <1-2>: 2
Source file name: admin-ssh2-dsa-pub.key
Username: admin
TFTP Download Success.
Write to FLASH Programming.
Success.
• SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768)
- The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits.
Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply.
Configuring Port Security
Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
Figure 6-8 Port Security
CLI – This example selects the target port, sets the port security action to send a trap and disable the port, specifies a maximum address count, and then enables port security for the port.
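A small model of the port-security behaviour described above, added here as an example; it is not the switch firmware and not taken from the manual. Up to the configured maximum of source MAC addresses are learned on a port, a frame from any further address is treated as an intrusion, and the configured action (send a trap, disable the port, or both) is applied. The action names are assumed from the manual's wording rather than copied from its CLI, and the traffic in simulate() is constructed.

```python
# Added example, not the switch firmware: a model of port security as the
# manual describes it. Up to max_count source MACs are learned on the port;
# a frame from any further address is an intrusion and the configured action
# is applied. Action names are assumed from the manual's description
# (trap, shutdown, both); the exact CLI keywords are not taken from the page.
from typing import List, Set

ACTIONS = {"none", "trap", "shutdown", "trap-and-shutdown"}


class SecuredPort:
    def __init__(self, name: str, max_count: int, action: str = "trap-and-shutdown"):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if max_count < 1:
            raise ValueError("max_count must be at least 1")
        self.name = name
        self.max_count = max_count
        self.action = action
        self.learned: Set[str] = set()
        self.shutdown = False
        self.traps: List[str] = []

    def frame_from(self, mac: str) -> str:
        """Process one ingress frame; returns what the port did with it."""
        mac = mac.lower()
        if self.shutdown:
            return "dropped: port disabled"
        if mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.max_count:
            self.learned.add(mac)  # learning stops once the limit is reached
            return "forwarded (learned)"
        # limit reached and the address is unknown: an intrusion
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append(f"{self.name}: intrusion from {mac}")
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.shutdown = True
        return "dropped: intrusion"


def simulate(action: str) -> SecuredPort:
    """Constructed traffic: two legitimate hosts, then an unexpected third device."""
    port = SecuredPort("eth1/5", max_count=2, action=action)
    for mac in ["00-11-22-33-44-55", "00-11-22-33-44-56",
                "00-11-22-33-44-55", "de-ad-be-ef-00-01"]:
        port.frame_from(mac)
    return port


if __name__ == "__main__":
    for action in sorted(ACTIONS):
        port = simulate(action)
        print(f"{action:18} shutdown={port.shutdown} traps={len(port.traps)} learned={sorted(port.learned)}")
```

The model makes the operational trade-off visible: with the trap-and-shutdown action a single unexpected device takes the whole port, including the legitimate hosts on it, offline until an administrator re-enables it, while the trap-only action keeps the port up and relies on the trap manager configured in Chapter 5 to raise the alarm.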
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
• The RADIUS server and client also have to support the same EAP authentication type – MD5. (Some clients have native support in Windows, otherwise the dot1x client must support it.)
Displaying 802.1X Global Settings
The 802.1X protocol provides port authentication.
Command Attributes
802.1X System Authentication Control – The global setting for 802.1X.
Web – Click Security, 802.1X, Information.
Figure 6-9 802.
Configuring 802.1X Global Settings
The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
Command Attributes
802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled)
Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply.
Figure 6-10 802.1X Global Configuration
CLI – This example enables 802.
• Max Count – The maximum number of hosts that can connect to a port when the operation mode is set to Multi-Host. (Range: 1-1024; Default: 5)
• Mode – Sets the authentication mode to one of the following options:
- Auto – Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access.
- Force-Authorized – Forces the port to grant access to all clients, either dot1x-aware or otherwise.
Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply.
Figure 6-11 802.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 25-32.
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 6-2 802.1X Statistics
Parameter – Description
Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff – The number of EAPOL Logoff frames that have been received by this Authenticator.
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 6-12 802.1X Port Statistics
CLI – This example displays the dot1x statistics for port 4.
Filtering IP Addresses for Management Access
You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
• The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry.
Figure 6-13 IP Filter
CLI – This example restricts management access for Telnet clients.
Console(config)#management telnet-client 192.168.1.19
Console(config)#management telnet-client 192.168.1.25 192.168.1.
Chapter 7: Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
If the “TCP” protocol is specified, then you can also filter packets based on the TCP control code.
- IPv6 Standard: IPv6 ACL mode that filters packets based on the source IPv6 address.
- IPv6 Extended: IPv6 ACL mode that filters packets based on the destination IP address, as well as the type of the next header and the flow label (i.e., a request for special handling by IPv6 routers).
Configuring Access Control Lists
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.
Figure 7-2 ACL Configuration - Standard IPv4
CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
• Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535)
• Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535)
• Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
• Control Code Bit Mask – Decimal number representing the code bits to match.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
Figure 7-3 ACL Configuration - Extended IPv4
CLI – This example adds three rules: 1.
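The bit-mask matching used by the extended IPv4 fields above (address bitmask, port bitmask, control code bitmask), as an added Python example that is not code from the manual; the rule and packet layout, the sample rule list and the implicit final deny are constructed assumptions.

```python
"""Extended IPv4 ACL evaluator with the bit-mask semantics described above.

Added example, not code from the Asante manual: rule fields, packet
fields and the implicit final deny are assumptions made for illustration.
A 1 bit in a mask means "compare this bit"; 0 bits are wildcards.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# TCP flag bits of the control code (the manual's "byte 14" of the header).
TCP_FLAG = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
PROTO_TCP = 6


def _masked_equal(value: int, pattern: int, mask: int) -> bool:
    """True when every bit selected by mask agrees between value and pattern."""
    return (value & mask) == (pattern & mask)


@dataclass(frozen=True)
class Rule:
    """One extended IPv4 rule. Masks of 0 (or "0.0.0.0") match anything."""
    action: str                              # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"                # "Host" == 255.255.255.255
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None           # None == any IP protocol
    dport: int = 0
    dport_mask: int = 0                      # port bits to match (0-65535)
    code: int = 0                            # TCP control code (0-63)
    code_mask: int = 0                       # code bits to match (0-63)

    def matches(self, pkt: dict) -> bool:
        if not _masked_equal(int(IPv4Address(pkt["src"])),
                             int(IPv4Address(self.src)),
                             int(IPv4Address(self.src_mask))):
            return False
        if not _masked_equal(int(IPv4Address(pkt["dst"])),
                             int(IPv4Address(self.dst)),
                             int(IPv4Address(self.dst_mask))):
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if not _masked_equal(pkt.get("dport", 0), self.dport, self.dport_mask):
            return False
        # The control code only exists for TCP; it is ignored otherwise.
        if self.code_mask and pkt["protocol"] == PROTO_TCP:
            if not _masked_equal(pkt.get("flags", 0), self.code, self.code_mask):
                return False
        return True


def evaluate(rules: list, pkt: dict) -> str:
    """First matching rule decides; no match falls through to deny
    (assumed implicit deny at the end of every list)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule list: permit the manual's example host and the
# 168.92.16.x-168.92.31.x range (mask 255.255.240.0), drop new TCP
# connection attempts (SYN set, ACK clear) to port 23, and permit
# established TCP (ACK set) to anywhere.
RULES = [
    Rule("permit", src="10.1.1.21", src_mask="255.255.255.255"),
    Rule("permit", src="168.92.16.0", src_mask="255.255.240.0"),
    Rule("deny", protocol=PROTO_TCP, dport=23, dport_mask=65535,
         code=TCP_FLAG["SYN"], code_mask=TCP_FLAG["SYN"] | TCP_FLAG["ACK"]),
    Rule("permit", protocol=PROTO_TCP, code=TCP_FLAG["ACK"],
         code_mask=TCP_FLAG["ACK"]),
]

if __name__ == "__main__":
    syn = {"src": "192.0.2.7", "dst": "10.0.0.5", "protocol": PROTO_TCP,
           "dport": 23, "flags": TCP_FLAG["SYN"]}
    print(evaluate(RULES, syn))
```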
Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
• Source Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IPv6-prefix). If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and the prefix length. Then click Add.
• Destination Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
• Next Header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255) Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any or IPv6-prefix). If you select “IPv6-prefix,” enter a subnet address and prefix length. Set any other required criteria, such as next header, DSCP, or flow label. Then click Add.
Figure 7-6 ACL Configuration - Extended IPv6
CLI – This example adds three rules: 1. 2. 3. Accepts any incoming packets for the destination 2009:DB9:2229::79/48.
Binding a Port to an Access Control List
After configuring the Access Control Lists (ACL), you should bind them to the ports that need to filter traffic. You can only bind a port to one ACL for each basic type – IPv4 ingress, MAC ingress, and IPv6 ingress.
Command Usage
• This switch supports ACLs for ingress filtering only.
Command Attributes
• Port – Fixed port, SFP module, or XFP module. (Range: 1-26/50)
• IP – Specifies the IPv4 ACL to bind to a port.
Chapter 8: Port Configuration
Displaying Connection Status
You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Field Attributes (Web)
• Name – Interface label.
• Type – Indicates the port type. (1000BASE-T, SFP, or 10G)
• Admin Status – Shows if the interface is enabled or disabled.
• Oper Status – Indicates if the link is Up or Down.
Field Attributes (CLI)
Basic information:
• Port type – Indicates the port type. (1000BASE-T, SFP, or 10G)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address (IP Version 4)” on page 4-5.)
Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.e., up or down).
• Speed-duplex – Shows the current speed and duplex mode.
CLI – This example shows the connection status for Port 5.
- 1000full - Supports 1 Gbps full-duplex operation
- 10Gfull - Supports 10 Gbps full-duplex operation
Sym (Gigabit only) - Check this item to transmit and receive pause frames, or clear it to auto-negotiate the sender and receiver for asymmetric pause frames. (The current switch chip only supports symmetric pause frames.
Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.
Figure 8-2 Port - Port Configuration
CLI – Select the interface, and then enter the required settings.
Console(config)#interface ethernet 1/13
Console(config-if)#description RD SW#13
Console(config-if)#shutdown
.
Console(config-if)#no shutdown
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 100half
.
Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices (i.e., single switch or a stack). You can create up to 32 trunks. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
Statically Configuring a Trunk
Command Usage
• When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk.
Command Attributes
• Member List (Current) – Shows configured trunks (Unit, Port).
• New – Includes entry fields for creating new trunks.
- Unit – Stack unit. (Range: 1-8)
- Port – Port identifier. (Range: 1-25/49)
Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Configuring LACP Parameters
Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP System Priority.
• Ports must have the same LACP port Admin Key.
• However, if the “port channel” Admin Key is set (page 4-142), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
. . .
Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Table 8-1 LACP Port Counters
Parameter – Description
LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received – Number of valid LACPDUs received by this channel group.
Marker Sent – Number of valid Marker PDUs transmitted from this channel group.
Marker Received – Number of valid Marker PDUs received by this channel group.
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the local side of a link aggregation.
Table 8-2 LACP Internal Configuration Information
Field – Description
Oper Key – Current operational value of the key for the aggregation port.
Admin Key – Current administrative value of the key for the aggregation port.
LACPDUs Internal – Number of seconds before invalidating received LACPDU information.
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.
Figure 8-7 LACP - Port Internal Information
CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side of a link aggregation.
Table 8-3 LACP Neighbor Configuration Information
Field – Description
Partner Admin System ID – LAG partner’s system ID assigned by the user.
Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number – Current administrative value of the port number for the protocol Partner.
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply.
Figure 8-9 Port Broadcast Control
CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
(Figure: traffic from the source port(s) is copied to a single target port)
Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port. Note that default mirroring under the CLI is for both received and transmitted packets.
Console(config)#interface ethernet 1/10
Console(config-if)#port monitor ethernet 1/13
Console(config-if)#
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface.
Web - Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Set the Input Rate Limit Status or Output Rate Limit Status, then set the rate limit for the individual interfaces, and click Apply.
Figure 8-11 Rate Limit Configuration
CLI - This example sets the rate limit for input and output traffic passing through port 1 to 600 Mbps.
Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
Table 8-4 Port Statistics (Continued)
Parameter – Description
Transmit Discarded Packets – The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Transmit Errors – The number of outbound packets that could not be transmitted because of errors.
Table 8-4 Port Statistics (Continued)
Parameter – Description
Received Frames – The total number of frames (bad, broadcast and multicast) received.
Broadcast Frames – The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.
Multicast Frames – The total number of good frames received that were directed to this multicast address.
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
CLI – This example shows statistics for port 12.
Chapter 9: Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
Setting Static Addresses
A static address can be assigned to a specific interface on this switch.
Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.
Figure 9-1 Static Addresses
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.
Figure 9-2 Dynamic Addresses
CLI – This example also displays the address table entries for port 1.
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables/disables the aging function.
• Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds)
Web – Click Address Table, Address Aging. Specify the new aging time, and click Apply.
Figure 9-3 Address Aging
CLI – This example sets the aging time to 400 seconds.
Chapter 10: Spanning Tree Algorithm The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing.
Displaying Global Settings
You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
Field Attributes
• Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
• Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.)
• VLANs configuration – VLANs assigned to the CIST.
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
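The root election rule just described (lowest priority wins, ties broken by lowest MAC address), as an added Python example that is not part of the manual; it reads bridge identifiers in the priority.instance.MAC form shown by show spanning-tree, and the function names and the displacement check are assumptions.

```python
"""Root bridge election from bridge identifiers as printed by
show spanning-tree (priority.instance.MAC, e.g. 32768.0.0001ECF8D8C6).

Added example, not from the Asante manual: BridgeId, elect_root and
would_displace_root are illustrative names. Ordering follows the text
above: lowest priority wins, ties go to the lowest MAC address.
"""
import re
from dataclasses import dataclass

_ID_RE = re.compile(r"^(\d+)\.(\d+)\.([0-9A-Fa-f]{12})$")
# Valid bridge priorities: 0-61440 in steps of 4096.
VALID_PRIORITIES = range(0, 61440 + 1, 4096)


@dataclass(frozen=True)
class BridgeId:
    priority: int
    instance: int    # system ID extension; 0 for the CIST
    mac: str         # 12 hex digits, normalised to upper case

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        m = _ID_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a bridge ID: {text!r}")
        priority = int(m.group(1))
        if priority not in VALID_PRIORITIES:
            raise ValueError(
                f"priority {priority} is not a multiple of 4096 in 0-61440")
        return cls(priority, int(m.group(2)), m.group(3).upper())

    def sort_key(self):
        # 802.1Q bridge ID ordering: the 4-bit priority and 12-bit system ID
        # extension form the upper 16 bits, the MAC address the lower 48.
        return (self.priority + self.instance, int(self.mac, 16))

    def __str__(self) -> str:
        return f"{self.priority}.{self.instance}.{self.mac}"


def elect_root(ids) -> BridgeId:
    """Return the bridge that wins the root election among the given IDs
    (strings or BridgeId objects), all of which must share one instance."""
    bridges = [b if isinstance(b, BridgeId) else BridgeId.parse(b) for b in ids]
    if not bridges:
        raise ValueError("no bridges given")
    if len({b.instance for b in bridges}) != 1:
        raise ValueError("bridge IDs belong to different MST instances")
    return min(bridges, key=BridgeId.sort_key)


def would_displace_root(current_root: str, candidate: str) -> bool:
    """True when a newly seen bridge ID would win the election against the
    current root. Comparing BPDU-advertised IDs against the intended root
    flags an unexpected device before it reshapes the topology."""
    root, cand = BridgeId.parse(current_root), BridgeId.parse(candidate)
    return cand.sort_key() < root.sort_key()


if __name__ == "__main__":
    # Both identifiers appear in the show spanning-tree output of this manual.
    print(elect_root(["32768.0.0001ECF8D8C6", "32768.0.0000E8900000"]))
```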
CLI – This command displays global STA settings, followed by settings for each port.
Console#show spanning-tree
Spanning-tree information
--------------------------------------------------------------
Spanning Tree Mode: MSTP
Spanning Tree Enabled/Disabled: Enabled
Instance: 0
VLANs Configuration: 1-4093
Priority: 32768
Bridge Hello Time (sec.): 2
Bridge Max Age (sec.): 20
Bridge Forward Delay (sec.): 15
Root Hello Time (sec.): 2
Root Max Age (sec.
Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
address will then become the root device. (Note that lower numeric values indicate higher priority.)
• Default: 32768
• Range: 0-61440, in steps of 4096
• Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
Root Device Configuration
• Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
• Default: 2
• Minimum: 1
• Maximum: The lower of 10 or [(Max.
Configuration Settings for MSTP
• Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 33)
• Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
• Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
• Region Name – The name for this MSTI.
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
• Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree.
• Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
• Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
These additional parameters are only displayed for the CLI:
• Admin status – Shows if this interface is enabled.
• External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)
• Internal path cost – The path cost for the MST.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
-------------------------------------------------------------
Admin Status: Enabled
Role: disable
State: discarding
External Admin Path Cost: 0
Internal Admin Path Cost: 0
External Oper Path Cost: 10000
Internal Oper Path Cost: 10000
Priority: 128
Designated Cost: 100000
Designated Port: 128.5
Designated Root: 32768.0.0001ECF8D8C6
Designated Bridge: 32768.0.
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
Configuring Multiple Spanning Trees
MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance. By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region.
Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Figure 10-7 MSTP VLAN Configuration
CLI – This displays STA settings for instance 1, followed by settings for each port.
--------------------------------------------------------------
Eth 1/ 7 information
--------------------------------------------------------------
Admin Status: Enabled
Role: designate
State: forwarding
External Admin Path Cost: 0
Internal Admin Path Cost: 0
External Oper Path Cost: 10000
Internal Oper Path Cost: 10000
Priority: 128
Designated Cost: 0
Designated Port: 128.23
Designated Root: 32768.1.0000E8900000
Designated Bridge: 32768.1.
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
Field Attributes
• MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0)
The other attributes are described under “Displaying Interface Settings,” page 10-10.
Web – Click Spanning Tree, MSTP, Port Information or Trunk Information.
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin Status: Enabled
Role: designate
State: forwarding
External Admin Path Cost: 0
Internal Admin Path Cost: 0
External Oper Path Cost: 10000
Internal Oper Path Cost: 10000
Priority: 128
Designated Cost: 0
Designated Port: 128.23
Designated Root: 32768.0.0000E8900000
Designated Bridge: 32768.0.
Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
• Default: 128
• Range: 0-240, in steps of 16
• Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
CLI – This example sets the MSTP attributes for port 4.
Chapter 11: VLAN Configuration
IEEE 802.1Q VLANs
In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment. An IEEE 802.
Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging.
(Figure: tagged frames are exchanged between VLAN-aware (VA) devices; untagged frames are sent to VLAN-unaware (VU) devices)
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways.
these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
Enabling or Disabling GVRP (Global Setting)
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network. GVRP must be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. (Default: Disabled)
Web – Click VLAN, 802.
CLI – Enter the following command.
Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4093, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
- Dynamic: Automatically learned via GVRP.
- Static: Added as a static entry.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Shows if this VLAN is enabled or disabled.
- Active: VLAN is operational.
- Suspend: VLAN is suspended; i.e., does not pass packets.
• Ports / Channel groups – Shows the VLAN interface members.
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
Figure 11-4 VLAN Static List - Creating VLANs
CLI – This example creates a new VLAN.
Console(config)#vlan database
Console(config-vlan)#vlan 2 name R&D media ethernet state active
Console(config-vlan)#end
Console#show vlan
VLAN ID: Type: Name: Status: Ports/Port Channels:
. . .
Command Attributes
• VLAN – ID of configured VLAN (1-4093).
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
- Enable: VLAN is operational.
- Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Trunk – Trunk identifier.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
- Tagged: Interface is a member of the VLAN.
CLI – The following example adds tagged and untagged ports to VLAN 2.
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
Configuration Limitations for QinQ
• The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN were the uplink port's native VLAN, the uplink port would be an untagged member of the SPVLAN, so the outer SPVLAN tag would be stripped when packets are sent out; the next provider switch would then read the customer's own inner tag as the service VLAN. Another reason is that it causes non-customer packets to be forwarded into the SPVLAN.
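To make the tag handling in the steps above concrete, here is an added Python example (not code from this manual or from the switch) that builds and parses double-tagged frames. It models a tunnel access port pushing the SPVLAN tag with the nonstandard TPID 0x9100 used later in this chapter, the 802.1Q egress rule for untagged versus tagged members, and the limitation just described: when the uplink's native VLAN is the SPVLAN, the outer tag is stripped and the next provider switch parses the customer's own tag as the service VLAN. It also shows why the TPID setting matters: a parser that only knows 0x8100 sees the 0x9100 tag as an unknown ethertype. All MAC addresses, VLAN IDs and the payload are constructed for the example.

```python
import struct

TPID_8100 = 0x8100   # standard IEEE 802.1Q TPID
TPID_88A8 = 0x88A8   # IEEE 802.1ad service TPID
TPID_9100 = 0x9100   # the nonstandard TPID set with "switchport dot1q-tunnel tpid 9100"
KNOWN_TPIDS = (TPID_8100, TPID_88A8, TPID_9100)


def build_tag(tpid, vid, pcp=0, dei=0):
    """Encode one 4-byte VLAN tag: TPID followed by TCI (PCP:3, DEI:1, VID:12)."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame; tags is [(tpid, vid), ...] from outermost to innermost."""
    header = bytes.fromhex(dst) + bytes.fromhex(src)
    for tpid, vid in tags:
        header += build_tag(tpid, vid)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame, tpids=KNOWN_TPIDS):
    """Walk the tag stack after the MAC addresses until a non-TPID ethertype appears.

    Returns (dst, src, tags, ethertype, payload) with tags as [(tpid, pcp, dei, vid), ...],
    outermost first.  Only the TPIDs in `tpids` are recognised as tags, which is exactly what
    the per-port TPID setting controls.  A truncated header raises ValueError.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6].hex(), frame[6:12].hex()
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated tag stack")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in tpids:
            return dst, src, tags, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def tunnel_access_ingress(frame, spvlan, tpid=TPID_8100):
    """Tunnel access port: push the outer SPVLAN tag in front of whatever the customer sent."""
    return frame[:12] + build_tag(tpid, spvlan) + frame[12:]


def egress(frame, untagged_vlans, tpids=KNOWN_TPIDS):
    """Egress rule from the text: an untagged member of the outer VLAN strips the outer tag,
    a tagged member forwards the frame with both tags intact."""
    _, _, tags, _, _ = parse_frame(frame, tpids)
    if tags and tags[0][3] in untagged_vlans:
        return frame[:12] + frame[16:]
    return frame


def service_vlan_seen_at_next_hop(uplink_untagged_vlans, spvlan=10, tpid=TPID_9100):
    """A customer frame tagged VLAN 100 enters a tunnel access port, leaves on the uplink and is
    parsed by the next provider switch.  Returns the VID that switch treats as the service VLAN:
    the SPVLAN when the uplink is a tagged member of it, the customer's VID when the uplink is an
    untagged (native) member and the outer tag has been stripped."""
    customer = build_frame("ffffffffffff", "0011223344aa",            # constructed addresses
                           [(TPID_8100, 100)], 0x0806, b"\x00" * 28)   # constructed ARP-sized payload
    inside_provider = tunnel_access_ingress(customer, spvlan, tpid)
    on_wire = egress(inside_provider, uplink_untagged_vlans)
    _, _, tags, _, _ = parse_frame(on_wire)
    return tags[0][3]
```

The first call below represents the correct configuration (native VLAN 1 untagged, SPVLAN 10 tagged on the uplink); the second represents the misconfiguration the limitation warns about.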
Enabling QinQ Tunneling on the Switch
The switch can be configured to operate in normal VLAN mode or in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also set the Tag Protocol Identifier (TPID) value of a tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Command Usage
• Use the TPID field to set a custom 802.
CLI – This example sets the switch to operate in QinQ mode and sets a nonstandard TPID of 0x9100 on a tunnel port.
Console(config)#dot1q-tunnel system-tunnel-control
Console(config-if)#switchport dot1q-tunnel tpid 9100
Console(config)#exit
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
. . .
Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply.
Figure 11-2 Tunnel Port Configuration
CLI – This example sets port 2 to tunnel access mode, and sets port 3 to tunnel uplink mode.
Configuring Private VLANs
Enabling Private VLANs
Use the Private VLAN Status page to enable/disable the Private VLAN function.
Web – Click VLAN, Private VLAN, Status. Select Enable or Disable from the scroll-down box, and click Apply.
Figure 11-8 Private VLAN Status
CLI – This example enables private VLANs.
Console(config)#pvlan
Console(config)#
Configuring Uplink and Downlink Ports
Use the Private VLAN Link Status page to set ports as downlink or uplink ports.
CLI – This example configures port 3 as an uplink and ports 5 and 6 as downlinks.
Configuring Protocol-Based VLANs
• Protocol Type – The only option for the LLC_other frame type is IPX_raw. The options for all other frame types include: IP, IPv6, ARP, RARP, and user-defined (0801-FFFF hexadecimal).
Web – Click VLAN, Protocol VLAN, Configuration. Enter a protocol group ID, frame type and protocol type, then click Apply.
Figure 11-10 Protocol VLAN Configuration
CLI – The following creates protocol group 1, and then specifies Ethernet frames with IP and ARP protocol types.
Command Attributes
• Interface – Port or trunk identifier.
• Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647)
• VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4093)
Web – Click VLAN, Protocol VLAN, Port Configuration. Select a port or trunk, enter a protocol group ID and the corresponding VLAN ID, and click Apply.
Chapter 12: Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic multicast advertisements to announce information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings. LLDP advertisements are neither authenticated nor encrypted, so any device attached to a port learns whatever system description and management address the switch advertises there; consider disabling LLDP transmission on ports facing untrusted hosts.
• Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. (Range: 1-10 seconds; Default: 2 seconds) When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
• Notification Interval – Configures the allowed interval for sending SNMP notifications about LLDP MIB changes.
CLI – This example sets several attributes which control basic LLDP message timing.
Console(config)#lldp
Console(config)#lldp refresh-interval 60
Console(config)#lldp holdtime-multiplier 10
Console(config)#lldp tx-delay 10
Console(config)#lldp reinit-delay 10
Console(config)#lldp notification-interval 30
Console(config)#exit
Console#show lldp config
LLDP Global Configuration
. . .
- System Description – The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software.
- Management Address – The Management Address TLV includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, and specifies the TLV parameters to advertise.
• System Capabilities Supported – The capabilities that define the primary function(s) of the system.
Table 12-2 System Capabilities
ID Basis               Reference
Other                  —
Repeater               IETF RFC 2108
Bridge                 IETF RFC 2674
WLAN Access Point      IEEE 802.11 MIB
Router                 IETF RFC 1812
Telephone              IETF RFC 2011
DOCSIS cable device    IETF RFC 2669 and IETF RFC 2670
End Station Only       IETF RFC 2011
• System Capabilities Enabled – The primary function(s) of the system which are currently enabled.
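To show what the TLVs described in this chapter look like on the wire, here is an added Python example (not code from this manual or from the switch). It builds an LLDPDU with the mandatory Chassis ID, Port ID and TTL TLVs followed by System Name, System Description, System Capabilities and Management Address, then parses it back, decoding the capability bitmap in the order of Table 12-2. The TTL helper reproduces the relationship between refresh-interval and holdtime-multiplier from the global timing example. The parser rejects a frame with no End of LLDPDU TLV, a TLV length that overruns the frame, or the mandatory TLVs out of order; those are the failures the Frames Discarded counter described later in this chapter records. The MAC address, port name, system strings and management address are constructed.

```python
import struct

# TLV type numbers from IEEE 802.1AB
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)

# System capability bits in the order of Table 12-2 (bit 0 = Other ... bit 7 = Station Only)
CAPABILITY_BITS = ["Other", "Repeater", "Bridge", "WLAN Access Point",
                   "Router", "Telephone", "DOCSIS cable device", "Station Only"]


def tlv(tlv_type, value):
    """TLV header: 7-bit type and 9-bit length packed into two bytes, followed by the value."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def ttl_value(refresh_interval, holdtime_multiplier):
    """The advertised TTL is refresh-interval multiplied by holdtime-multiplier, capped at 16 bits."""
    return min(refresh_interval * holdtime_multiplier, 65535)


def decode_capabilities(bits):
    return [name for i, name in enumerate(CAPABILITY_BITS) if bits & (1 << i)]


def build_lldpdu(chassis_mac, port_name, ttl, sys_name, sys_desc,
                 cap_supported, cap_enabled, mgmt_ipv4, ifindex):
    """Constructed advertisement with the three mandatory TLVs first, as the standard requires."""
    addr = bytes(int(octet) for octet in mgmt_ipv4.split("."))
    pdu = tlv(CHASSIS_ID, b"\x04" + bytes.fromhex(chassis_mac))      # subtype 4: MAC address
    pdu += tlv(PORT_ID, b"\x05" + port_name.encode())                 # subtype 5: interface name
    pdu += tlv(TTL, struct.pack("!H", ttl))
    pdu += tlv(SYS_NAME, sys_name.encode())
    pdu += tlv(SYS_DESC, sys_desc.encode())
    pdu += tlv(SYS_CAP, struct.pack("!HH", cap_supported, cap_enabled))
    # Management Address: address length (including subtype), subtype 1 = IPv4, the address,
    # interface numbering subtype 2 = ifIndex, the interface number, then OID length 0.
    pdu += tlv(MGMT_ADDR, bytes([len(addr) + 1, 1]) + addr + b"\x02"
               + struct.pack("!I", ifindex) + b"\x00")
    return pdu + tlv(END, b"")


def parse_lldpdu(pdu):
    """Decode an LLDPDU into a dict.  Raises ValueError for malformed frames: no End TLV,
    a length that runs past the frame, or mandatory TLVs missing or out of order."""
    offset, tlvs = 0, []
    while True:
        if offset + 2 > len(pdu):
            raise ValueError("missing End of LLDPDU TLV")
        header = struct.unpack_from("!H", pdu, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        if offset + 2 + length > len(pdu):
            raise ValueError("TLV length runs past the end of the frame")
        tlvs.append((tlv_type, pdu[offset + 2:offset + 2 + length]))
        offset += 2 + length
        if tlv_type == END:
            break
    if len(tlvs) < 3 or [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL] or len(tlvs[2][1]) != 2:
        raise ValueError("Chassis ID, Port ID and TTL must come first, in that order")
    info = {}
    for tlv_type, value in tlvs:
        if tlv_type == CHASSIS_ID and value[:1] == b"\x04":
            info["chassis_id"] = ":".join("%02x" % b for b in value[1:])
        elif tlv_type == PORT_ID and value[:1] == b"\x05":
            info["port_id"] = value[1:].decode()
        elif tlv_type == TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == SYS_NAME:
            info["system_name"] = value.decode()
        elif tlv_type == SYS_DESC:
            info["system_description"] = value.decode()
        elif tlv_type == SYS_CAP and len(value) == 4:
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities_supported"] = decode_capabilities(supported)
            info["capabilities_enabled"] = decode_capabilities(enabled)
        elif tlv_type == MGMT_ADDR and value[1:2] == b"\x01":
            n = value[0] - 1
            info["management_address"] = ".".join(str(b) for b in value[2:2 + n])
    return info
```

With refresh-interval 60 and holdtime-multiplier 10 from the CLI example, a neighbor keeps the entry for 600 seconds after the last advertisement, which is the value the TTL TLV carries.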
Displaying LLDP Local Device Information
Web – Click LLDP, Local Information.
Figure 12-6 LLDP Local Device Information
CLI – This example displays LLDP information for the local switch.
This example displays detailed information for a specific port on the local switch.
CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP.
• System Description – A textual description of the network entity.
• System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 12-2, “System Capabilities,” on page 12-6.)
• System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 12-2, “System Capabilities,” on page 12-6.)
• Management Address – The IPv4 address of the remote device.
CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
Displaying Device Statistics
Web – Click LLDP, Device Statistics.
Figure 12-9 LLDP Device Statistics
CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.
Console#show lldp info statistics
LLDP Device Statistics
 Neighbor Entries List Last Updated
 New Neighbor Entries Count
 Neighbor Entries Deleted Count
 Neighbor Entries Dropped Count
 Neighbor Entries Ageout Count
Interface
---------
Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
. . .
Displaying Detailed Device Statistics
Use the LLDP Device Statistics Details screen to display detailed statistics for LLDP-capable devices attached to specific interfaces on the switch.
Field Attributes
• Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV.
CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.
Chapter 13: Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 13-1 Default Port Priority
CLI – This example assigns a default priority of 5 to port 3.
Layer 2 Queue Settings
Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict priority or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 13-2 Traffic Classes
CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight for each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch spends on each queue before moving on to the next queue. Note that in strict mode a sustained flow in the highest queue, whether legitimate or injected by an attached host that sets its own 802.1p tags, starves every queue below it; WRR guarantees each queue at least its weighted share.
Setting the Service Weight for Traffic Classes
This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” above, the traffic classes are mapped to one of the eight egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities).
CLI – The following example shows how to assign WRR weights to each of the priority queues.
Console(config)#queue bandwidth 1 3 5 7 9 11 13 15
Console(config)#exit
Console#show queue bandwidth
Information of Eth 1/1
 Queue ID  Weight
 --------  ------
        0       1
        1       3
        2       5
        3       7
        4       9
        5      11
        6      13
        7      15
Information of Eth 1/2
 Queue ID  Weight
. . .
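As an added illustration (not code from this manual or from the switch), the following Python simulation runs both queue modes over the same saturated backlog using the weights from the CLI example above. Under WRR each queue's share of transmitted packets is its weight divided by the sum of the weights (queue 7 gets 15/64, queue 0 gets 1/64), and the share of an idle queue is redistributed to the others; under strict priority a continuously busy queue 7 takes every transmit slot and queues 0 to 6 get nothing. The backlog depth and packet counts are constructed, and the scheduling loop is a model of the behavior described in the text, not the switch's hardware scheduler.

```python
from collections import deque

# Weights from "queue bandwidth 1 3 5 7 9 11 13 15": queue 0 is the lowest, queue 7 the highest.
EXAMPLE_WEIGHTS = [1, 3, 5, 7, 9, 11, 13, 15]


def saturated_queues(nqueues, depth):
    """Constructed backlog: every queue holds `depth` packets, each tagged with its queue number."""
    return [deque([q] * depth) for q in range(nqueues)]


def wrr_schedule(queues, weights, budget):
    """Weighted Round Robin: visit the queues in turn, sending at most weights[q] packets from
    each per round, until `budget` packets are sent or everything is empty.  An empty queue
    forfeits its turn, so its share goes to the others rather than being wasted."""
    sent = []
    while len(sent) < budget:
        progressed = False
        for q, weight in enumerate(weights):
            for _ in range(weight):
                if not queues[q] or len(sent) >= budget:
                    break
                sent.append(queues[q].popleft())
                progressed = True
        if not progressed:
            break
    return sent


def strict_schedule(queues, budget):
    """Strict priority: always take the next packet from the highest non-empty queue."""
    sent = []
    while len(sent) < budget:
        for q in range(len(queues) - 1, -1, -1):
            if queues[q]:
                sent.append(queues[q].popleft())
                break
        else:
            break
    return sent


def service_share(sent, nqueues):
    """Fraction of the transmitted packets that came from each queue."""
    counts = [0] * nqueues
    for q in sent:
        counts[q] += 1
    total = len(sent) or 1
    return [c / total for c in counts]


def compare_modes(weights=EXAMPLE_WEIGHTS, rounds=4):
    """Run both schedulers on an identical saturated backlog for `rounds` full WRR rounds."""
    n = len(weights)
    budget = sum(weights) * rounds
    wrr = service_share(wrr_schedule(saturated_queues(n, budget), weights, budget), n)
    strict = service_share(strict_schedule(saturated_queues(n, budget), budget), n)
    return {"wrr": wrr, "strict": strict}
```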
Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, then click Apply.
Figure 13-5 IP Precedence/DSCP Priority Status
CLI – The following example enables IP Precedence service on the switch.
Layer 3/4 Priority Settings
Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply.
Figure 13-6 IP Precedence Priority
CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Mapping DSCP Priority
The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP-compliant, ToS-enabled devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. Both DSCP and IP Precedence are set by the sending host, so once either mapping is enabled the switch honors whatever marking arrives on a port unless traffic is re-marked at the network edge. The DSCP default values are defined in the following table.
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
Web – Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply.
Figure 13-9 IP Port Priority
CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP (TCP port 80) traffic received on switch port 1 to CoS value 0, and then displays the IP Port Priority settings.
Chapter 14: Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
Configuring a Class Map
A class map is used for matching packets to a specified class.
Command Usage
• To configure a Class Map, follow these steps:
- Open the Class Map page, and click Add Class. When the Class Configuration page opens, fill in the “Class Name” field, and click Add.
• IP Precedence – An IP Precedence value. (Range: 0-7)
• VLAN – A VLAN. (Range: 1-4093)
• IPv6 DSCP – A DSCP value contained in an IPv6 packet. (Range: 0-63)
• Add – Adds specified criteria to the class. Up to 16 items are permitted per class.
• Remove – Deletes the selected criteria from the class.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
CLI - This example creates a class map called “rd_class,” and sets it to match packets marked with DSCP value 3.
Console(config)#class-map rd_class match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.
Command Usage
• To configure a Policy Map, follow these steps:
- Create a Class Map as described on page 14-2.
• Add Policy – Opens the “Policy Configuration” page. Enter a policy name and description on this page, and click Add to open the “Policy Rule Settings” page. Enter the criteria used to service ingress traffic on this page.
• Remove Policy – Deletes a specified policy.
Policy Configuration
• Policy Name – Name of policy map. (Range: 1-16 characters)
• Description – A brief description of a policy map.
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps and the burst size to 1522 bytes, and sets the action for packets that exceed the rate to marking them down to DSCP value 0.
Chapter 15: Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It simply sends its stream to a multicast group address, and any hosts that want to receive the multicast register with their local multicast switch/router.
Layer 2 IGMP (Snooping and Query)
IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and IGMP Query (page 15-3) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 15-9).
Configuring IGMP Snooping and Query Parameters
You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
• IGMP Query Timeout — The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired. (Range: 300-500 seconds, Default: 300)
• IGMP Version — Sets the protocol version for compatibility with other devices on the network. (Range: 1-3; Default: 2)
Notes: 1. All systems on the subnet must support the same version. 2.
Enabling IGMP Immediate Leave
The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the immediate-leave function is enabled for the parent VLAN. This allows the switch to remove a port from the multicast forwarding table without first having to send an IGMP group-specific query to that interface. Use immediate leave only on VLANs where each port has a single attached host: if several hosts share a port, a leave from one of them removes the port for all of them until the next membership report.
CLI – This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status.
CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
Console#show ip igmp snooping mrouter vlan 1
VLAN M'cast Router Port Type
---- ------------------ -------
   1 Eth 1/11           Static
Console#
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier.
Displaying Port Members of Multicast Services
You can display the port members associated with a specified VLAN and multicast service.
Command Attributes
• VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4093)
• Multicast IP Address – The IP address for a specific multicast service.
• Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.
Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 15-3. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
Chapter 16: Domain Name Service
The Domain Name System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
Figure 16-1 DNS General Configuration
CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
Console(config)#ip domain-name sample.
Configuring Static DNS Host to Address Entries
You can manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Command Usage
• Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
• Servers or other network devices may support one or more connections via multiple IP addresses.
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
Figure 16-2 DNS Static Host Table
CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#ip host rd6 10.1.0.55
Console#show hosts
Hostname rd5
Inet address 10.1.0.55 192.168.1.
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated name servers.
Field Attributes
• No – The entry number for each resource record.
• Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
• Type – This field includes CNAME which specifies the canonical or primary name for the owner, and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry.
Chapter 17: Dynamic Host Configuration Protocol Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up. If a subnet does not already include a BOOTP or DHCP server, you can relay DHCP client requests to a DHCP server on another subnet, or configure the DHCP server on this switch to support that subnet.
Web – Click DHCP, Relay Configuration. Enter up to five IP addresses for any VLAN, then click Restart DHCP Relay to start the relay service.
Figure 17-1 DHCP Relay Configuration
CLI – This example specifies one DHCP relay server for VLAN 1, and enables the relay service.
Console(config)#interface vlan 1
Console(config-if)#ip dhcp relay server 10.1.0.
Configuring the DHCP Server
Command Usage
• First configure any excluded addresses, including the address for this switch. Then configure address pools for the network interfaces. You can configure up to 8 network address pools.
• You can also manually bind an address to a specific client if required. However, any fixed addresses must fall within the range of an existing network address pool. You can configure up to 32 fixed host addresses (i.e., entering one address per pool).
CLI – This example enables the DHCP server and sets an excluded address range.
Console(config)#service dhcp
Console(config)#ip dhcp excluded-address 10.1.0.250 10.1.0.254
Console(config)#
Configuring Address Pools
You must configure IP address pools for each IP interface that will provide addresses to attached clients via the DHCP server.
Command Usage
• First configure address pools for the network interfaces.
• Configure – Click this button to configure the corresponding address pool.
Setting the Network Parameters
• IP – The IP address of the DHCP address pool.
• Subnet Mask – The bit combination that identifies the network (or subnet) and the host portion of the DHCP address pool.
Setting the Host Parameters
• IP – The IP address of the DHCP address pool.
• Subnet Mask – Specifies the network mask of the client.
Examples
Creating a New Address Pool
Web – Click DHCP, Server, Pool Configuration. Specify a pool name, then click Add.
Figure 17-3 DHCP Server Pool Configuration
CLI – This example adds an address pool and enters DHCP pool configuration mode.
Configuring a Network Address Pool
Web – Click DHCP, Server, Pool Configuration. Click the Configure button for any entry. Click the radio button for “Network.” Enter the IP address and subnet mask for the network pool. Configure the optional parameters such as gateway server and DNS server. Then click Apply.
Figure 17-4 DHCP Server Pool - Network Configuration
CLI – This example configures a network address pool.
Configuring a Host Address Pool
Web – Click DHCP, Server, Pool Configuration. Click the Configure button for any entry. Click the radio button for “Host.” Enter the IP address, subnet mask, and hardware address for the client device. Configure the optional parameters such as gateway server and DNS server. Then click Apply.
Figure 17-5 DHCP Server Pool - Host Configuration
CLI – This example configures a host address pool.
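The rules from the preceding steps, as an added Python model (not code from this manual or from the switch): addresses are excluded first, network pools are defined per interface, and a fixed host binding is accepted only when it falls inside an existing pool; allocation returns a client's fixed address when it has one, otherwise the first free address that is not excluded, not the network or broadcast address, and not held by another client, and None when the pool is exhausted. The class name DhcpServer, the pool, exclusion and MAC addresses are constructed, and the limits of 8 pools and 32 bindings are taken from the text; the model is an illustration of those rules, not the switch's own implementation.

```python
import ipaddress

MAX_NETWORK_POOLS = 8       # limits stated in the text
MAX_HOST_BINDINGS = 32


class DhcpServer:
    """Allocation model: excluded addresses, network pools, then fixed host bindings."""

    def __init__(self):
        self.excluded = set()   # IPv4Address objects that are never offered
        self.pools = {}         # pool name -> IPv4Network
        self.bindings = {}      # mac -> IPv4Address (fixed host addresses)
        self.leases = {}        # mac -> IPv4Address (dynamic assignments)

    def exclude(self, first, last=None):
        """Exclude a single address or an inclusive range, like ip dhcp excluded-address."""
        a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first)
        self.excluded.update(ipaddress.IPv4Address(x) for x in range(int(a), int(b) + 1))

    def add_network_pool(self, name, network):
        if name not in self.pools and len(self.pools) >= MAX_NETWORK_POOLS:
            raise ValueError("at most %d network pools" % MAX_NETWORK_POOLS)
        self.pools[name] = ipaddress.IPv4Network(network)

    def add_host_binding(self, mac, address):
        """A fixed address is only accepted inside an existing network pool."""
        addr = ipaddress.IPv4Address(address)
        if not any(addr in net for net in self.pools.values()):
            raise ValueError("fixed address %s is outside every network pool" % addr)
        if mac.lower() not in self.bindings and len(self.bindings) >= MAX_HOST_BINDINGS:
            raise ValueError("at most %d fixed host addresses" % MAX_HOST_BINDINGS)
        self.bindings[mac.lower()] = addr

    def pool_for(self, interface_address):
        """The pool serving the VLAN interface a request arrived on, found from the switch's
        own address on that interface (which the text says should itself be excluded)."""
        ifaddr = ipaddress.IPv4Address(interface_address)
        return next((net for net in self.pools.values() if ifaddr in net), None)

    def allocate(self, mac, interface_address):
        """Return the address offered to `mac`, or None when nothing is available."""
        mac = mac.lower()
        net = self.pool_for(interface_address)
        if net is None:
            return None
        if mac in self.bindings and self.bindings[mac] in net:
            return self.bindings[mac]
        if mac in self.leases and self.leases[mac] in net:
            return self.leases[mac]                      # same client keeps its lease
        reserved = self.excluded | set(self.bindings.values()) | set(self.leases.values())
        for candidate in net.hosts():                    # hosts() skips network and broadcast
            if candidate not in reserved:
                self.leases[mac] = candidate
                return candidate
        return None
```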
Displaying Address Bindings
You can display the host devices which have acquired an IP address from this switch’s DHCP server.
Command Attributes
• IP Address – IP address assigned to the host.
• MAC Address – MAC address of the host.
• Lease time – Duration for which this IP address can be used by the host.
• Start time – Time this address was assigned by the switch.
• Delete – Clears this binding to the host.
Chapter 18: Configuring Router Redundancy Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
• Several virtual master routers configured for mutual backup and load sharing. Load sharing can be accomplished by assigning a subset of addresses to different host address pools using the DHCP server. (See “Configuring Address Pools” on page 17-4.)
Figure: Router 1 and Router 2 sharing virtual router groups VRID 23 and VRID 25
VRID 23 (Master): IP(R1) = 192.168.1.3, IP(VR23) = 192.168.1.3, VR Priority = 255
VRID 23 (Backup): IP(R1) = 192.168.1.5, IP(VR23) = 192.168.1.3, VR Priority = 100
VRID 25 (Backup): IP(R1) = 192.168.1.
where the configured priority is the same on several group members, then the master router with the highest IP address is selected from this group.
• If you have multiple secondary addresses configured on the current VLAN interface, you can add any of these addresses to the virtual router group.
• The interfaces of all routers participating in a virtual router group must be within the same IP subnet.
Command Attributes (VRRP Group Configuration Detail)
• Associated IP Table – IP interfaces associated with this virtual router group.
• Associated IP – IP address of the virtual router, or secondary IP addresses assigned to the current VLAN interface that are supported by this VRRP group. If this address matches a real interface on this switch, then this interface will become the virtual master router for this VRRP group.
Web – Click IP, VRRP, Group Configuration. Select the VLAN ID, enter the VRID group number, and click Add.
Click the Edit button for a group entry to open the detailed configuration window. Enter the IP address of a real interface on this router to make it the master virtual router for the group. Otherwise, enter the virtual address for an existing group to make it a backup router, or to compete as the master based on configured priority if no other members are set as the owner of the group address. Click Add IP to enter an IP address into the Associated IP Table.
CLI – This example creates VRRP group 1, and sets this switch as the master virtual router by assigning the primary interface address for the selected VLAN to the virtual IP address. It then adds a secondary IP address to the VRRP group, sets all of the other VRRP parameters, and then displays the configured settings.
Console(config)#interface vlan 1
Console(config-if)#vrrp 1 ip 192.168.1.6
Console(config-if)#vrrp 1 ip 192.168.2.
CLI – This example displays counters for protocol errors for all the VRRP groups configured on this switch.
Console#show vrrp router counters
VRRP Packets with Invalid Checksum : 0
VRRP Packets with Unknown Error    : 0
VRRP Packets with Invalid VRID     : 0
Console#
Displaying VRRP Group Statistics
The VRRP Group Statistics page displays counters for VRRP protocol events and errors that have occurred on a specific VRRP interface.
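An added Python example (not code from this manual or from the switch) for two points made in this chapter. First, master election as the text describes it: the router whose real interface address is the virtual address is the owner and runs at priority 255, configured priorities decide otherwise, and equal priorities go to the highest interface address; the test uses the addresses from the figure above. Second, the validation behind the counters just shown: a VRRPv2 advertisement builder and a classifier that reports whether a received advertisement has an invalid checksum, a VRID that is not configured, or an inconsistent length (the "unknown error" bucket), using the RFC 1071 ones-complement checksum that VRRPv2 carries. VRIDs, priorities and addresses are constructed; the counter names follow the show vrrp router counters output.

```python
import ipaddress
import struct

VRRP_VERSION, VRRP_ADVERTISEMENT = 2, 1


def inet_checksum(data):
    """RFC 1071 ones-complement checksum; computed over a correct packet it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, addresses, adver_int=1):
    """VRRPv2 advertisement: 8-byte header, the virtual addresses, 8 bytes of (unused) auth data."""
    head = struct.pack("!BBBBBB", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT, vrid, priority,
                       len(addresses), 0, adver_int)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addresses) + b"\x00" * 8
    checksum = inet_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", checksum) + body


def classify_advertisement(pkt, configured_vrids):
    """Name the 'show vrrp router counters' bucket a received advertisement falls into, or 'ok'."""
    if len(pkt) < 8:
        return "unknown error"
    version_type, vrid, _prio, count, _auth, _adv, _cs = struct.unpack_from("!BBBBBBH", pkt)
    if version_type >> 4 != VRRP_VERSION or version_type & 0x0F != VRRP_ADVERTISEMENT:
        return "unknown error"
    if inet_checksum(bytes(pkt)) != 0:
        return "invalid checksum"
    if vrid not in configured_vrids:
        return "invalid VRID"
    if len(pkt) != 8 + 4 * count + 8:
        return "unknown error"
    return "ok"


def effective_priority(interface_ip, virtual_ip, configured_priority):
    """The address owner always runs at 255; every other member keeps a value in 1-254."""
    if interface_ip == virtual_ip:
        return 255
    return max(1, min(configured_priority, 254))


def elect_master(virtual_ip, members):
    """members: [(interface_ip, configured_priority), ...] for one VRID.  The highest effective
    priority wins; equal priorities are broken by the highest interface address."""
    return max(members, key=lambda m: (effective_priority(m[0], virtual_ip, m[1]),
                                        ipaddress.IPv4Address(m[0])))[0]
```

A single flipped bit in the priority field is enough to land an advertisement in the invalid-checksum counter, and a truncated one that still checksums correctly is caught by the length check instead.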
Web – Click IP, VRRP, Group Statistics. Select the VLAN and virtual router group.
Figure 18-4 VRRP Group Statistics
CLI – This example displays VRRP protocol statistics for group 1, VLAN 1.
Chapter 19: IP Routing Overview This switch supports IP routing and routing path management via static routing definitions (page 19-21) and dynamic routing protocols such as RIP or OSPF (page 20-2 or 20-14, respectively). When IP routing is enabled (page 19-4), this switch acts as a wire-speed router, passing traffic between VLANs with different IP interfaces, and routing traffic to external IP networks.
Each VLAN represents a virtual interface to Layer 3. You just need to provide the network address for each virtual interface, and the traffic between different subnetworks will be routed by Layer 3 switching.
not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node). The router will then forward the packet to the destination node through the correct path. The router can also use the ARP protocol to find out the MAC address of the destination node or of the next router as necessary.
Routing Protocols
The switch supports both static and dynamic routing.
• Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
• Dynamic routing uses a routing protocol to exchange routing information, calculate routing tables, and respond to changes in the status or loading of the network.
Web - Click IP, General, Global Settings. Set IP Routing Status to Disabled to restrict operation to Layer 2, or Enabled to allow multilayer switching, specify the default gateway to which packets for all unknown subnets will be forwarded, and click Apply.
Figure 19-1 IP Global Settings
CLI - This example enables IP routing, and sets the default gateway.
Console(config)#ip routing
Console(config)#ip route default 10.1.0.
• Before you configure any network interfaces on this router, you should first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs.
• An IP address must be assigned to gain management access over the network or to connect the switch to existing IP subnets. A specific IP address can be manually configured, or the router can be directed to obtain an address from a BOOTP or DHCP server.
Configuring IP Routing Interfaces
Web - Click IP, General, Routing Interface. Specify an IP interface for each VLAN that will support routing to other subnets. First specify a primary address, and click Set IP Configuration. If you need to assign secondary addresses, enter these addresses one at a time, and click Set IP Configuration after entering each address.
Address Resolution Protocol
If IP routing is enabled (page 19-4), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP packet is received by this router (or any standards-based router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
Basic ARP Configuration
You can use the ARP General configuration menu to specify the timeout for ARP cache entries, or to enable Proxy ARP for specific VLAN interfaces.
Command Usage
Proxy ARP
When a node in the attached subnetwork does not have routing or a default gateway configured, Proxy ARP can be used to forward ARP requests to a remote subnetwork. Because the router then answers ARP requests for any destination it can route to, enable Proxy ARP only on VLANs whose hosts genuinely lack a default gateway.
Web - Click IP, ARP, General. Set the timeout to a suitable value for the ARP cache, enable Proxy ARP for subnetworks that do not have routing or a default gateway, and click Apply.
Figure 19-3 ARP General
CLI - This example sets the ARP cache timeout to 15 minutes (i.e., 900 seconds), and enables Proxy ARP for VLAN 3.
Configuring Static ARP Addresses
For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address. If this occurs, you can manually map an IP address to the corresponding physical address in the ARP cache.
Command Usage
• The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (that is, Media Access Control) addresses.
CLI - This example sets a static entry for the ARP cache. (See page 41-32.)
Console(config)#arp 10.1.0.11 00-11-22-33-44-55
Console(config)#exit
Console#show arp
Arp cache timeout: 1200 (seconds)
IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- ----------
192.168.0.4     00-E0-29-94-34-1C dynamic   1
10.1.0.
Web - Click IP, ARP, Dynamic Addresses. You can use the buttons provided to change a dynamic entry to a static entry, or to clear all dynamic entries in the cache.
Figure 19-5 ARP Dynamic Addresses
CLI - This example shows all entries in the ARP cache. (See page 41-34.)
Console#show arp
Arp cache timeout: 1200 (seconds)
IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- ----------
10.1.0.0        ff-ff-ff-ff-ff-ff other     1
10.1.0.
Web - Click IP, ARP, Other Addresses.
Figure 19-6 ARP Other Addresses
CLI - This router uses the Type specification “other” to indicate local cache entries in the ARP cache. (See page 41-34.)
Console#show arp
Arp cache timeout: 1200 (seconds)
IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- ----------
10.1.0.0        ff-ff-ff-ff-ff-ff other     1
10.1.0.11       00-11-22-33-44-55 static    1
10.1.0.12       01-02-03-04-05-06 static    1
10.1.0.19       00-10-b5-62-03-74 dynamic   1
10.1.0.
Web - Click IP, ARP, Statistics.
Figure 19-7 ARP Statistics
CLI - This example provides detailed statistics on common IP-related protocols.
Displaying Statistics for IP Protocols
IP Statistics
The Internet Protocol (IP) provides a mechanism for transmitting blocks of data (often called packets or frames) from a source to a destination, where these network devices (i.e., hosts) are identified by fixed length addresses. The Internet Protocol also provides for fragmentation and reassembly of long packets, if necessary, for transmission through “small packet” networks.
Table 19-3 IP Statistics (Continued)
Parameter – Description
Routing Discards – The number of routing entries which were chosen to be discarded even though they are valid. One possible reason for discarding such an entry could be to free up buffer space for other routing entries.
Reassembly Successful – The number of datagrams successfully re-assembled.
Datagrams Successfully Fragmented –
Table 19-4 ICMP Statistics (Continued)
Parameter – Description
Destination Unreachable – The number of ICMP Destination Unreachable messages received/sent.
Time Exceeded – The number of ICMP Time Exceeded messages received/sent.
Parameter Problems – The number of ICMP Parameter Problem messages received/sent.
Source Quenches – The number of ICMP Source Quench messages received/sent.
Redirects – The number of ICMP Redirect messages received/sent.
UDP Statistics
User Datagram Protocol (UDP) provides a datagram mode of packet-switched communications. It uses IP as the underlying transport mechanism, providing access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
TCP Statistics
The Transmission Control Protocol (TCP) provides highly reliable host-to-host connections in packet-switched networks, and is used in conjunction with IP to support a wide variety of Internet protocols.
Table 19-6 TCP Statistics
Parameter – Description
Segments Received – The total number of segments received, including those received in error. This count includes segments received on currently established connections.
Configuring Static Routes
This router can dynamically configure routes to other network segments using dynamic routing protocols (i.e., RIP or OSPF). However, you can also manually enter static routes in the routing table. Static routes may be required to access network segments where dynamic routing is not supported, or can be set to force the use of a specific route to a subnet, rather than using dynamic routing.
Web - Click IP, Routing, Static Routes.
Figure 19-12 IP Static Routes
CLI - This example forwards all traffic for subnet 192.168.1.0 to the router 192.168.5.254, using the default metric of 1. (See page 42-2.)
Console(config)#ip route 192.168.1.0 255.255.255.0 192.168.5.254
Console(config)#
Displaying the Routing Table
You can display all the routes that can be accessed via the local network interfaces, through static routes, or through a dynamically learned route.
Web - Click IP, Routing, Routing Table.
Figure 19-13 IP Routing Table
CLI - This example shows routes obtained from various methods. (See page 42-3.)
Console#show ip route
Ip Address      Netmask         Next Hop        Protocol Metric Interface
--------------- --------------- --------------- -------- ------ ---------
0.0.0.0         0.0.0.0         10.1.0.254      static   1      1
10.1.0.0        255.255.255.0                   local    1      1
10.1.0.253 10.1.0.254 RIP 2 10.1.1.0 255.255.255.
Chapter 20: Unicast Routing
This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol. It supports RIP, RIP-2 or OSPFv2 dynamic routing. These protocols exchange routing information, calculate routing tables, and can respond to changes in the status or loading of the network.
RIP and RIP-2 Dynamic Routing Protocols
The RIP protocol is the most widely used routing protocol.
Configuring the Routing Information Protocol
The RIP protocol is the most widely used routing protocol. It uses a distance-vector approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost. Each router broadcasts its advertisement every 30 seconds, together with any updates to its routing table.
Configuring General Protocol Settings
RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table when RIP messages are received from other routers.
Web - Click Routing Protocol, RIP, General Settings. Enable or disable RIP, set the RIP version used on previously unset interfaces to RIPv1 or RIPv2, set the basic update timer, and then click Apply.
Figure 20-1 RIP General Settings
CLI - This example sets the router to use RIP Version 2, and sets the basic timer to 15 seconds.
Specifying Network Interfaces for RIP
You must specify network interfaces that will be included in the RIP routing process.
Command Usage
• RIP only sends updates to interfaces specified by this command.
Command Attributes
• Subnet Address – IP address of a network directly connected to this router. Subnet addresses are interpreted as class A, B or C, based on the first field in the specified address. In other words, if a subnet address nnn.xxx.xxx.
Configuring Network Interfaces for RIP
For each interface that participates in the RIP routing process, you must specify the protocol message type accepted (i.e., RIP version) and the message type sent (i.e., RIP version or compatibility mode), the method for preventing loopback of protocol messages, and whether or not authentication is used (i.e., authentication only applies if RIPv2 messages are being sent or received).
Protocol Message Authentication
RIPv1 is not a secure protocol. Any device sending protocol messages from UDP port 520 will be considered a router by its neighbors. Malicious or unwanted protocol messages can be easily propagated throughout the network if no authentication is required. RIPv2 supports authentication via a simple password or an MD5 key.
• Authentication Type – Specifies whether or not authentication is required for exchanging protocol messages. (Default: No Authentication)
  - No Authentication: No authentication is required.
  - Simple Password: Requires the interface to exchange routing information with other routers based on an authorized password. (Note that authentication only applies to RIPv2.)
  - MD5: Message Digest 5 (MD5) authentication.
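The two RIPv2 authentication types above differ in what an observer on the segment can recover. The following Python, added here as an example and not part of the Asante manual or the switch firmware, encodes a RIPv2 response with a Simple Password entry (RFC 2453) and with a keyed-MD5 entry and trailer (RFC 2082), then inspects and verifies them the way a monitoring tool would; the routes, password and key are constructed sample values.

```python
"""Added example: RIPv2 Simple Password (RFC 2453) versus keyed MD5
(RFC 2082) authentication, encoded and then inspected from the wire."""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF             # address-family value that marks an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3  # authentication type codes
ENTRY = 20                    # every RIPv2 entry (auth or route) is 20 bytes

# Constructed sample routes: (prefix, next hop, metric); next hop 0.0.0.0 = the sender
ROUTES = [("192.168.1.0/24", "0.0.0.0", 1), ("10.1.1.0/24", "0.0.0.0", 2)]


def _route_entry(prefix, next_hop, metric):
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HHIIII", 2, 0, int(net.network_address), int(net.netmask),
                       int(ipaddress.ip_address(next_hop)), metric)


def build_rip_simple(password, routes):
    """Response whose first entry carries the password in clear text,
    zero-padded to 16 bytes (RFC 2453 section 4.1)."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    return header + auth + b"".join(_route_entry(*r) for r in routes)


def build_rip_md5(key, key_id, seq, routes):
    """Response with a keyed-MD5 auth entry and trailer (RFC 2082 section 3.2.2):
    the digest is MD5 over the packet with the zero-padded key standing in for
    the 16-byte digest field, so the key itself never travels on the wire."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_route_entry(*r) for r in routes)
    pkt_len = 4 + ENTRY + len(body)           # RIP-2 packet length, trailer excluded
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq)
    trailer = struct.pack("!HH", AFI_AUTH, 1)
    unsigned = header + auth + body + trailer
    digest = hashlib.md5(unsigned + key.ljust(16, b"\x00")).digest()
    return unsigned + digest


def inspect_rip(packet):
    """What a passive monitor sees: auth type, route count, and for Simple
    Password the password itself, readable by anyone on the segment."""
    cmd, ver, _ = struct.unpack("!BBH", packet[:4])
    info = {"command": cmd, "version": ver, "auth": "none"}
    body = packet[4:]
    afi, atype = struct.unpack("!HH", body[:4])
    if afi == AFI_AUTH and atype == AUTH_SIMPLE:
        info["auth"] = "simple"
        info["password"] = body[4:20].rstrip(b"\x00").decode()
        body = body[ENTRY:]
    elif afi == AFI_AUTH and atype == AUTH_MD5:
        pkt_len, key_id = struct.unpack("!HB", body[4:7])
        info.update(auth="md5", key_id=key_id)
        body = body[ENTRY:pkt_len - 4]        # route entries only, trailer dropped
    info["routes"] = len(body) // ENTRY
    return info


def verify_rip_md5(packet, key):
    """Recompute the RFC 2082 digest with the shared key; any change to the
    header, the routes or the sequence number makes this fail."""
    afi, atype, pkt_len = struct.unpack("!HHH", packet[4:10])
    if afi != AFI_AUTH or atype != AUTH_MD5 or len(packet) != pkt_len + ENTRY:
        return False
    expected = hashlib.md5(packet[:-16] + key.ljust(16, b"\x00")).digest()
    return hmac.compare_digest(packet[-16:], expected)


if __name__ == "__main__":
    clear = build_rip_simple("s3cret", ROUTES)
    signed = build_rip_md5(b"shared-key", 1, 42, ROUTES)
    print(inspect_rip(clear))                        # the password is visible in the clear
    print(inspect_rip(signed), verify_rip_md5(signed, b"shared-key"))
```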
Redistributing Routing Information from Other Domains
RIP can be configured to import external routing information from other routing domains (that is, protocols or static routes) into the autonomous system.
Command Attributes
• Redistribute Protocol – Only static routes can be imported into this routing domain.
• Redistribute Metric – Metric value assigned to all external routes for the specified protocol.
Web - Click Routing Protocol, RIP, Redistribute Configuration. Enter the redistribution metric for static routes, and click Set.
Figure 20-4 RIP Redistribution Configuration
CLI - This example redistributes static routes and sets the metric for all of these routes to a value of 3.
Displaying RIP Information and Statistics
You can display basic information about the current global configuration settings for RIP, statistics about route changes and queries, information about the interfaces on this router that are using RIP, and information about known RIP peer devices.
Table 20-1 RIP Information and Statistics
Parameter – Description
Globals
RIP Routing Process – Indicates if RIP has been enabled or disabled.
Web - Click Routing Protocol, RIP, Statistics.
CLI - The information displayed by the RIP Statistics screen via the web interface can be accessed from the CLI using the following commands. (See page 42-16.)
Console#show rip globals
RIP Process: Enabled
Update Time in Seconds: 30
Number of Route Change: 4
Number of Queries: 0
Console#show ip rip configuration
Interface       SendMode        ReceiveMode   Poison         Authentication
--------------- --------------- ------------- -------------- -----------------
10.1.0.
Configuring the Open Shortest Path First Protocol
Open Shortest Path First (OSPF) is better suited to large networks that experience frequent changes in their links. It also handles subnets much better than RIP. The OSPF protocol actively tests the status of each link to its neighbors to generate a shortest path tree, and builds a routing table based on this information. OSPF then utilizes IP multicast to propagate routing information.
• OSPFv2 is a compatible upgrade to OSPF. It involves enhancements to protocol message authentication, and the addition of a point-to-multipoint interface which allows OSPF to run over non-broadcast networks, as well as support for overlapping area ranges.
• When using OSPF, you must organize your network (i.e.
• Area Border Router – Indicates if this router connects directly to networks in two or more areas. An area border router runs a separate copy of the Shortest Path First algorithm, maintaining a separate routing database for each area.
[Figure: an ABR between the backbone area and a stub or NSSA area]
• AS Boundary Router – Autonomous System Boundary Router. Allows this router to exchange routing information with boundary routers in other autonomous systems to which it may be attached.
[Figure: ASBRs connecting AS 1 and AS 2]
• Advertise Default Route – The router can advertise a default external route into the autonomous system (AS). (Options: NotAlways, Always; Default: NotAlways)
  • Always – The router will advertise itself as a default external route for the local AS, even if a default external route does not actually exist. (To define a default route, see “Configuring Static Routes” on page 19-21.
Web - Click Routing Protocol, OSPF, General Configuration. Enable OSPF, specify the Router ID, configure the other global parameters as required, and click Apply.
Figure 20-6 OSPF General Configuration
CLI - This example configures the router with the same settings as shown in the screen capture for the web interface.
Console(config)#router ospf
Console(config-router)#router-id 10.1.1.
Configuring OSPF Areas
OSPF protocol broadcast messages (that is, Link State Advertisements or LSAs) are restricted by area to limit their impact on network performance. A large network should be split up into separate OSPF areas to increase network stability, and to reduce protocol traffic by summarizing routing information into more compact messages.
NSSA – A not-so-stubby area (NSSA) can be configured to control the use of default routes for Area Border Routers (ABRs) and Autonomous System Boundary Routers (ASBRs), or external routes learned from other routing domains and imported through an ABR. An NSSA is similar to a stub.
Command Usage
• Before you create the backbone, a stub or NSSA, first specify the address range for the area using the Network Area Address Configuration screen (page 20-31).
• Stubs and NSSAs cannot be used as a transit area, and should therefore be placed at the edge of the routing domain.
• A stub or NSSA can have multiple ABRs or exit points.
Web - Click Routing Protocol, OSPF, Area Configuration. Set any area to a stub or NSSA as required, specify the cost for the default summary route sent into a stub, and click Apply.
Figure 20-7 OSPF Area Configuration
CLI - This example configures area 0.0.0.1 as a normal area, area 0.0.0.2 as a stub, and area 0.0.0.3 as an NSSA. It also configures the router to propagate a default summary route into the stub and sets the cost for this default route to 10.
Console#show ip ospf
Routing Process with ID 192.168.1.253
Supports only single TOS(TOS0) route
Number of area in this router is 3
Area 0.0.0.0 (BACKBONE)
  Number of interfaces in this area is 1
  SPF algorithm executed 40 times
Area 0.0.0.2 (STUB)
  Number of interfaces in this area is 1
  SPF algorithm executed 8 times
Area 0.0.0.
Note: This router supports up to 64 summary routes for area ranges.
Web - Click Routing Protocol, OSPF, Area Range Configuration. Specify the area identifier, the base address and network mask, select whether or not to advertise the summary route to other areas, and then click Apply.
Figure 20-8 OSPF Range Configuration
CLI - This example summarizes all the routes for area 1. Note that the default for the area range command is to advertise the route summary.
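How an area range summary is derived, and what it can give away, as an added Python example that is not from the Asante manual or the switch firmware: given the prefixes inside an area it computes the single range that covers them, emits the corresponding area range command, and reports the address space the summary advertises beyond the prefixes actually present; the prefixes and the area's network statement are constructed sample values, and the command form assumes the manual's "area <id> range <address> <mask>" syntax.

```python
"""Added example: derive an OSPF area range summary from a set of
intra-area prefixes and measure how much it over-advertises."""
import ipaddress


def summary_for(prefixes):
    """Smallest single supernet that covers every prefix, found by widening
    the lowest prefix one bit at a time until all prefixes fit inside it."""
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    if not nets:
        raise ValueError("no prefixes to summarize")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()       # /24 -> /23 -> /22 ...
    return candidate


def overreach(prefixes, summary):
    """Addresses the summary covers that belong to none of the prefixes
    (overlapping prefixes are collapsed first so they are not counted twice)."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    return summary.num_addresses - sum(n.num_addresses for n in nets)


def leaks_outside_area(summary, area_networks):
    """True when the summary is not contained in any 'network ... area' range,
    i.e. it would advertise space the area was never configured to hold."""
    return not any(summary.subnet_of(ipaddress.ip_network(a)) for a in area_networks)


def area_range_command(area_id, prefixes):
    """The router-configuration line for this summary, in the manual's
    'area <id> range <address> <mask>' form (advertised by default)."""
    s = summary_for(prefixes)
    return f"area {area_id} range {s.network_address} {s.netmask}"


# Constructed sample: three /24s in area 0.0.0.1, whose network statement
# (as in the manual's later example) only covers 10.1.1.0/24.
AREA1_PREFIXES = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
AREA1_NETWORKS = ["10.1.1.0/24"]

if __name__ == "__main__":
    s = summary_for(AREA1_PREFIXES)
    print(area_range_command("0.0.0.1", AREA1_PREFIXES))
    print("extra addresses advertised:", overreach(AREA1_PREFIXES, s))
    print("outside the area's network statements:", leaks_outside_area(s, AREA1_NETWORKS))
```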
Configuring OSPF Interfaces
You should specify a routing interface for any local subnet that needs to communicate with other network segments located on this router or elsewhere in the network. First configure a VLAN for each subnet that will be directly connected to this router, assign IP interfaces to each VLAN (i.e.
estimating this delay. Set the transmit delay according to link speed, using larger values for lower-speed links. If this delay is not added, the time required to transmit an LSA over the link is not taken into consideration by the routing process. On slow links, the router may send packets more quickly than devices can receive them. To avoid this problem, you can use the transmit delay to force the router to wait a specified interval between transmissions.
When using simple password authentication, a password is included in the packet. If it does not match the password configured on the receiving router, the packet is discarded. This method provides very little security as it is possible to learn the authentication key by snooping on routing protocol packets.
Web - Click Routing Protocol, OSPF, Interface Configuration. Select the required interface from the scroll-down box, and click Detailed Settings.
Figure 20-9 OSPF Interface Configuration
Change any of the interface-specific protocol parameters, and then click Apply.
CLI - This example configures the interface parameters for VLAN 1.
Note: This router supports up to 64 virtual links.
Web - Click Routing Protocol, OSPF, Virtual Link Configuration. To create a new virtual link, specify the Area ID and Neighbor Router ID, configure the link attributes, and click Add. To modify the settings for an existing link, click the Detail button for the required entry, modify the link settings, and click Set.
Figure 20-11 OSPF Virtual Link Configuration
CLI - This example configures a virtual link from the ABR adjacent to area 0.
Configuring Network Area Addresses
OSPF protocol broadcast messages (i.e., Link State Advertisements or LSAs) are restricted by area to limit their impact on network performance. A large network should be split up into separate OSPF areas to increase network stability, and to reduce protocol traffic by summarizing routing information into more compact messages.
Web - Click Routing Protocol, OSPF, Network Area Address Configuration. Configure a backbone area that is contiguous with all the other areas in your network, configure an area for all of the other OSPF interfaces, then click Apply.
CLI - This example configures the backbone area and one transit area.
Console(config-router)#network 10.0.0.0 255.0.0.0 area 0.0.0.0
Console(config-router)#network 10.1.1.0 255.255.255.0 area 0.0.0.1
Console(config-router)#end
Console#show ip ospf
Routing Process with ID 10.1.1.253
Supports only single TOS(TOS0) route
Number of area in this router is 4
Area 0.0.0.0 (BACKBONE)
  Number of interfaces in this area is 1
  SPF algorithm executed 8 times
Area 0.
Web - Click Routing Protocol, OSPF, Summary Address Configuration. Specify the base address and network mask, then click Add.
Figure 20-13 OSPF Summary Address Configuration
CLI - This example creates a summary address for all routes contained in 192.168.x.x.
Console(config-router)#summary-address 192.168.0.0 255.255.0.
Redistributing External Routes
You can configure this router to import external routing information from other routing protocols or static routes into the autonomous system, and to generate AS-external-LSAs.
[Figure: an ASBR importing RIP or static routes into the OSPF AS]
Command Usage
• This router supports redistribution for entries learned through RIP, and static routes.
Web - Click Routing Protocol, OSPF, Redistribute. Specify the protocol type to import, the metric type and path cost, then click Add.
Figure 20-14 OSPF Redistribute Configuration
CLI - This example redistributes routes learned from RIP as Type 1 external routes.
Information option. However, an NSSA is different from a stub, because when the router is an ASBR, it can import a default external AS route (for routing protocol domains adjacent to the NSSA but not within the OSPF AS) into the NSSA using this option.
• No Redistribution – Use this option when the router is an NSSA Area Border Router (ABR) and routes only need to be imported into normal areas (page 20-35), but not into the NSSA.
Displaying Link State Database Information
OSPF routers advertise routes using Link State Advertisements (LSAs). The full collection of LSAs collected by a router interface from the attached area is known as a link state database. Routers that are connected to multiple interfaces will have a separate database for each area. Each router in the same area should have an identical database describing the topology for that area, and the shortest path to external destinations.
Web - Click Routing Protocol, OSPF, Link State Database Information. Specify parameters for the LSAs you want to display, then click Query.
Figure 20-16 OSPF Link State Database Information
CLI - The CLI provides a wider selection of display options for viewing the Link State Database. See “show ip ospf database” on page 42-41.
Displaying Information on Border Routers
You can display entries in the local routing table for Area Border Routers (ABR) and Autonomous System Boundary Routers (ASBR) known by this device.
Field Attributes
• Destination – Identifier for the destination router.
• Next Hop – IP address of the next hop toward the destination.
• Cost – Link metric for this route.
• Type – Router type of the destination; either ABR, ASBR or both.
Displaying Information on Neighbor Routers
You can display information about neighboring routers on each interface within an OSPF area.
Field Attributes
• ID – Neighbor’s router ID.
• Priority – Neighbor’s router priority.
• State – OSPF state and identification flag.
Section III: Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
Overview of the Command Line Interface 21-1
General Commands 22-1
System Management Commands 23-1
SNMP Commands
Chapter 21: Overview of the Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Note: You can only access the console interface through the Master unit in the stack.
Using the Command Line Interface
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask 255.255.255.0, consists of a network portion (10.1.0) and a host portion (1).
Note: The IP address for this switch is obtained via DHCP by default. To access the stack through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, DHCP, Interface, Line, Router, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
  counters       Information of interfaces counters
  protocol-vlan  Protocol-vlan information
  status         Information of interfaces status
  switchport     Information of interfaces switchport
Console#
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Username: guest
Password: [guest login password]
CLI session with the 24/48 L3 GE Switch is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password]
Console#
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted.
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
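The unique-prefix rule described above, as an added Python example that is not from the manual or the switch firmware: it resolves an abbreviated, case-insensitive command line against a small command tree built from keywords shown in this chapter, and reports ambiguous or invalid tokens the way the “?” lookup would; the tree is a constructed subset, not the switch's full command set.

```python
"""Added example: resolve abbreviated CLI keywords by unique prefix."""

# Constructed subset of the command tree; a None value means no further keywords.
COMMAND_TREE = {
    "show": {
        "interfaces": {"counters": None, "protocol-vlan": None,
                       "status": None, "switchport": None},
        "ip": {"route": None},
        "arp": None,
    },
    "shutdown": None,
    "enable": None,
}


def partial_lookup(keywords, partial):
    """Keywords that start with the typed text: what 'sho?' style lookup lists."""
    p = partial.lower()
    return sorted(k for k in keywords if k.startswith(p))


def resolve_keyword(keywords, token):
    """Expand one token: an exact match wins outright, otherwise the typed
    prefix must match exactly one keyword at this level of the tree."""
    token = token.lower()
    if token in keywords:
        return token
    matches = partial_lookup(keywords, token)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"% Invalid input: {token}")
    raise ValueError(f"% Ambiguous command: {token} ({', '.join(matches)})")


def resolve_line(tree, line):
    """Expand every keyword of an abbreviated line, descending the tree one
    level per token, and return the full command as the switch would run it."""
    node, expanded = tree, []
    for token in line.split():
        if node is None:
            raise ValueError(f"% Too many arguments: {token}")
        keyword = resolve_keyword(node, token)
        expanded.append(keyword)
        node = node[keyword]
    return " ".join(expanded)


if __name__ == "__main__":
    print(resolve_line(COMMAND_TREE, "sho int sw"))     # show interfaces switchport
    print(partial_lookup(COMMAND_TREE, "sh"))           # ['show', 'shutdown']: "sh" is ambiguous
```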
Command Groups
The system commands can be broken down into the functional groups shown below.
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
DC (DHCP Server Configuration)
GC (Global Configuration)
IC (Interface Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
RC (Router Configuration)
VC (VLAN Database Configuration)
Chapter 22: General Commands
These commands are used to control the command access mode, configuration mode, and other basic functions.
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (22-2)
enable password (25-3)
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics.
Example
Console#configure
Console(config)#
Related Commands
end (22-4)
show history
This command shows the contents of the command history buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
reload
This command restarts the system.
Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
This command resets the entire system.
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
Example
This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:
Console(config-if)#end
Console#
exit
This command returns to the previous configuration mode or exits the configuration program.
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
Chapter 23: System Management Commands
These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Command Mode
Global Configuration
Example
Console(config)#hostname RD#1
Console(config)#
switch renumber
This command resets the switch unit identification numbers in the stack. All stack members are numbered sequentially starting from the top unit for a non-loop stack, or starting from the Master unit for a looped stack.
Syntax
switch all renumber
Default Setting
• For non-loop stacking, the top unit is unit 1.
• For loop stacking, the master unit is unit 1.
System Status Commands
This section describes commands used to display system information.
Example
Console#show startup-config
building startup-config, please wait.....
show running-config
This command displays the configuration information currently in use.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes.
Example
Console#show running-config
building running-config, please wait.....
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 4-1.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Example
Console#show version
Unit 1
 Serial Number:          0000E8900001
 Hardware Version:       R01
 EPLD Version:           1.06
 Number of Ports:        26
 Main Power Status:      Up
 Redundant Power Status: Not present
Agent (Master)
 Unit ID:                1
 Loader Version:         1.19.2.58
 Boot ROM Version:       1.1.0.1
 Operation Code Version: 1.1.0.2
Console#
Frame Size Commands
This section describes commands used to configure the Ethernet frame size on the switch.
connections, all devices in the collision domain would need to support jumbo frames.
• The current setting for jumbo frames can be displayed with the show system command (page 23-7).
Example
Console(config)#jumbo frame
Console(config)#
Related Commands
show ipv6 mtu (41-19)
File Management Commands
Managing Firmware
Firmware can be uploaded and downloaded to or from a TFTP server.
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.
• Use the copy file unit command to copy a local file to another switch in the stack. Use the copy unit file command to copy a file from another switch in the stack.
• The Boot ROM and Loader cannot be uploaded to or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
• For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” on page 6-7.
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server.
Command Mode
Privileged Exec
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
• A colon (:) is required after the specified unit number.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete test2.cfg
Console#
Related Commands
dir (23-14)
delete public-key (25-20)

dir
This command displays a list of files in flash memory.
• File information is shown below:
Table 23-6 File Directory Information
Column Heading   Description
file name        The name of the file.
file type        File types: Boot-Rom, Operation Code, and Config file.
startup          Shows if this file is used when the system is started.
size             The length of the file in bytes.
boot system
This command specifies the file or image used to start up the system.
Syntax
boot system [unit:] {boot-rom | config | opcode}: filename
The type of file or image to set as a default includes:
• boot-rom* - Boot ROM.
• config* - Configuration file.
• opcode* - Run-time operation code.
• filename - Name of configuration file or code image.
• unit* - Stack unit. (Range: 1-8)
* The colon (:) is required.
Line Commands
You can access the onboard configuration program by attaching a VT100-compatible device to the switch’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
Example
To enter console line mode, enter the following command:
Console(config)#line console
Console(config-line)#
Related Commands
show line (23-25)
show users (23-8)

login
This command enables password checking at login.
Example
Console(config-line)#login local
Console(config-line)#
Related Commands
username (25-2)
password (23-19)

password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password.
timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
Command Usage
• If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.
• Using the command without specifying a timeout restores the default setting.
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Syntax
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response. (Range: 0-65535; 0: no silent-time)
Default Setting
The default value is no silent-time.
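The lockout behaviour that silent-time and password-thresh describe, as an added model (not the switch's firmware): consecutive failed logins are counted, and once the allowed attempts are used up the console stops responding for the silent time. It assumes password-thresh is the number of failed attempts allowed before the silent period starts, and injects the clock so the timing can be checked without waiting.

```python
"""Added illustration of the console lockout described by the silent-time and
password-thresh commands; not code from the switch. Assumed semantics: the
silent period starts when the count of consecutive failures reaches
password_thresh, a successful login resets the count, and silent_time 0 means
no silent period (matching "0: no silent-time")."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ConsoleGuard:
    password_thresh: int   # failed attempts allowed before lockout (assumed meaning)
    silent_time: int       # seconds the console stays silent; 0 disables the silent period
    failures: int = field(default=0, init=False)
    silent_until: float = field(default=0.0, init=False)

    def is_silent(self, now: float) -> bool:
        """True while the console must ignore login attempts."""
        return now < self.silent_until

    def attempt(self, password_ok: bool, now: float) -> str:
        """Process one login attempt at time `now` (seconds).

        Returns 'silent' (ignored during the silent period), 'ok', 'fail', or
        'locked' for the failure that exhausted the threshold and started the
        silent period."""
        if self.is_silent(now):
            return "silent"            # attempts during the silent period do not extend it
        if password_ok:
            self.failures = 0          # a successful login clears the failure count
            return "ok"
        self.failures += 1
        if self.failures >= self.password_thresh:
            self.failures = 0          # the next cycle starts fresh once the threshold is reached
            if self.silent_time > 0:
                self.silent_until = now + self.silent_time
                return "locked"
        return "fail"


def run_attempts(guard: ConsoleGuard, attempts: List[Tuple[bool, float]]) -> List[str]:
    """Replay (password_ok, time) pairs and collect the outcome of each attempt."""
    return [guard.attempt(ok, t) for ok, t in attempts]


if __name__ == "__main__":
    # Constructed scenario: password-thresh 3, silent-time 30.
    outcomes = run_attempts(ConsoleGuard(3, 30),
                            [(False, 0), (False, 1), (False, 2), (True, 10), (True, 33)])
    print(outcomes)   # ['fail', 'fail', 'locked', 'silent', 'ok']
```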
Example
To specify 7 data bits, enter this command:
Console(config-line)#databits 7
Console(config-line)#
Related Commands
parity (23-23)

parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Default Setting
auto
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal and adjust the speed accordingly.
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifier for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (25-22)
show users (23-8)

show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
• console - Console terminal line.
Event Logging Commands
This section describes commands used to configure event logging on the switch.
logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
• level - One of the levels listed below.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Use this command more than once to build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level]
no logging trap
level - One of the syslog severity levels listed in the table on page 23-27. Messages sent include the selected level up through level 0.
Related Commands
show log (23-31)

show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | sendmail | trap}
• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
The following example displays settings for the trap function.
Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.
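The severity rule that logging history and logging trap apply ("the selected level up through level 0"), worked through on sample entries in the layout that show log ram prints later in this chapter; this is an added example, not the switch's code, and the sample lines are constructed rather than captured from a switch.

```python
"""Added example (not switch firmware): syslog severity filtering as used by
`logging history` and `logging trap`, plus a parser for the entry layout printed
by `show log ram`. Severities run from 0 (emergencies) to 7 (debugging); a
configured level admits that level and every more severe level down to 0."""
import re
from typing import Dict, List, Optional

# Standard syslog severity numbering, for readable output.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# One entry per line, e.g.
# [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
LOG_ENTRY = re.compile(
    r'^\[(?P<index>\d+)\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+'
    r'"(?P<message>[^"]*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)\s*$')


def parse_entry(line: str) -> Optional[Dict]:
    """Parse one `show log ram` line; None for prompts or other non-entry lines."""
    m = LOG_ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("index", "level", "module", "function", "event"):
        entry[key] = int(entry[key])
    entry["severity"] = SEVERITY_NAMES.get(entry["level"], "unknown")
    return entry


def passes_level(entry_level: int, configured_level: Optional[int]) -> bool:
    """True if an event at `entry_level` is kept under the configured ceiling.

    None models `no logging trap` (remote logging disabled): nothing is sent."""
    if configured_level is None:
        return False
    if not 0 <= configured_level <= 7:
        raise ValueError("syslog level must be 0-7")
    return entry_level <= configured_level      # selected level up through level 0


def filter_log(lines: List[str], configured_level: Optional[int]) -> List[Dict]:
    """Entries from `lines` that would be stored or forwarded at `configured_level`."""
    kept = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and passes_level(entry["level"], configured_level):
            kept.append(entry)
    return kept


# Constructed sample in the `show log ram` layout (not captured from a real switch).
SAMPLE_LOG = [
    'Console#show log ram',
    '[2] 00:02:10 2001-01-01 "Unit 1, Port 5 link-down notification." level: 6, module: 5, function: 1, and event no.: 2',
    '[1] 00:01:45 2001-01-01 "Unit 1, Port 3 security violation." level: 4, module: 6, function: 2, and event no.: 3',
    '[0] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1',
    'Console#',
]

if __name__ == "__main__":
    # With `logging trap 4` only the warning-level entry would reach the syslog server.
    for e in filter_log(SAMPLE_LOG, 4):
        print(e["index"], e["severity"], e["message"])
```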
Example
The following example shows the event messages stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
Console#

SMTP Alert Commands
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
• To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again.
Default Setting
None
Command Mode
Global Configuration
Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Command Mode
Global Configuration
Example
Console(config)#logging sendmail
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
192.168.1.19
SMTP minimum severity level: 7
SMTP destination email addresses
-----------------------------------------------
ted@this-company.

Time Commands
Table 23-13 Time Commands (Continued)
Command                        Function                                                                        Mode  Page
clock summertime (date)        Configures summer time (daylight savings time) for the switch’s internal clock  GC    23-40
clock summertime (predefined)  Configures summer time (daylight savings time) for the switch’s internal clock  GC    23-41
clock summertime (recurring)   Configures summer time (daylight savings time) for the switch’s internal clock  GC    23-42
show clock                     Shows the time zone and summer-time                                             PE    23-43
Related Commands
sntp server (23-37)
sntp poll (23-37)
show sntp (23-38)

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.
Syntax
sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP).
Default Setting
16 seconds
Command Mode
Global Configuration
Example
Console(config)#sntp poll 60
Console#
Related Commands
sntp client (23-36)

sntp update-time
This command sends a request to the configured SNTP servers to immediately update the time.
clock timezone
This command sets the time zone for the switch’s internal clock.
Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
• name - Name of timezone, usually an acronym. (Range: 1-29 characters)
• hours - Number of hours before/after UTC. (Range: 0-13 hours)
• minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
• before-utc - Sets the local time zone before (east) of UTC.
• after-utc - Sets the local time zone after (west) of UTC.
Command Mode
Global Configuration
Command Usage
This command sets the local time zone relative to Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
• offset - Summer-time offset from the regular time zone, in minutes. (Range: 0-99 minutes)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
Command Usage
• In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
• This command sets the summer time relative to the configured time zone.
• b-month - The month when summer-time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
• b-hour - The hour when summer-time will begin. (Range: 0-23 hours)
• b-minute - The minute when summer-time will begin. (Range: 0-59 minutes)
• e-week - The week of the month when summer-time will end. (Range: 1-5)
• e-day - The day of the week summer-time will end.
Example
Console#show clock
Time Zone   : GMT-0930-Taiohaer
Summer Time : offset 60 minutes Apr 1 2007 23:23 to Apr 23 2007 23:23
Summer Time in Effect : No
Console#

calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec {day month year | month day year}
• hour - Hour in 24-hour format.
Chapter 24: SNMP Commands
These commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#

show snmp
This command can be used to check the status of SNMP communications.
Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1. private, and the privilege is read-write
 2.
• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Command Mode
Global Configuration
Example
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
Command Mode
Global Configuration
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (24-4)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
• SNMP Version: 1
• UDP Port: 162
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
• The snmp-server host command is used in conjunction with the snmp-server enable traps command.
supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
• If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command.
conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 24-11).
Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#
Related Commands
snmp-server host (24-5)

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
• A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 24-14).
Example
Console(config)#snmp-server engine-id local 12345
Console(config)#snmp-server engineID remote 54321 192.168.1.
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
• view-name - Name of an SNMP view. (Range: 1-32 characters)
• oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)
• included - Defines an included view.
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#

Table 24-3 show snmp view - display description
Field         Description
View Name     Name of an SNMP view.
Subtree OID   A branch in the MIB tree.
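How a view built from snmp-server view entries decides whether a request may touch a given OID, and how a group's read and write views (the defaultview and none values that show snmp group lists in this chapter) map a GET or SET onto that decision. This is an added example, not the switch's implementation; it assumes that a `*` in an oid-tree masks exactly one sub-identifier and that when several entries of one view cover an OID the most specific entry wins, and the restricted "monitor" group is constructed for illustration.

```python
"""Added example (not the switch's code) of SNMP view evaluation and group
read/write authorisation. Assumptions, labelled: '*' masks one sub-identifier;
the longest matching entry within a view decides included/excluded; a view
name of 'none' (as printed by `show snmp group`) denies every request."""
from typing import Dict, List, Optional, Tuple


def parse_oid(text: str) -> List[str]:
    """'1.3.6.1.2.1' -> ['1','3','6','1','2','1']; '*' components are kept as wildcards."""
    parts = text.strip(".").split(".")
    for p in parts:
        if p != "*" and not p.isdigit():
            raise ValueError(f"bad OID component {p!r} in {text!r}")
    return parts


def subtree_covers(subtree: List[str], oid: List[str]) -> bool:
    """True if `oid` lies under `subtree`: prefix match, '*' matching any one sub-identifier."""
    if len(subtree) > len(oid):
        return False
    return all(s == "*" or s == o for s, o in zip(subtree, oid))


class SnmpView:
    """One named view: the (oid-tree, included?) entries added by `snmp-server view`."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Tuple[List[str], bool]] = []

    def add(self, oid_tree: str, included: bool) -> "SnmpView":
        self.entries.append((parse_oid(oid_tree), included))
        return self

    def permits(self, oid_text: str) -> bool:
        """The most specific covering entry decides; an OID under no entry is outside the view."""
        oid = parse_oid(oid_text)
        best: Optional[Tuple[List[str], bool]] = None
        for subtree, included in self.entries:
            if subtree_covers(subtree, oid) and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


def authorize(groups: Dict[str, Dict[str, str]], views: Dict[str, SnmpView],
              group: str, operation: str, oid: str) -> bool:
    """Check a 'read' (GET) or 'write' (SET) against the group's read or write view."""
    if operation not in ("read", "write"):
        raise ValueError("operation must be 'read' or 'write'")
    view_name = groups.get(group, {}).get(operation, "none")
    if view_name == "none" or view_name not in views:
        return False
    return views[view_name].permits(oid)


# Constructed configuration. defaultview covers the whole tree (subtree 1) as in
# this chapter's `show snmp group` output; the mib-2 view is constructed to show
# the wildcard: it hides every ifEntry column (1.3.6.1.2.1.2.2.1.<col>.<ifIndex>)
# for interface index 3 from a read-only "monitor" group.
VIEWS = {
    "defaultview": SnmpView("defaultview").add("1", True),
    "mib-2": SnmpView("mib-2").add("1.3.6.1.2.1", True).add("1.3.6.1.2.1.2.2.1.*.3", False),
}
GROUPS = {
    "public": {"read": "defaultview", "write": "none"},
    "private": {"read": "defaultview", "write": "defaultview"},
    "monitor": {"read": "mib-2", "write": "none"},     # constructed, not a switch default
}

if __name__ == "__main__":
    for grp, op, oid in [("public", "write", "1.3.6.1.2.1.1.5.0"),
                         ("monitor", "read", "1.3.6.1.2.1.2.2.1.2.3"),
                         ("monitor", "read", "1.3.6.1.2.1.2.2.1.2.4")]:
        print(grp, op, oid, "->", "permit" if authorize(GROUPS, VIEWS, grp, op, oid) else "deny")
```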
Default Setting
Default groups: public (read only), private (read/write)
• readview - Every object belonging to the Internet OID space (1.3.6.1).
• writeview - Nothing is defined.
• notifyview - Nothing is defined.
Command Mode
Global Configuration
Command Usage
• A group sets the access policy for the assigned users.
• When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#

Table 24-4 show snmp group - display description
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Syntax
snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]}
no snmp-server user username {v1 | v2c | v3 | remote}
• username - Name of user connecting to the SNMP agent.
need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
Example
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
Console(config)#

show snmp user
This command shows information on SNMP users.
Chapter 25: User Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
User Account Commands

username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
Syntax
username name {access-level level | nopassword | password {0 | 7} password}
no username name
• name - The name of the user. (Maximum length: 8 characters, case sensitive.
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Syntax
enable password [level level] {0 | 7} password
no enable password [level level]
• level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Example
Console(config)#authentication login radius
Console(config)#
Related Commands
username - for setting the local user names and passwords (25-2)

authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 22-1). Use the no form to restore the default.
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.
Example
Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green
Console(config)#

radius-server port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server port port_number
no radius-server port
port_number - RADIUS server UDP port used for authentication messages.
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number_of_retries
no radius-server retransmit
number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Example
Console#show radius-server
Remote RADIUS server configuration:
Global settings:
 Communication key with RADIUS server: *****
 Server port number: 1812
 Retransmit times: 2
 Request timeout: 5
Server 1:
 Server IP address: 192.168.1.
TACACS+ Client

Command Mode
Global Configuration
Example
Console(config)#tacacs-server host 192.168.1.25
Console(config)#

tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port_number
no tacacs-server port
port_number - TACACS+ server TCP port used for authentication messages.
show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS server configuration:
 Server IP address: 10.11.12.13
 Communication key with TACACS server: *****
 Server port number: 49
Console#

Web Server Commands
This section describes commands used to configure web browser management access to the switch.
Example
Console(config)#ip http port 769
Console(config)#
Related Commands
ip http server (25-12)

ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
• When you start HTTPS, the connection is established in this way:
  - The client authenticates the server using the server’s digital certificate.
  - The client and server negotiate a set of security protocols to use for the connection.
  - The client and server generate session keys for encrypting and decrypting data.
• The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.
• If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number
Example
Console(config)#ip http secure-port 1000
Console(config)#
Related Commands
ip http secure-server (25-12)

Telnet Server Commands
This section describes commands used to configure Telnet management access to the switch.
Secure Shell Commands
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client.
d.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
Related Commands
ip ssh crypto host-key generate (25-20)
show ssh (25-22)

ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation.
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset.
delete public-key
This command deletes the specified user’s public key.
Syntax
delete public-key username [dsa | rsa]
• username – Name of an SSH user. (Range: 1-8 characters)
• dsa – DSA public key type.
• rsa – RSA public key type.
Default Setting
Deletes both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Related Commands
ip ssh crypto zeroize (25-21)
ip ssh save host-key (25-21)

ip ssh crypto zeroize
This command clears the host key from memory (i.e., RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
• dsa – DSA key type.
• rsa – RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
• This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
Related Commands
ip ssh crypto host-key generate (25-20)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#

show ssh
This command displays the current SSH server connections.
Table 25-11 show ssh - display description (Continued)
Field        Description
Encryption   The encryption method is automatically negotiated between the client and server.
             Options for SSHv1.5 include: DES, 3DES
             Options for SSHv2.
Example
Console#show public-key host
Host:
RSA:
1024 65537 13236940658254764031382795526536375927835525327972629521130241
0719421061655759424590939236096954050362775257556251003866130989393834523
1033280214988866192159556859887989191950588394018138744046890877916030583
7768185490002831341625008348718449522087429212255691665655296328163516964
0408315547660664151657116381
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacW
Port Security Commands

port security
This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for the response to a security violation or for the maximum number of allowed addresses.
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
shutdown (27-7)
mac-address-table static (31-1)

802.1X Port Authentication
The switch supports IEEE 802.
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
Syntax
[no] dot1x system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dot1x system-auth-control
Console(config)#

dot1x default
This command sets all configurable dot1x global and port settings to their default values.
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
• auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
• force-authorized – Configures the port to grant access to all clients, either dot1x-aware or otherwise.
dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1-8)
  - port - Port number. (Range: 1-26/50)
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Related Commands
dot1x timeout re-authperiod (25-31)
dot1x timeout quiet-period
This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds.
dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
• 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
- reauth-enabled – Periodic re-authentication (page 25-30).
- reauth-period – Time after which a connected client must be re-authenticated (page 25-31).
- quiet-period
- tx-period
- supplicant-timeout
- server-timeout
- reauth-max
- max-req
- Status
- Operation Mode
- Max Count
- Port-control
- Supplicant
- Current Identifier
Example
Console#show dot1x
Global 802.1X Parameters
 system-auth-control: enable

802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        disabled  Single-Host     ForceAuthorized  n/a
. . .
1/25       disabled  Single-Host     ForceAuthorized  yes
1/26       enabled   Single-Host     Auto             yes

802.1X Port Details
802.1X is enabled on port 1/1
. . .
802.
Management IP Filter Commands 25 Management IP Filter Commands This section describes commands used to configure IP management access to the switch.
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console#
show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
Chapter 26: Access Control List Commands Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
26 Access Control List Commands access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address. • extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. • acl_name – Name of the ACL.
IPv4 ACLs 26
Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
• New rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
• host – Keyword followed by a specific IP address.
• precedence – IP precedence level. (Range: 0-7)
• tos – Type of Service level. (Range: 0-15)
• dscp – DSCP priority level. (Range: 0-63)
• sport – Protocol source port number. (Range: 0-65535)
• dport – Protocol destination port number. (Range: 0-65535)
• port-bitmask – Decimal number representing the port bits to match.
Example
This example accepts any incoming packet whose source address is within subnet 10.7.1.x. The rule matches when the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet address (for example 10.7.1.2 & 255.255.255.0); a matching packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
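The bitmask semantics described above (1 bits match, 0 bits are ignored, mask ANDed with both the rule address and the packet address) are easy to get backwards when reading a rule, so the following added Python example evaluates an IPv4 ACL the way this chapter describes it. It is not code from the switch or from Asante; the rule grammar it parses ({permit|deny} [tcp|udp] <src> <dst> [dport N]) is a simplified, hypothetical subset modelled on the two rules in the example, and the implicit deny for packets that match no rule is an assumption, not a behaviour stated on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def mask_match(rule_addr: str, bitmask: str, pkt_addr: str) -> bool:
    """Bitmask semantics from this chapter: 1 bits mean 'match', 0 bits mean
    'ignore'. The mask is ANDed with the rule address and with the packet
    address, and the two masked values must be equal."""
    m = ip_to_int(bitmask)
    return (ip_to_int(rule_addr) & m) == (ip_to_int(pkt_addr) & m)


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[str]        # "tcp", "udp", or None for any IP protocol
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    dport: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A' or 'A MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "0.0.0.0", i + 1              # all-zero mask ignores every bit
    if tokens[i] == "host":
        return tokens[i + 1], "255.255.255.255", i + 2  # all-ones mask: exact match
    return tokens[i], tokens[i + 1], i + 2


def parse_rule(text: str) -> Rule:
    """Hypothetical simplified grammar (not the switch's full syntax):
    {permit|deny} [tcp|udp] <src> <dst> [dport N]"""
    t = text.split()
    if t[0] not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {text}")
    i, proto = 1, None
    if t[i] in ("tcp", "udp"):
        proto, i = t[i], i + 1
    src, smask, i = _parse_addr(t, i)
    dst, dmask, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "dport" else None
    return Rule(t[0], proto, src, smask, dst, dmask, dport)


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto is not None and r.proto != p.proto:
        return False
    if not mask_match(r.src, r.src_mask, p.src):
        return False
    if not mask_match(r.dst, r.dst_mask, p.dst):
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins. Dropping a packet that matches no rule is an
    assumed implicit deny, not a behaviour stated on this page."""
    for r in acl:
        if rule_matches(r, p):
            return r.action
    return "deny"


# Constructed ACL holding the two rules discussed in the example above.
SAMPLE_ACL = [parse_rule("permit 10.7.1.1 255.255.255.0 any"),
              parse_rule("permit tcp 192.168.1.0 255.255.255.0 any dport 80")]

# Constructed packets (addresses are illustrative only).
SAMPLE_PACKETS = {
    "inside_subnet": Packet("10.7.1.2", "172.16.0.9"),
    "outside_subnet": Packet("10.7.2.2", "172.16.0.9"),
    "http_from_classc": Packet("192.168.1.50", "203.0.113.8", "tcp", 80),
    "https_from_classc": Packet("192.168.1.50", "203.0.113.8", "tcp", 443),
    "udp80_from_classc": Packet("192.168.1.50", "203.0.113.8", "udp", 80),
}


def evaluate_samples() -> dict:
    return {name: evaluate(SAMPLE_ACL, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18s} -> {verdict}")
```

Note that the first rule uses 10.7.1.1 as its address: after the AND with 255.255.255.0 that becomes 10.7.1.0, which is why 10.7.1.2 matches while 10.7.2.2 does not. Rules are tested in the order they were appended, which is the behaviour the Command Usage section above describes.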
ip access-group
This command binds a port to an IPv4 ACL. Use the no form to remove the port.
Syntax
[no] ip access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
IPv6 ACLs 26 IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, next header type, and flow label.
Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny (26-8)
ipv6 access-group (26-11)
show ipv6 access-list (26-11)
permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific destination IP addresses, next header type, or flow label. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | destination-ipv6-address[/prefix-length]} [next-header next-header] [dscp dscp] [flow-label flow-label]
• any – Keyword indicating any IPv6 destination address (an abbreviation for the IPv6 prefix ::/0).
e.g., in a hop-by-hop option. A flow is uniquely identified by the combination of a source address and a non-zero flow label. Packets that do not belong to a flow carry a flow label of zero. Hosts or routers that do not support the functions specified by the flow label must set the field to zero when originating a packet, pass the field on unchanged when forwarding a packet, and ignore the field when receiving a packet.
show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
Syntax
show ipv6 access-list {standard | extended} [acl_name]
• standard – Specifies a standard IPv6 ACL.
• extended – Specifies an extended IPv6 ACL.
• acl_name – Name of the ACL.
Related Commands
show ipv6 access-list (26-11)
show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
Command Mode
Privileged Exec
Example
Console#show ipv6 access-group
Interface ethernet 1/2
 IPv6 standard access-list david in
Console#
Related Commands
ipv6 access-group (26-11)
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
MAC ACLs 26 Command Mode Global Configuration Command Usage • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. • To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. • An ACL can contain up to 32 rules.
[no] {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}
• tagged-eth2 – Tagged Ethernet II packets.
• untagged-eth2 – Untagged Ethernet II packets.
• tagged-802.3 – Tagged Ethernet 802.3 packets.
• untagged-802.3 – Untagged Ethernet 802.3 packets.
• any – Any MAC source or destination address.
• host – A specific MAC address.
• source – Source MAC address.
show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl_name]
acl_name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show mac access-list
MAC access-list jerry:
 permit any 00-e0-29-94-34-de ethertype 0800
Console#
Related Commands
permit, deny (26-13)
mac access-group (26-15)
mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Console#show mac access-group
Interface ethernet 1/5
 MAC access-list M5 in
Console#
Related Commands
mac access-group (26-15)
ACL Information
This section describes commands used to display ACL information.
ACL Information 26 show access-group This command shows the port assignments of IPv4 ACLs.
Chapter 27: Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
27 Interface Commands Default Setting None Command Mode Global Configuration Example To specify port 4, enter the following command: Console(config)#interface ethernet 1/4 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
speed-duplex 27 speed-duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default.
negotiation
This command enables autonegotiation for a given interface. Use the no form to disable autonegotiation.
Syntax
[no] negotiation
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• 1000BASE-T and 10GBASE-T do not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T or 10GBASE-T port or trunk.
flowcontrol 27 • 10full - Supports 10 Mbps full-duplex operation • 10half - Supports 10 Mbps half-duplex operation • flowcontrol - Supports flow control • symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames for 1 Gbps connections.
Command Usage
• 1000BASE-T and 10GBASE-T do not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T or 10GBASE-T port or trunk.
• Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation.
shutdown 27 Command Mode Interface Configuration (Ethernet - Ports 21-24/45-48) Example This forces the switch to use the built-in RJ-45 port for the combination port 48. Console(config)#interface ethernet 1/48 Console(config-if)#media-type copper-forced Console(config-if)# shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet)
Command Usage
• When broadcast traffic exceeds the specified threshold, packets above that threshold are dropped.
• Broadcast control does not affect IP multicast traffic.
show interfaces status 27 show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) • vlan vlan-id (Range: 1-4093) Default Setting Shows the status for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number. (Range: 1-26/50)
• port-channel channel-id (Range: 1-32)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
show interfaces switchport 27 show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Default Setting Shows all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
Table 27-2 show interfaces switchport - display description (Continued)
Field | Description
Ingress Rule | Shows if ingress filtering is enabled or disabled (page 34-9).
Acceptable Frame Type | Shows if acceptable VLAN frames include all types or tagged frames only (page 34-9).
Native VLAN | Indicates the default Port VLAN ID (page 34-10).
Priority for Untagged Traffic | Indicates the default priority for untagged frames (page 35-3).
Chapter 28: Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
28 Link Aggregation Commands
• STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP system priority.
• Ports must have the same port admin key (Ethernet Interface).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
lacp 28 lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
Current status:
 Created By : LACP
 Link Status : Up
 Port Operation Status : Up
 Operation speed-duplex : 100full
 Flow control Type : None
 Member Ports : Eth1/10, Eth1/11, Eth1/12,
Console#
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
• actor - The local side of an aggregate link.
lacp admin-key (Ethernet Interface) 28
lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
[no] lacp {actor | partner} admin-key
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax
lacp admin-key key
[no] lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
show lacp 28
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Setting a lower value indicates a higher effective priority.
• If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
Example
Console#show lacp 1 counters
Port Channel: 1
------------------------------------------------------------------------
Eth 1/ 2
------------------------------------------------------------------------
 LACPDUs Sent : 12
 LACPDUs Receive : 6
 Marker Sent : 0
 Marker Receive : 0
 LACPDUs Unknown Pkts : 0
 LACPDUs Illegal Pkts : 0
. . .
Table 28-3 show lacp internal - display description (Continued)
Field | Description
LACP Port Priority | LACP port priority assigned to this interface within the channel group.
Admin State, Oper State | Administrative or operational values of the actor’s state parameters:
• Expired – The actor’s receive machine is in the expired state;
• Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Table 28-4 show lacp neighbors - display description (Continued)
Field | Description
Port Oper Priority | Priority value assigned to this aggregation port by the partner.
Admin Key | Current administrative value of the Key for the protocol partner.
Oper Key | Current operational value of the Key for the protocol partner.
Admin State | Administrative values of the partner’s state parameters. (See preceding table.
Chapter 29: Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
Table 29-1 Mirror Port Commands
Command | Function | Mode | Page
port monitor | Configures a mirror session | IC | 29-1
show port monitor | Shows the configuration for a mirror port | PE | 29-2
port monitor
This command configures a mirror session. Use the no form to clear a mirror session.
29 Mirror Port Commands
Example
The following example configures the switch to mirror all packets from port 6 to 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 both
Console(config-if)#
show port monitor
This command displays mirror information.
Syntax
show port monitor [interface]
interface - ethernet unit/port (source port)
• unit - Stack unit. (Range: 1-8)
• port - Port number. (Range: 1-26/50)
Default Setting
Shows all sessions.
Chapter 30: Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Chapter 31: Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
31 Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: • Static addresses will not be removed from the address table when a given interface link is down. • Static addresses are bound to the assigned interface and will not be moved.
show mac-address-table 31 show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. • interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number.
mac-address-table aging-time
This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
Syntax
mac-address-table aging-time seconds
no mac-address-table aging-time
seconds - Aging time. (Range: 10-1000000 seconds; 0 to disable aging)
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
The aging time is used to age out dynamically learned forwarding information.
Chapter 32: LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
32 LLDP Commands
Table 32-1 LLDP Commands (Continued)
Command | Function | Mode | Page
lldp dot1-tlv vlan-name* | Configures an LLDP-enabled port to advertise its VLAN name | IC | 32-11
lldp dot3-tlv link-agg | Configures an LLDP-enabled port to advertise its link aggregation capabilities | IC | 32-12
lldp dot3-tlv mac-phy | Configures an LLDP-enabled port to advertise its MAC and physical layer specifications | IC | 32-12
lldp dot3-tlv max-frame | Configures an LLDP-enabled port to advertise its maximum frame si
lldp holdtime-multiplier 32 lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
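Because LLDP advertisements are unauthenticated Layer 2 broadcasts that the switch parses from any neighbour, the TLV encoding introduced at the start of this chapter and the TTL set by lldp holdtime-multiplier are worth seeing in bytes. The following added Python example (not code from the switch or from Asante) builds an LLDPDU with the mandatory Chassis ID, Port ID and TTL TLVs plus a System Name, then parses it back with explicit bounds checks so that a length field pointing past the end of the frame is rejected rather than read. The chassis and port MAC addresses echo the ones shown in the show lldp info output later in this chapter; the 30-second transmit interval, the multiplier of 4 and the system name are assumed values chosen for the example, and the TTL computed as interval times multiplier (capped at 65535) is the IEEE 802.1AB rule, not a formula quoted from this page.

```python
import struct
from typing import Dict, List, Optional, Tuple

# TLV types from the IEEE 802.1AB basic management set
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYS_NAME = 0, 1, 2, 3, 5
LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")  # nearest-bridge group address
CHASSIS_SUBTYPE_MAC = 4                      # chassis ID subtype: MAC address
PORT_SUBTYPE_MAC = 3                         # port ID subtype: MAC address


def tlv(ttype: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not 0 <= ttype < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def fmt_mac(raw: bytes) -> str:
    return "-".join("%02x" % b for b in raw)


def lldp_ttl(tx_interval: int, holdtime_multiplier: int) -> int:
    """TTL carried in the frame = transmit interval x holdtime multiplier, capped at 65535."""
    return min(65535, tx_interval * holdtime_multiplier)


def build_lldp_frame(src_mac: bytes, chassis_mac: bytes, port_mac: bytes,
                     tx_interval: int, holdtime_multiplier: int, sys_name: str) -> bytes:
    body = (tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_MAC]) + port_mac)
            + tlv(TLV_TTL, struct.pack("!H", lldp_ttl(tx_interval, holdtime_multiplier)))
            + tlv(TLV_SYS_NAME, sys_name.encode("utf-8"))
            + tlv(TLV_END, b""))
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + body


def parse_tlvs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, refusing any length field that points past the frame."""
    tlvs: List[Tuple[int, bytes]] = []
    off = 0
    while True:
        if off + 2 > len(payload):
            raise ValueError(f"truncated TLV header at offset {off}")
        (hdr,) = struct.unpack_from("!H", payload, off)
        ttype, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(payload):
            raise ValueError(f"TLV type {ttype} claims {length} bytes beyond end of frame")
        tlvs.append((ttype, payload[off:off + length]))
        off += length
        if ttype == TLV_END:
            return tlvs


def parse_lldp_frame(frame: bytes) -> Dict[str, Optional[object]]:
    """Decode the fields a 'show lldp info remote-device' style display would show."""
    if len(frame) < 14 or frame[12:14] != struct.pack("!H", LLDP_ETHERTYPE):
        raise ValueError("not an LLDP frame")
    tlvs = parse_tlvs(frame[14:])
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    info: Dict[str, Optional[object]] = {"chassis_id": None, "port_id": None,
                                         "ttl": None, "system_name": None}
    for ttype, val in tlvs:
        if ttype == TLV_CHASSIS_ID and len(val) == 7 and val[0] == CHASSIS_SUBTYPE_MAC:
            info["chassis_id"] = fmt_mac(val[1:])
        elif ttype == TLV_PORT_ID and len(val) == 7 and val[0] == PORT_SUBTYPE_MAC:
            info["port_id"] = fmt_mac(val[1:])
        elif ttype == TLV_TTL and len(val) == 2:
            info["ttl"] = struct.unpack("!H", val)[0]
        elif ttype == TLV_SYS_NAME:
            info["system_name"] = val.decode("utf-8", "replace")
    return info


# Constructed sample frame. The interval (30 s) and multiplier (4) are assumed
# values for this example, giving a TTL of 120 s in the advertisement.
SAMPLE_FRAME = build_lldp_frame(
    src_mac=bytes.fromhex("000102030405"),
    chassis_mac=bytes.fromhex("000102030405"),
    port_mac=bytes.fromhex("000102030406"),
    tx_interval=30, holdtime_multiplier=4, sys_name="edge-sw1")

if __name__ == "__main__":
    print(parse_lldp_frame(SAMPLE_FRAME))
```

Feeding the parser a frame cut short (for instance SAMPLE_FRAME[:-5]) raises ValueError from the length check instead of silently returning a partial System Name, which is the behaviour a receiver of untrusted neighbour data should have.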
Command Usage
• This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
• Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission.
lldp reinit-delay 32 lldp reinit-delay This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting. Syntax lldp reinit-delay seconds no lldp reinit-delay seconds - Specifies the delay before attempting to re-initialize LLDP.
objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
• This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval
Example
Console(config)#lldp tx-delay 10
Console(config)#
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
lldp basic-tlv management-ip-address 32 Command Usage • This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command (page 32-3). Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. • SNMP trap destinations are defined using the snmp-server host command (page 24-5).
• Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
lldp basic-tlv system-description 32
Command Usage
This option identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-capabilities
Console(config-if)#
lldp basic-tlv system-description
This command configures an LLDP-enabled port to advertise the system description.
Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command (page 23-1).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#
lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
lldp dot1-tlv pvid 32 Command Usage This option advertises the port-based and protocol-based VLANs configured on this interface (see “Configuring VLAN Interfaces” on page 34-7 and “Configuring Protocol-based VLANs” on page 34-20). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-vid Console(config-if)# lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 34-11 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 34-21.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv vlan-name
Console(config-if)#
lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
lldp dot3-tlv max-frame 32 Command Usage This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv mac-phy Console(config-if)# lldp dot3-tlv max-frame This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Command Usage
This option advertises Power-over-Ethernet capabilities, including whether or not PoE is supported, currently enabled, if the port pins through which power is delivered can be controlled, the port pins selected to deliver power, and the power class.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot3-tlv poe
Console(config-if)#
show lldp config
This command shows LLDP configuration settings for all ports.
show lldp info local-device 32
Console#show lldp config detail ethernet 1/1
LLDP Port Configuration Detail
 Port : Eth 1/1
 Admin Status : Tx-Rx
 Notification Enabled : True
 Basic TLVs Advertised:
  port-description
  system-name
  system-description
  system-capabilities
  management-ip-address
 802.1 specific TLVs Advertised:
  *port-vid
  *vlan-name
  *proto-vlan
  *proto-ident
 802.
Example
Console#show lldp info local-device
LLDP Local System Information
 Chassis Type : MAC Address
 Chassis ID : 00-01-02-03-04-05
 System Name :
 System Description : 24/48 port 10/100/1000 Stackable Managed Switch with 2 X 10G uplinks
 System Capabilities Support : Bridge, Router
 System Capabilities Enable : Bridge, Router
 Management Address : 192.168.0.
show lldp info remote-device 32
Example
Console#show lldp info remote-device
LLDP Remote Devices Information
Interface | ChassisId         PortId            SysName
--------- + ----------------- ----------------- --------------------
Eth 1/1   | 00-01-02-03-04-05 00-01-02-03-04-06
Console#show lldp info remote-device detail ethernet 1/1
 Chassis Type : MAC Address
 Chassis Id : 00-00-E8-90-00-00
 PortID Type : MAC Address
 PortID : 00-00-E8-90-00-01
 SysName :
 SysDescr : 24/48 port 10/100/1000 Stackable Managed Switch with 2 X 1
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax
show lldp info statistics [detail interface]
• detail - Shows detailed information.
• interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number.
Chapter 33: Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
33 Spanning Tree Commands
Table 33-1 Spanning Tree Commands (Continued)
Command | Function | Mode | Page
show spanning-tree | Shows spanning tree configuration for the common spanning tree (i.e., overall bridge), a selected interface, or an instance within the multiple spanning tree | PE | 33-18
show spanning-tree mst configuration | Shows the multiple spanning tree configuration | PE | 33-20
spanning-tree
This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
spanning-tree mode 33
Default Setting
rstp
Command Mode
Global Configuration
Command Usage
• Spanning Tree Protocol
- Uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
- This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
spanning-tree max-age 33 Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (33-4) spanning-tree max-age (33-5) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
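The two minimum-value rules above (forward-time at least the higher of 4 or max-age/2 + 1; max-age at least the higher of 6 or 2 x (hello-time + 1)) tie the three bridge timers together, and a set of values that each lies inside its own range can still be inconsistent as a group. The following added Python check (not code from the switch or from Asante) validates a hello-time, max-age and forward-time triple against the ranges and rules stated in this chapter. The hello-time range of 1-10 seconds is an assumption, since that command's range is not on this page, and rounding max-age/2 + 1 up to the next whole second for odd max-age values is this example's choice.

```python
import math
from typing import List, Tuple

# Ranges stated in this chapter for max-age and forward-time; the hello-time
# range is assumed for this example (the lldp/stp hello-time entry is not on this page).
HELLO_RANGE = (1, 10)       # assumed
MAX_AGE_RANGE = (6, 40)     # from spanning-tree max-age
FORWARD_RANGE = (4, 30)     # from spanning-tree forward-time


def min_max_age(hello_time: int) -> int:
    """Minimum max-age: the higher of 6 or 2 x (hello-time + 1)."""
    return max(6, 2 * (hello_time + 1))


def min_forward_time(max_age: int) -> int:
    """Minimum forward-time: the higher of 4 or (max-age / 2) + 1.
    Odd max-age values are rounded up to the next whole second (example's choice)."""
    return max(4, math.ceil(max_age / 2) + 1)


def derive_minimums(hello_time: int) -> Tuple[int, int]:
    """Smallest legal (max-age, forward-time) pair for a given hello-time."""
    ma = min_max_age(hello_time)
    return ma, min_forward_time(ma)


def validate_stp_timers(hello_time: int, max_age: int, forward_time: int) -> List[str]:
    """Return the list of violated constraints; an empty list means the timers are consistent."""
    problems: List[str] = []
    for name, value, (lo, hi) in (("hello-time", hello_time, HELLO_RANGE),
                                  ("max-age", max_age, MAX_AGE_RANGE),
                                  ("forward-time", forward_time, FORWARD_RANGE)):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} is outside range {lo}-{hi}")
    need_ma = min_max_age(hello_time)
    if max_age < need_ma:
        problems.append(f"max-age {max_age} is below the minimum {need_ma} "
                        f"implied by hello-time {hello_time}")
    need_fw = min_forward_time(max_age)
    if forward_time < need_fw:
        problems.append(f"forward-time {forward_time} is below the minimum {need_fw} "
                        f"implied by max-age {max_age}")
    return problems


if __name__ == "__main__":
    # hello-time 5, as in the example command above, needs max-age >= 12
    for triple in ((2, 20, 15), (5, 10, 15), (2, 20, 10)):
        print(triple, validate_stp_timers(*triple) or "ok")
```

With the hello-time of 5 seconds used in the example command, a max-age left at 10 fails the second rule, and with the default-looking pair hello 2 / max-age 20, a forward-time of 10 fails the first; both are caught before the values reach the switch.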
spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree priority priority
no spanning-tree priority
priority - Priority of the bridge.
spanning-tree transmission-limit 33 Command Usage The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 33-12) takes precedence over port priority (page 33-13).
Related Commands
mst vlan (33-8)
mst priority (33-9)
name (33-9)
revision (33-10)
max-hops (33-11)
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Syntax
[no] mst instance_id vlan vlan-range
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
• vlan-range - Range of VLANs.
mst priority 33
mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.
Syntax
mst instance_id priority priority
no mst instance_id priority
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
• priority - Priority of the spanning tree instance.
Command Usage
The MST region name and revision number (page 33-10) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
Syntax
max-hops hop-number
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed.
spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)
Table 33-2 Recommended STA Path Cost Range
Port Type Short Path Cost (IEEE 802.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#

spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.
Syntax
spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port.
Command Usage
• You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
• This command is the same as spanning-tree edge-port, and is only included for backward compatibility with earlier products. Note that this command may be removed in future software versions.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#bridge-group 1 portfast
Console(config-if)#
Related Commands
spanning-tree edge-port (33-13)

spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree.
spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree mst instance_id cost cost
no spanning-tree mst instance_id cost
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
• cost - Path cost for an interface.
spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance_id port-priority priority
no spanning-tree mst instance_id port-priority
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
• priority - Priority for an interface.
Command Mode
Privileged Exec
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
displayed for specific interfaces, see “Displaying Interface Settings” on page 10-10.
Example
Console#show spanning-tree
Spanning Tree Information
---------------------------------------------------------------
Spanning Tree Mode: MSTP
Spanning Tree Enabled/Disabled: Enabled
Instance: 0
VLANs Configuration: 1-4093
Priority: 32768
Bridge Hello Time (sec.): 2
Bridge Max Age (sec.): 20
Bridge Forward Delay (sec.): 15
Root Hello Time (sec.): 2
Root Max Age (sec.
show spanning-tree mst configuration
This command shows the configuration of the multiple spanning tree.
Chapter 34: VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.
Syntax
[no] bridge-ext gvrp
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[no] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
• ethernet unit/port
- unit - Stack unit.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer_value
no garp timer {join | leave | leaveall}
• {join | leave | leaveall} - Which timer to set.
• timer_value - Value of timer.
show garp timer
This command shows the GARP timers for the selected interface.
Syntax
show garp timer [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number. (Range: 1-26/50)
• port-channel channel-id (Range: 1-32)
Default Setting
Shows all GARP timers.
Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
Related Commands
shutdown (27-7)

switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
• all - The port accepts all frames, tagged or untagged.
• tagged - The port only receives tagged frames.
• If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
• If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
• Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STA.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
• add vlan-list - List of VLAN identifiers to add.
• remove vlan-list - List of VLAN identifiers to remove.
• vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
• add vlan-list - List of VLAN identifiers to add.
• remove vlan-list - List of VLAN identifiers to remove.
• vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. Do not enter leading zeros.
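The vlan-list syntax for switchport allowed vlan and switchport forbidden vlan, and the ingress filtering rules listed a little earlier, are the two places where a typo silently changes which VLANs a port carries. The block below is an added example, not part of the manual or the switch software: a Python parser and formatter for the vlan-list form (comma-separated, no spaces, hyphen ranges, no leading zeros, IDs within the 1-4093 range the show vlan command documents), and a constructed port model that applies the manual's ingress rule to one tagged frame. The class and function names are hypothetical.

```python
# Added example: validate/expand the CLI vlan-list syntax and apply the
# manual's ingress filtering rule. Hypothetical helpers, not switch code.
import re

VLAN_MIN, VLAN_MAX = 1, 4093   # VLAN ID range given for the show vlan command


def parse_vlan_list(text: str) -> set:
    """Expand 'vlan-list' text into a set of VLAN IDs; raise ValueError on
    anything the switch would reject (spaces, leading zeros, bad ranges)."""
    if not text or " " in text:
        raise ValueError("vlan-list must be non-empty and contain no spaces")
    ids = set()
    for item in text.split(","):
        m = re.fullmatch(r"([1-9]\d*)(?:-([1-9]\d*))?", item)   # no leading zeros
        if not m:
            raise ValueError(f"bad vlan-list item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"range {item!r} out of order or outside {VLAN_MIN}-{VLAN_MAX}")
        ids.update(range(lo, hi + 1))
    return ids


def is_valid_vlan_list(text: str) -> bool:
    """True if the switch would accept this vlan-list text."""
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


def format_vlan_list(ids) -> str:
    """Inverse of parse_vlan_list: collapse IDs back to the compact CLI form."""
    ids, parts, i = sorted(ids), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


class PortVlanConfig:
    """Constructed model of one port: allowed VLANs, forbidden VLANs and the
    ingress filtering flag (assumption: these are the only inputs needed)."""

    def __init__(self, allowed: str, forbidden: str = "", ingress_filtering: bool = False):
        self.allowed = parse_vlan_list(allowed)
        self.forbidden = parse_vlan_list(forbidden) if forbidden else set()
        self.ingress_filtering = ingress_filtering


def ingress_decision(port: PortVlanConfig, tag_vid: int) -> str:
    """Outcome for a frame tagged tag_vid arriving on port, per the manual:
    member -> 'forward'; non-member with filtering on, or VLAN forbidden on
    this port -> 'discard'; otherwise -> 'flood' to all other ports."""
    if tag_vid in port.allowed:
        return "forward"
    if port.ingress_filtering or tag_vid in port.forbidden:
        return "discard"
    return "flood"
```

The flood outcome is the one to watch: with ingress filtering left at its default, a frame for a VLAN the port does not even carry is still flooded unless that VLAN is explicitly forbidden on the port, so an access port facing untrusted hosts should either have filtering enabled or a forbidden list that covers the sensitive VLANs.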
show vlan
This command shows VLAN information.
Syntax
show vlan [id vlan-id | name vlan-name]
• id - Keyword to be followed by the VLAN ID.
vlan-id - ID of the configured VLAN. (Range: 1-4093, no leading zeroes)
• name - Keyword to be followed by the VLAN name.
vlan-name - ASCII string from 1 to 32 characters.
Default Setting
Shows all VLANs.
Command Mode
Normal Exec, Privileged Exec
Example
The following example shows how to display information for VLAN 1.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Limitations for QinQ
• The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
• IGMP Snooping should not be enabled on a tunnel access port.
• If the spanning tree protocol is enabled, be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tree structure is automatically reconfigured to overcome a break in the tree.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• QinQ tunneling must be enabled on the switch using the dot1q-tunnel system-tunnel-control command before the switchport dot1q-tunnel mode interface command can take effect.
• When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag is added as the outer tag.
custom 802.1Q ethertype on a trunk port, incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port.
• All ports on the switch will be set to the same ethertype.
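The two rules just described (the customer tag is kept as the inner tag while the provider tag is pushed on the outside, and a trunk only recognises the one ethertype it is configured for) are easiest to see on real frame bytes. The following is an added example written for this page, not code from the manual or from Asante: it builds a constructed customer frame that already carries an 802.1Q tag, pushes a service tag with a non-standard ethertype, and then classifies the result on a trunk configured for that ethertype and on one still expecting 0x8100. The function names, the sample MAC addresses and the VLAN numbers are all assumptions.

```python
# Added example: QinQ service-tag push and trunk-side classification.
# Hypothetical helpers; frame layout follows IEEE 802.1Q (TPID + TCI).
import struct

TPID_8021Q = 0x8100          # standard 802.1Q tag ethertype


def build_tag(tpid: int, vid: int, pcp: int = 0) -> bytes:
    """One 4-byte VLAN tag: TPID followed by the TCI (PCP, DEI=0, VID)."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("vid must be 1-4094 and pcp 0-7")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def add_service_tag(frame: bytes, spvlan: int, service_tpid: int = TPID_8021Q) -> bytes:
    """Tunnel port behaviour from the manual: whatever the customer sent (one
    tag, several tags, or none) stays as the inner tag(s); the provider's
    SPVLAN tag becomes the outer tag right after the MAC addresses."""
    return frame[:12] + build_tag(service_tpid, spvlan) + frame[12:]


def classify_on_trunk(frame: bytes, port_tpid: int, native_vlan: int) -> tuple:
    """Trunk rule from the manual: if the outermost ethertype equals the
    port's configured tag ethertype, the frame belongs to the VLAN in that
    tag (and the tag is popped); any other ethertype is treated as untagged
    and the frame lands in the port's native VLAN. Returns (vlan, frame)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == port_tpid:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return native_vlan, frame


# Constructed sample: customer frame tagged for customer VLAN 100, PCP 3
CUSTOMER_FRAME = (bytes.fromhex("0011223344550066778899aa")   # dst, src MAC
                  + build_tag(TPID_8021Q, 100, pcp=3)
                  + b"\x08\x00" + b"payload")                  # IPv4 ethertype + data


def demo() -> tuple:
    """Push SPVLAN 2000 with ethertype 0x9100, then classify on two trunks."""
    tunnelled = add_service_tag(CUSTOMER_FRAME, spvlan=2000, service_tpid=0x9100)
    # Provider trunk configured for 0x9100: pops the outer tag, sees SPVLAN 2000
    svlan, inner = classify_on_trunk(tunnelled, port_tpid=0x9100, native_vlan=1)
    # Customer-side trunk (0x8100) then sees the preserved customer VLAN 100
    cvlan, _ = classify_on_trunk(inner, port_tpid=TPID_8021Q, native_vlan=1)
    # A trunk left at 0x8100 does not recognise 0x9100 as a tag at all and
    # drops the whole double-tagged frame into its native VLAN
    misread, _ = classify_on_trunk(tunnelled, port_tpid=TPID_8021Q, native_vlan=1)
    return svlan, cvlan, misread
```

The last case is why the manual notes that all ports on the switch share one ethertype: a neighbouring switch that still expects 0x8100 will treat every double-tagged frame as untagged and assign it to its native VLAN, which is exactly the kind of VLAN boundary crossing the service VLAN was meant to prevent.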
Configuring Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VLANs.
Table 34-7 Private VLAN Commands
Command Function Mode Page
pvlan Enables and configures private VLANs GC 34-18
show pvlan Displays the configured private VLANs PE 34-19

pvlan
This command enables or configures a private VLAN. Use the no form to disable the private VLAN.
Example
This example enables the private VLAN, and then sets port 12 as the uplink and ports 5-8 as the downlinks.
Console(config)#pvlan
Console(config)#pvlan up-link ethernet 1/12 down-link ethernet 1/5-8
Console(config)#

show pvlan
This command displays the configured private VLAN.
Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
• protocol - Protocol type. The only option for the llc-other frame type is ipx_raw. The options for all other frame types include: ip, ipv6, arp, rarp, and user-defined (0801-FFFF hexadecimal).
Default Setting
No protocol groups are configured.
If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
Example
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Command Mode
Privileged Exec
Example
This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
Port ProtocolGroup ID Vlan ID
---------- ------------------ ----------
Eth 1/1 1 vlan2
Console#
Chapter 35: Class of Service Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
queue mode
This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value.
Syntax
queue mode {strict | wrr}
no queue mode
• strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.
switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Syntax
switchport priority default default-priority-id
no switchport priority default
default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority.
Default Setting
The priority is not set, and the default value for untagged frames received on the interface is zero.
queue bandwidth
This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights.
Syntax
queue bandwidth weight0...weight7
no queue bandwidth
weight0...weight7 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler. (Range: 1 - 15)
Default Setting
Weights 1, 2, 4, 6, 8, 10, 12, 14 are assigned to queues 0 - 7 respectively.
• cos1 ... cosn - The CoS values that are mapped to the queue ID. It is a space-separated list of numbers. The CoS value is a number from 0 to 7, where 7 is the highest priority.
Default Setting
This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.
show queue bandwidth
This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues.
Syntax
show queue bandwidth [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number. (Range: 1-26/50)
• port-channel channel-id (Range: 1-32)
Command Mode
Privileged Exec
Example
Console#show queue bandwidth
Information of Eth 1/1
Queue ID Weight
-------- ------
0 1
1 2
2 4
3 6
4 8
5 10
6 12
7 14
. . .
Example
Console#show queue cos-map ethernet 1/1
Information of Eth 1/1
CoS Value: 0 1 2 3 4 5 6 7
Priority Queue: 2 0 1 3 4 5 6 7
Console#

Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch.
map ip port (Interface Configuration)
This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting.
Syntax
map ip port port-number cos cos-value
no map ip port port-number
• port-number - 16-bit TCP/UDP port number.
Example
The following example shows how to enable IP precedence mapping globally:
Console(config)#map ip precedence
Console(config)#

map ip precedence (Interface Configuration)
This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table.
Syntax
map ip precedence ip-precedence-value cos cos-value
no map ip precedence
• precedence-value - 3-bit precedence value.
map ip dscp (Global Configuration)
This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping.
Syntax
[no] map ip dscp
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
• IP Precedence and IP DSCP cannot both be enabled.
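The Layer 2 and Layer 3/4 priority commands in this chapter together form one ingress pipeline: a packet is assigned a CoS (IP port mapping first, then IP Precedence or DSCP, then the port's default priority), the CoS selects an egress queue through the cos-map, and the queue mode decides the transmit order. The block below is an added example, not code from the manual or from Asante, that simulates that pipeline in Python using the defaults printed by the show commands on these pages (WRR weights 1, 2, 4, 6, 8, 10, 12, 14 and the default CoS-to-queue map 2 0 1 3 4 5 6 7). The order in which queues are visited inside a WRR round is not stated on the page and is an assumption here, as are the dict-based packet and port representations and the function names.

```python
# Added example: CoS resolution and egress scheduling as the manual describes
# them. Hypothetical helpers; packets and port settings are constructed dicts.

# Defaults shown by "show queue bandwidth" and "show queue cos-map" above
DEFAULT_WRR_WEIGHTS = [1, 2, 4, 6, 8, 10, 12, 14]        # queues 0-7
DEFAULT_COS_TO_QUEUE = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def resolve_cos(pkt: dict, port: dict) -> int:
    """CoS for an ingress packet following the manual's precedence:
    IP port map, then IP Precedence or IP DSCP (never both), then the port's
    default priority for untagged frames (0 when not set)."""
    if port.get("precedence_map") and port.get("dscp_map"):
        raise ValueError("IP Precedence and IP DSCP cannot both be enabled")
    if port.get("ip_port_map") and pkt.get("l4_port") in port["ip_port_map"]:
        return port["ip_port_map"][pkt["l4_port"]]
    if port.get("precedence_map") and "tos" in pkt:
        return port["precedence_map"].get(pkt["tos"] >> 5, 0)   # top 3 bits
    if port.get("dscp_map") and "tos" in pkt:
        return port["dscp_map"].get(pkt["tos"] >> 2, 0)        # unlisted DSCP -> CoS 0
    return port.get("default_priority", 0)


def queue_for(cos: int, cos_to_queue: dict = DEFAULT_COS_TO_QUEUE) -> int:
    """Egress queue selected by the cos-map."""
    return cos_to_queue[cos]


def wrr_service_order(queue_lengths: list, weights: list = DEFAULT_WRR_WEIGHTS) -> list:
    """One WRR drain: per round each non-empty queue may send up to its weight
    in packets (assumption: queues visited 7 down to 0 inside a round).
    Returns the queue IDs in transmit order until all queues are empty."""
    remaining = list(queue_lengths)
    order = []
    while any(remaining):
        for q in range(7, -1, -1):
            for _ in range(weights[q]):
                if remaining[q] == 0:
                    break
                remaining[q] -= 1
                order.append(q)
    return order


def strict_service_order(queue_lengths: list) -> list:
    """Strict mode: drain the highest non-empty queue completely first."""
    order = []
    for q in range(7, -1, -1):
        order.extend([q] * queue_lengths[q])
    return order


if __name__ == "__main__":
    # Constructed port: HTTP forced to CoS 0, DSCP 46 (EF) to CoS 7, default 3
    port = {"ip_port_map": {80: 0}, "dscp_map": {46: 7}, "default_priority": 3}
    ef_packet = {"l4_port": 5060, "tos": 46 << 2}
    print(queue_for(resolve_cos(ef_packet, port)))
```

Note the interaction between the two scheduling modes: with strict priority a saturated high queue starves everything below it, while WRR guarantees even queue 0 a share of every round; which one is appropriate depends on whether the high-CoS traffic is trusted, since CoS markings from untrusted ports are only as good as the mapping commands that assign them.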
Default Setting
The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.
Command Mode
Privileged Exec
Example
The following shows that HTTP traffic has been mapped to CoS value 0:
Console#show map ip port
TCP port mapping status: disabled
Port Port no. COS
--------- -------- ---
Eth 1/ 5 80 0
Console#
Related Commands
map ip port (Global Configuration) (35-7)
map ip port (Interface Configuration) (35-8)

show map ip precedence
This command shows the IP precedence priority map.
show map ip dscp
This command shows the IP DSCP priority map.
Syntax
show map ip dscp [interface]
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number. (Range: 1-26/50)
• port-channel channel-id (Range: 1-32)
Command Mode
Privileged Exec
Example
Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
Port DSCP COS
--------- ---- ---
Eth 1/ 1 0 0
Eth 1/ 1 1 0
Eth 1/ 1 2 0
Eth 1/ 1 3 0
. . .
Chapter 36: Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate. Use the service-policy command to assign a policy map to a specific interface.
Notes:
1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
2. You should create a Class Map (page 36-2) before creating a Policy Map (page 36-5).
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax
[no] match {access-list acl-name | ip dscp dscp | ipv6 dscp dscp | ip precedence ip-precedence | vlan vlan}
• acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
• dscp - A Differentiated Service Code Point value. (Range: 0-63)
• ip-precedence - An IP Precedence value.
This example creates a class map called “rd_class#3,” and sets it to match packets marked for VLAN 1.
Console(config)#class-map rd_class#3 match-any
Console(config-cmap)#match vlan 1
Console(config-cmap)#

rename
This command redefines the name of a class map or policy map.
Syntax
rename map-name
map-name - Name of the class map or policy map.
policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map.
Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.
Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. Finally, use the set and police commands to specify the match criteria, where the:
- set command classifies the service that an IP packet will receive.
- police command defines the maximum throughput, burst rate, and the action that results from a policy violation.
Example
This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-16 characters)
Default Setting
Displays all class maps.
Example
Console#show policy-map
Policy Map rd_policy
class rd_class
set ip dscp 3
Console#show policy-map rd_policy class rd_class
Policy Map rd_policy
class rd_class
set ip dscp 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number.
Chapter 37: Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Example
The following example enables IGMP snooping.
Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
Syntax
[no] ip igmp snooping vlan vlan-id static ip-address interface
• vlan-id - VLAN ID (Range: 1-4093)
• ip-address - IP address for multicast group
• interface
• ethernet unit/port
- unit - Stack unit. (Range: 1-8)
- port - Port number.
Default Setting
IGMP Version 2
Command Mode
Global Configuration
Command Usage
• This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
• Some commands are only enabled for IGMPv2, including ip igmp query-max-response-time and ip igmp query-timeout.
Example
The following shows how to enable immediate leave.
Console(config)#ip igmp snooping vlan 1 immediate-leave
Console(config)#

show ip igmp snooping
This command shows the IGMP snooping and query configuration settings.
Command Mode
Privileged Exec
Command Usage
See “Configuring IGMP Snooping and Query Parameters” on page 15-3 for a description of the displayed items.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Member types displayed include IGMP or USER, depending on selected options.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1:
Console#show mac-address-table multicast vlan 1 igmp-snooping
VLAN M'cast IP addr. Member ports Type
---- --------------- ------------ -------
1 224.1.2.
Command Usage
If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping query-count
This command configures the query count. Use the no form to restore the default.
ip igmp snooping query-interval
This command configures the query interval. Use the no form to restore the default.
Syntax
ip igmp snooping query-interval seconds
no ip igmp snooping query-interval
seconds - The frequency at which the switch sends IGMP host-query messages.
Example
The following shows how to configure the maximum response time to 20 seconds:
Console(config)#ip igmp snooping query-max-response-time 20
Console(config)#
Related Commands
ip igmp snooping version (37-2)
ip igmp snooping query-max-response-time (37-7)

ip igmp snooping router-port-expire-time
This command configures the query timeout. Use the no form to restore the default.
Static Multicast Routing Commands
This section describes commands used to configure static multicast interfaces on the switch.
Table 37-4 Static Multicast Routing Commands
Command Function Mode Page
ip igmp snooping vlan mrouter Adds a multicast router port GC 37-9
show ip igmp snooping mrouter Shows multicast router ports PE 37-10

ip igmp snooping vlan mrouter
This command statically configures a multicast router port on the specified VLAN.
show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Displays multicast router ports for all configured VLANs.
Command Mode
Privileged Exec
Command Usage
Multicast router port types displayed include Static.
Chapter 38: Domain Name Service Commands
These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Command Usage
Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
Example
This example maps two addresses to a host name.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#end
Console#show hosts
Hostname
rd5
Inet address
10.1.0.
ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
Syntax
ip domain-name name
no ip domain-name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
Command Usage
• Domain names are added to the end of the list one at a time.
• When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
• If there is no domain list, the domain name specified with the ip domain-name command is used. If there is a domain list, the default domain name is not used.
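The three rules above decide which fully qualified names the switch will actually send to its name servers for an incomplete host name, which matters when reviewing what a management device leaks to DNS. The following is an added example, not part of the manual or the switch software: a Python function that produces the ordered candidate list for a given host name, domain list and default domain exactly as the bullets describe (dotted names used as-is, each domain-list entry appended in turn, default domain only when the list is empty). The function name and the sample domains are assumptions; the sample domains are taken from the show dns output on the following pages.

```python
# Added example: candidate names the switch's DNS client would try, in order.
# Hypothetical helper, not switch code.

def lookup_candidates(host: str, domain_list: list, default_domain: str = None) -> list:
    """Ordered FQDNs to query for host, following the manual's rules."""
    if "." in host:                       # already dotted: used as-is
        return [host]
    if domain_list:                       # domain list wins over default domain
        return [f"{host}.{d.strip('.')}" for d in domain_list]
    if default_domain:                    # only used when the list is empty
        return [f"{host}.{default_domain.strip('.')}"]
    return [host]


if __name__ == "__main__":
    # Constructed input mirroring the show dns example in this chapter
    print(lookup_candidates("rd5", ["sample.com.jp", "sample.com.uk"], "sample.com"))
```

Because every entry in the domain list is tried before a lookup fails, a long list means an unresolvable name from an operator typo is sent to each of those domains' name servers in turn; keep the list to domains you control.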
Example
This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip domain-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
DNS disabled
Default Domain Name:
.sample.com
Domain Name List:
.sample.com.jp
.sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#
Related Commands
ip domain-name (38-3)
ip domain-lookup (38-5)

ip domain-lookup
This command enables DNS host name-to-address translation.
Example
This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status:
DNS enabled
Default Domain Name:
.sample.com
Domain Name List:
.sample.com.jp
.sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Related Commands
ip domain-name (38-3)
ip name-server (38-4)

show hosts
This command displays the static host name-to-address mapping table.
show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status:
DNS enabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#

show dns cache
This command displays entries in the DNS cache.
clear dns cache
This command clears all entries in the DNS cache.
Chapter 39: DHCP Commands
These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. You can configure any VLAN interface to be automatically assigned an IP address via DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network, or you can configure this switch to provide DHCP service directly to any client.
Command Usage
This command is used to include a client identifier in all communications with the DHCP server, which uses it to index its database of address bindings. The information included in the identifier is based on RFC 2132 Option 60, and must be unique for all clients in the same administrative domain.
DHCP Relay
Table 39-3 DHCP Relay Commands
Command Function Mode Page
ip dhcp restart relay Enables DHCP relay agent IC 39-3
ip dhcp relay server Specifies DHCP server addresses for relay IC 39-4

ip dhcp restart relay
This command enables DHCP relay for the specified VLAN. Use the no form to disable it.
ip dhcp relay server
This command specifies the addresses of DHCP servers to be used by the switch’s DHCP relay agent. Use the no form to clear all addresses.
Syntax
ip dhcp relay server address1 [address2 [address3 ...]]
no ip dhcp relay server
address - IP address of DHCP server. (Range: 1-3 addresses)
Default Setting
None
Command Mode
Interface Configuration (VLAN)
Usage Guidelines
• You must specify the IP address for at least one DHCP server.
DHCP Server
Table 39-4 DHCP Server Commands
Command Function Mode Page
service dhcp Enables the DHCP server feature on this switch GC 39-5
ip dhcp excluded-address Specifies IP addresses that a DHCP server should not assign to DHCP clients GC 39-6
ip dhcp pool Configures a DHCP address pool on a DHCP Server GC 39-6
network Configures the subnet number and mask for a DHCP address pool DC 39-7
default-router Specifies the default router list for a DHCP client DC 39-8
d
Command Usage
If the DHCP server is running, you must restart it to implement any configuration changes.
Example
Console(config)#service dhcp
Console(config)#

ip dhcp excluded-address
This command specifies IP addresses that the DHCP server should not assign to DHCP clients. Use the no form to remove the excluded IP addresses.
Syntax
[no] ip dhcp excluded-address low-address [high-address]
• low-address - An excluded IP address, or the first IP address in an excluded address range.
client (with the host command) if required. You can configure up to 8 network address pools, and up to 32 manually bound host address pools (i.e., listing one host address per pool). However, note that any address specified in a host command must fall within the range of a configured network address pool.
default-router
This command specifies default routers for a DHCP pool. Use the no form to remove the default routers.
Syntax
default-router address1 [address2]
no default-router
• address1 - Specifies the IP address of the primary router.
• address2 - Specifies the IP address of an alternate router.
Default Setting
None
Command Mode
DHCP Pool Configuration
Usage Guidelines
The IP address of the router should be on the same subnet as the client. You can specify up to two routers.
dns-server
This command specifies the Domain Name System (DNS) IP servers available to a DHCP client. Use the no form to remove the DNS server list.
Syntax
dns-server address1 [address2]
no dns-server
• address1 - Specifies the IP address of the primary DNS server.
• address2 - Specifies the IP address of the alternate DNS server.
bootfile
This command specifies the name of the default boot image for a DHCP client. This file should be placed on the Trivial File Transfer Protocol (TFTP) server specified with the next-server command. Use the no form to delete the boot image name.
Syntax
bootfile filename
no bootfile
filename - Name of the file that is used as a default boot image.
Default Setting
None
Command Mode
DHCP Pool Configuration
Example
Console(config-dhcp)#bootfile wme.
Related Commands
netbios-node-type (39-11)

netbios-node-type
This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type.
Default Setting
One day
Command Modes
DHCP Pool Configuration
Example
The following example leases an address to clients using this pool for 7 days.
Console(config-dhcp)#lease 7
Console(config-dhcp)#

host
Use this command to specify the IP address and network mask to manually bind to a DHCP client. Use the no form to remove the IP address for the client.
Syntax
host address [mask]
no host
• address - Specifies the IP address of a client.
• The no host command only clears the address from the DHCP server database. It does not cancel the IP address currently in use by the host.
Example
Console(config-dhcp)#host 10.1.0.21 255.255.255.0
Console(config-dhcp)#
Related Commands
client-identifier (39-13)
hardware-address (39-14)

client-identifier
This command specifies the client identifier of a DHCP client. Use the no form to remove the client identifier.
hardware-address
This command specifies the hardware address of a DHCP client. This command is valid for manual bindings only. Use the no form to remove the hardware address.
Syntax
hardware-address hardware-address type
no hardware-address
• hardware-address - Specifies the MAC address of the client device.
• type - Indicates the following protocol used on the client device:
  - ethernet
  - ieee802
  - fddi
Default Setting
If no type is specified, the default protocol is Ethernet.
Usage Guidelines
• An address specifies the client’s IP address. If an asterisk (*) is used as the address parameter, the DHCP server clears all automatic bindings.
• Use the no host command to delete a manual binding.
• This command is normally used after modifying the address pool, or after moving DHCP service to another device.
Example.
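The pool rules above (at most 8 network pools and 32 host pools, every host binding inside a configured network pool, excluded ranges never handed out) can be checked before the configuration is typed into the switch. The following model is an added example, not code from the manual or from Asante; the pool names, the MAC addresses and the excluded range 10.1.0.1-10.1.0.20 are constructed, while 10.1.0.21 is the host binding used in the manual's own example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Limits the manual states for this switch's DHCP server.
MAX_NETWORK_POOLS = 8
MAX_HOST_POOLS = 32

IPv4 = ipaddress.IPv4Address


@dataclass
class NetworkPool:
    name: str
    network: ipaddress.IPv4Network      # from the pool's "network" command


@dataclass
class HostPool:
    name: str
    address: IPv4                       # from the pool's "host" command
    hardware_address: str               # from the pool's "hardware-address" command


@dataclass
class DhcpServerModel:
    """Offline model of the DHCP server configuration (hypothetical helper)."""
    network_pools: List[NetworkPool] = field(default_factory=list)
    host_pools: List[HostPool] = field(default_factory=list)
    excluded: List[Tuple[IPv4, IPv4]] = field(default_factory=list)

    def network_pool(self, name: str, subnet: str, mask: str) -> None:
        """Equivalent of: ip dhcp pool NAME / network SUBNET MASK."""
        net = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)
        self.network_pools.append(NetworkPool(name, net))

    def host_pool(self, name: str, address: str, hardware_address: str) -> None:
        """Equivalent of: ip dhcp pool NAME / host ADDRESS / hardware-address MAC."""
        self.host_pools.append(HostPool(name, IPv4(address), hardware_address))

    def excluded_address(self, low: str, high: Optional[str] = None) -> None:
        """Equivalent of: ip dhcp excluded-address LOW [HIGH]."""
        lo, hi = IPv4(low), IPv4(high or low)
        if hi < lo:
            raise ValueError("high-address must not be below low-address")
        self.excluded.append((lo, hi))

    def is_excluded(self, addr: IPv4) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.excluded)

    def validate(self) -> List[str]:
        """Return every rule from the manual that this configuration violates."""
        problems = []
        if len(self.network_pools) > MAX_NETWORK_POOLS:
            problems.append(f"{len(self.network_pools)} network pools exceeds the limit of {MAX_NETWORK_POOLS}")
        if len(self.host_pools) > MAX_HOST_POOLS:
            problems.append(f"{len(self.host_pools)} host pools exceeds the limit of {MAX_HOST_POOLS}")
        seen = {}
        for hp in self.host_pools:
            if not any(hp.address in np.network for np in self.network_pools):
                problems.append(f"host pool {hp.name}: {hp.address} is outside every configured network pool")
            if hp.address in seen:
                problems.append(f"host pool {hp.name}: {hp.address} is already bound by pool {seen[hp.address]}")
            seen[hp.address] = hp.name
        return problems

    def assignable(self, pool_name: str) -> List[IPv4]:
        """Addresses the server may lease dynamically from a network pool: the usable
        host addresses minus excluded ranges and minus addresses held by manual bindings."""
        pool = next(p for p in self.network_pools if p.name == pool_name)
        reserved = {hp.address for hp in self.host_pools}
        return [a for a in pool.network.hosts()
                if not self.is_excluded(a) and a not in reserved]


if __name__ == "__main__":
    cfg = DhcpServerModel()
    cfg.network_pool("lan", "10.1.0.0", "255.255.255.0")
    cfg.excluded_address("10.1.0.1", "10.1.0.20")          # constructed: routers and servers
    cfg.host_pool("printer", "10.1.0.21", "00-11-22-33-44-55")  # constructed MAC
    print("problems:", cfg.validate())
    print("dynamic addresses available:", len(cfg.assignable("lan")))
```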
Chapter 40: Router Redundancy Commands
Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
vrrp ip
This command enables the Virtual Router Redundancy Protocol (VRRP) on an interface and specifies the IP address of the virtual router. Use the no form to disable VRRP on an interface and remove the IP address from the virtual router.
Syntax
[no] vrrp group ip ip-address
• group - Identifies the virtual router group. (Range: 1-255)
• ip-address - The IP address of the virtual router. This is the IP address that end-hosts set as their default gateway.
vrrp authentication
This command specifies the key used to authenticate VRRP packets received from other routers. Use the no form to prevent authentication.
Syntax
vrrp group authentication key
no vrrp group authentication
• group - Identifies the virtual router group. (Range: 1-255)
• key - Authentication string. (Range: 1-8 alphanumeric characters)
Default Setting
No key is defined.
Command Mode
Interface (VLAN)
Command Usage
• A router that has a physical interface with the same IP address as that used for the virtual router (that is, the owner of the VRRP IP address) will become the master virtual router. The backup router with the highest priority will become the master router if the current master fails. When the original master router recovers, it will take over as the active master router again.
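The election rule just described (address owner first, then highest backup priority, owner takes back the role when it recovers) can be worked through in a small model. This is an added example, not code from the manual or from Asante; the router names and the 192.168.1.7 to 192.168.1.9 interface addresses are constructed, 192.168.1.6 is the virtual address from the manual's show vrrp example, and the tie-break by higher interface address and the master-down interval formula are taken from RFC 3768 rather than from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OWNER_PRIORITY = 255            # RFC 3768: the owner of the virtual IP always runs at 255
BACKUP_PRIORITY_RANGE = range(1, 255)


@dataclass(frozen=True)
class VrrpRouter:
    name: str
    interface_ip: str           # the router's own address on the VLAN
    priority: int               # value given with "vrrp <group> priority" (1-254)
    alive: bool = True


def is_owner(router: VrrpRouter, virtual_ip: str) -> bool:
    """The manual's 'owner': a physical interface carries the virtual router's address."""
    return router.interface_ip == virtual_ip


def effective_priority(router: VrrpRouter, virtual_ip: str) -> int:
    """The owner always wins; every other router uses its configured priority."""
    if is_owner(router, virtual_ip):
        return OWNER_PRIORITY
    if router.priority not in BACKUP_PRIORITY_RANGE:
        raise ValueError(f"{router.name}: backup priority must be 1-254")
    return router.priority


def elect_master(routers: List[VrrpRouter], virtual_ip: str) -> Optional[VrrpRouter]:
    """Highest effective priority among the live routers becomes master;
    equal priorities are broken by the higher interface address (RFC 3768)."""
    live = [r for r in routers if r.alive]
    if not live:
        return None
    return max(live, key=lambda r: (effective_priority(r, virtual_ip),
                                    int(ipaddress.IPv4Address(r.interface_ip))))


def should_preempt(current: VrrpRouter, candidate: VrrpRouter, virtual_ip: str,
                   preempt_enabled: bool) -> bool:
    """A recovered or newly started router displaces the acting master only when
    preemption is enabled on it and its priority is strictly higher. The owner
    of the virtual address preempts regardless, which is the behaviour the
    manual describes for the original master coming back."""
    if is_owner(candidate, virtual_ip):
        return True
    return preempt_enabled and (effective_priority(candidate, virtual_ip)
                                > effective_priority(current, virtual_ip))


def master_down_interval(advert_interval_s: float, priority: int) -> float:
    """Seconds a backup waits without advertisements before declaring the master down:
    3 * advertisement interval + skew time, with skew = (256 - priority) / 256 (RFC 3768)."""
    return 3 * advert_interval_s + (256 - priority) / 256


if __name__ == "__main__":
    vip = "192.168.1.6"
    owner = VrrpRouter("A", "192.168.1.6", 100)   # owns the virtual address
    b = VrrpRouter("B", "192.168.1.7", 150)
    c = VrrpRouter("C", "192.168.1.8", 150)
    print("master:", elect_master([owner, b, c], vip).name)
    print("master with A down:", elect_master([VrrpRouter("A", "192.168.1.6", 100, False), b, c], vip).name)
    print("backup timeout at priority 1, 5 s adverts:", master_down_interval(5, 1))
```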
Command Mode
Interface (VLAN)
Command Usage
• VRRP advertisements from the current master virtual router include information about its priority and current state as the master.
• VRRP advertisements are sent to the multicast address 224.0.0.18. Using a multicast address reduces the amount of traffic that has to be processed by network devices that are not part of the designated VRRP group.
master has just come on line, this delay also gives it time to gather information for its routing table before actually preempting the currently active router.
Example
Console(config-if)#vrrp 1 preempt delay 10
Console(config-if)#
Related Commands
vrrp priority (40-3)

show vrrp
This command displays status information for VRRP.
Syntax
show vrrp [brief | group]
• brief - Displays summary information for all VRRP groups on this router.
• group - Identifies a VRRP group.
Example
This example displays the full listing of status information for all groups.
Console#show vrrp
Vlan 1 - Group 1,
 State                          Master
 Virtual IP Address             192.168.1.6
 Virtual MAC Address            00-00-5E-00-01-01
 Advertisement Interval         5 sec
 Preemption                     Enabled
 Min Delay                      10 sec
 Priority                       1
 Authentication                 SimpleText
 Authentication Key             bluebird
 Master Router                  192.168.1.
 Master Priority
 Master Advertisement Interval
 Master Down Interval
Console#
Table 40-4 show vrrp brief - display description
Field         Description
Interface     VLAN interface
Grp           VRRP group
State         VRRP role of this interface (master or backup)
Virtual addr  Virtual address that identifies this VRRP group
Int           Interval at which the master virtual router advertises its role as the master
Pre           Shows whether or not a higher priority router can preempt the current acting master
Prio          Priority of this router

show vrrp interface
This command displays st
show vrrp router counters
This command displays counters for errors found in VRRP protocol packets.
Command Mode
Privileged Exec
Example
Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number.
clear vrrp router counters
This command clears VRRP system statistics.
Command Mode
Privileged Exec
Example
Console#clear vrrp router counters
Console#

clear vrrp interface counters
This command clears VRRP system statistics for the specified group and interface.
Syntax
clear vrrp group interface interface counters
• group - Identifies a VRRP group. (Range: 1-255)
• interface - Identifier of configured VLAN interface.
Chapter 41: IP Interface Commands
An IP address may be used for management access to the router over your network or to connect the switch to existing IP subnets. An IPv4 address is obtained via DHCP by default for VLAN 1. You can also manually configure a new address for other VLANs on the router to enable management access through these VLANs or to connect the router to existing IP subnets.
Table 41-2 Basic IP Configuration Commands (Continued)
Command                   Function                                                                                   Mode    Page
IP Version 6 Interface Address Configuration and Utilities
ipv6 enable               Enables IPv6 on an interface that has not been configured with an explicit IPv6 address   IC
ipv6 general-prefix       Defines an IPv6 general prefix for the network address segment                             GC      41-8
show ipv6 general-prefix  Displays all configured IPv6 general prefixes                                              NE, PE  41-9
ipv6 address              Configures an IPv6 global unicast addre
ip address
This command sets the IPv4 address for the currently selected VLAN interface. Use the no form to restore the default IP address.
Syntax
ip address {ip-address netmask | bootp | dhcp} [secondary]
no ip address
• ip-address - IP address
• netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
• bootp - Obtains IP address from BOOTP.
• dhcp - Obtains IP address from DHCP.
uses a secondary address, all other routers in that segment must also use a secondary address from the same network or subnet address space.
• If bootp or dhcp options are selected, the system will immediately start broadcasting service requests. IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address.
Example
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.254
Console(config)#
Related Commands
ip route (42-2)
show ip redirects (41-5)
ipv6 default-gateway (41-17)

show ip interface
This command displays the settings of an IPv4 interface.
Command Mode
Privileged Exec
Example
Console#show ip interface
Vlan 1 is up, addressing mode is DHCP
Interface address is 192.168.0.2, mask is 255.255.255.
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
Syntax
ping host [size size] [count count]
• host - IP address or IP alias of the host.
• size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
• count - Number of packets to send.
Related Commands
interface (27-1)
ping ipv6 (41-25)

ipv6 enable
This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address. Use the no form to disable IPv6 on an interface that has not been configured with an explicit IPv6 address.
Related Commands
ipv6 address link-local (41-13)
show ipv6 interface (41-14)

ipv6 general-prefix
This command defines an IPv6 general prefix for the network address segment. Use the no form to remove the IPv6 general prefix.
Syntax
ipv6 general-prefix prefix-name ipv6-prefix/prefix-length
no ipv6 general-prefix prefix-name
• prefix-name - The label assigned to the general prefix.
• ipv6-prefix - The high-order bits of the network address segment assigned to the general prefix.
show ipv6 general-prefix
This command displays all configured IPv6 general prefixes.
Command Mode
Normal Exec, Privileged Exec
Example
This example displays a single IPv6 general prefix configured for the router.
Console#show ipv6 general-prefix
IPv6 general prefix: rd 2009:DB9:2229::/48
Console#

ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface.
apply to one or more specific interfaces, and are therefore specified by this command at the interface configuration level.
• If a link-local address has not yet been assigned to this interface, this command will assign the specified static global unicast address and also dynamically generate a link-local unicast address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the router’s MAC address in modified EUI-64 format.
Default Setting
No IPv6 addresses are defined
Command Mode
Interface Configuration (VLAN)
Command Usage
• If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address and a link local address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the router’s MAC address in modified EUI-64 format.
ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
• This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device, as long as those interfaces are attached to different subnets.
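The modified EUI-64 derivation described above (split the MAC, insert FF-FE, invert the universal/local bit, prepend a /64 prefix) is worked through here, together with the reverse step that tells an operator whether an observed IPv6 address exposes a device's MAC. This is an added example, not code from the manual or from Asante; it assumes the MAC address 28-9F-18-1C-82-35, which is the one that yields the identifier 2A-9F-18-FF-FE-1C-82-35 quoted in the text, and the /64 subnet 2009:DB9:2229:1::/64 is constructed inside the general prefix shown earlier.

```python
import ipaddress
import re
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept 28-9F-18-1C-82-35, 28:9f:18:1c:82:35 or 289f.181c.8235 and return 6 bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier the text describes: FF-FE is inserted
    between the 24-bit company id and the 24-bit extension id, and the
    universal/local bit (bit 1 of the first octet, value 0x02) is inverted."""
    m = parse_mac(mac)
    first = m[0] ^ 0x02
    return bytes([first]) + m[1:3] + b"\xff\xfe" + m[3:]


def format_eui64(iid: bytes) -> str:
    """Render bytes the way the manual writes identifiers: 2A-9F-18-FF-FE-1C-82-35."""
    return "-".join(f"{b:02X}" for b in iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 identifier, which is what the
    ipv6 address eui-64 command does with the interface's own MAC address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface id fills exactly the low 64 bits; use a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 link-local address the switch derives when none is configured."""
    return eui64_address("FE80::/64", mac)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Reverse the derivation. Returns None when the low 64 bits carry no FF-FE
    marker, i.e. the address was not built from a MAC. An address that does
    reverse reveals the hardware address of the interface to anyone who sees it."""
    low = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if low[3:5] != b"\xff\xfe":
        return None
    first = low[0] ^ 0x02                      # undo the universal/local bit flip
    return format_eui64(bytes([first]) + low[1:3] + low[5:])


if __name__ == "__main__":
    mac = "28-9F-18-1C-82-35"                  # assumed MAC behind the manual's identifier
    print("interface id :", format_eui64(modified_eui64(mac)))
    print("link-local   :", link_local_address(mac))
    print("global       :", eui64_address("2009:DB9:2229:1::/64", mac))  # constructed /64
    print("MAC recovered:", mac_from_eui64_address(str(link_local_address(mac))))
```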
Command Mode
Interface Configuration (VLAN)
Command Usage
• The address specified with this command replaces a link-local address that was automatically generated for the interface.
• You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
• If a duplicate address is detected, a warning message is sent to the console.
Example
This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1.
values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
• prefix-length - A decimal value indicating how many of the contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Command Mode
Normal Exec, Privileged Exec
Example
This example displays all the IPv6 addresses configured for the router.
Table 41-3 show ipv6 interface - display description (Continued)
Field                     Description
Joined group address(es)  In addition to the unicast addresses assigned to an interface, a node is required to join the all-nodes multicast addresses FF01::1 and FF02::1 for all IPv6 nodes within scope 1 (interface-local) and scope 2 (link-local), respectively.
ipv6 default-gateway
This command sets an IPv6 default gateway to use for destinations with no known next hop. Use the no form to remove a previously configured default gateway.
Syntax
ipv6 default-gateway ipv6-address
no ipv6 address
ipv6-address - The IPv6 address of the default next hop router to use when no other routing information is known about an IPv6 address.
Example
The following shows the default gateway configured for this device:
Console#show ipv6 default-gateway
ipv6 default gateway: FE80::269:3EF9:FE19:6780
Console#
Related Commands
show ip redirects (41-5)

ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. Use the no form to restore the default setting.
Syntax
ipv6 mtu size
no ipv6 mtu
size - Specifies the MTU size.
show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this router.
Console#show ipv6 traffic
(IPv6 statistics, continued: generated, fragments, fragmented failed, encapsulation failed, no route, too big, mcast, mcast received, mcast sent)
ICMP Statistics:
(icmp input: input, checksum errors, too short, unknown info type, unknown error type, unreach routing, unreach admin, unreach neighbor, unreach address, unreach port, parameter error, parameter header, parameter option, hopcount expired, reassembly timeout, too big, echo request, echo reply, group query, group report, group reduce, router solicit, router a)
UDP Statistics:
 input              1
 checksum errors    0
 length errors      0
 no port            1
 dropped            0
 output             1
TCP Statistics:
 input              1911
 checksum errors    0
 output             4339
 retransmitted      0
Console#
Table 41-5 show ipv6 traffic - display description
Field            Description
IPv6 Statistics
Ipv6 rcvd
rcvd total       The total number of input datagrams received by the interface, including those received in error.
source routed    The number of source-routed packets.
Table 41-5 show ipv6 traffic - display description (Continued)
Field                Description
reassembly failures  The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
unreach admin        The number of ICMP destination unreachable/communication administratively prohibited messages received by the interface.
unreach neighbor     Indicates that the destination is beyond the scope of the source address. For example, the source may be a local site or the destination may not have a route back to the source.
parameter error      The number of ICMP Parameter Problem messages sent by the interface.
parameter header     The number of Send ICMP parameter problem messages caused by an unrecognized header error.
parameter option     The number of Send ICMP parameter problem messages caused by an unrecognized option error.
clear ipv6 traffic
This command resets IPv6 traffic counters.
Command Mode
Privileged Exec
Command Usage
This command resets all of the counters displayed by the show ipv6 traffic command.
Example
Console#clear ipv6 traffic
Console#

ping ipv6
This command sends ICMP echo request packets to an IPv6 node on the network.
Command Usage
• Ping sends an echo request to the specified address, and waits for a reply.
• Ping output can help determine path reliability, path delays, and if the host is reachable or functioning.
• If the system cannot map an address for a host name, it returns the message “Can not get address information for host,” or “protocol not running.”
• To terminate a ping session, type the escape sequence Ctrl-X.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Address Resolution Protocol (ARP) has been replaced in IPv6 with the Neighbor Discovery Protocol (NDP).
• The ipv6 neighbor command is similar to the mac-address-table static command (page 31-1) that is implemented using ARP.
• Static entries can only be configured on an IPv6-enabled interface.
Default Setting
1
Command Mode
Interface Configuration (VLAN)
Command Usage
• Configuring a value of 0 disables duplicate address detection.
• Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
• Duplicate address detection is stopped on any interface that has been suspended (see the vlan command on page 34-6).
Example
The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd dad attempts 5
Console(config-if)#end
Console#show ipv6 interface
Vlan 1 is up
IPv6 is stalled.
reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations.
Example
The following sets the interval between sending neighbor solicitation messages to 30000 milliseconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd ns-interval 30000
Console(config-if)#end
Console#show ipv6 interface
Vlan 1 is up
IPv6 is enable.
Example
The following shows all known IPv6 neighbors for this router:
Console#show ipv6 neighbors
IPv6 Address            Age   Link-layer Addr     State  Vlan
2009:DB9:2229::79       666   00-00-E8-90-00-00   STALE  1
FE80::200:E8FF:FE90:0   671   00-00-E8-90-00-00   STALE  1
Console#
Table 41-6 show ipv6 neighbors - display description
Field         Description
IPv6 Address  IPv6 address of neighbor
Age           The time since the address was verified as reachable (in minutes).
clear ipv6 neighbors
This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
Command Mode
Privileged Exec
Example
The following deletes all dynamic entries in the IPv6 neighbor cache:
Console#clear ipv6 neighbors
Console#

Address Resolution Protocol (ARP)
This section describes commands used to configure ARP on the switch.
• You may need to enter a static entry in the cache if there is no response to an ARP broadcast message. For example, some applications may not respond to ARP requests or the response arrives too late, causing network operations to time out.
Example
Console(config)#arp 10.1.0.19 01-02-03-04-05-06
Console(config)#
Related Commands
clear arp-cache
show arp

arp timeout
This command sets the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache.
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Are you sure to continue this operation (y/n)?y
Console#

show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
ip proxy-arp
This command enables proxy Address Resolution Protocol (ARP). Use the no form to disable proxy ARP.
Syntax
[no] ip proxy-arp
Default Setting
Disabled
Command Mode
Interface Configuration (VLAN)
Command Usage
• Proxy ARP allows a non-routing device to determine the MAC address of a host on another subnet or network.
• End stations that require Proxy ARP must view the entire network as a single network.
Chapter 42: IP Routing Commands
After you configure network interfaces for this router, you must set the paths used to send traffic between different interfaces. If you enable routing on this device, traffic will automatically be forwarded between all of the local subnetworks.
Command Mode
Global Configuration
Command Usage
• The command affects both static and dynamic unicast routing.
• If IP routing is enabled, all IP packets are routed using either static routing or dynamic routing via RIP or OSPF, and other packets for all non-IP protocols (e.g., NetBEUI, NetWare or AppleTalk) are switched based on MAC addresses. If IP routing is disabled, all packets are switched, with filtering and forwarding decisions based strictly on MAC addresses.
clear ip route
This command removes dynamically learned entries from the IP routing table.
Syntax
clear ip route {network [netmask] | *}
• network - Network or subnet address.
• netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
• * - Removes all dynamic routing table entries.
Command Mode
Privileged Exec
Command Usage
• This command only clears dynamically learned routes.
Example
Console#show ip route
Ip Address       Netmask          Next Hop         Protocol   Metric Interface
---------------  ---------------  ---------------  ---------- ------ ---------
0.0.0.0          0.0.0.0          10.2.48.102      static     0      1
10.2.48.2        255.255.252.0    10.2.48.16       local      0      1
10.2.5.6         255.255.255.0    10.2.8.12        RIP        1      2
10.3.9.1         255.255.255.0    10.2.9.
show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
Command Mode
Privileged Exec
Command Usage
For a description of the information shown by this command, see “Displaying Statistics for IP Protocols” on page 19-16.
Table 42-5 Routing Information Protocol Commands (Continued)
Command                 Function                                                                                                                          Mode  Page
version                 Specifies the RIP version to use on all network interfaces (if not already specified with a receive version or send version command)  RC    42-11
redistribute            Redistribute routes from one routing domain to another                                                                            RC    42-11
ip rip receive version  Sets the RIP receive version to use on a network interface                                                                        IC    42-12
ip rip send version     Sets the RIP send version to use on a network
default-metric
This command sets the default metric assigned to external routes imported from other protocols. Use the no form to restore the default value.
Syntax
default-metric metric-value
no default-metric
metric-value - Metric assigned to external routes. (Range: 0-15)
Command Mode
Router Configuration
Default Setting
8
Command Usage
• This command does not override the metric value set by the redistribute command (see page 42-11).
timers basic
This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults.
Syntax
timers basic update-seconds
no timers basic
update-seconds - Sets the update timer to the specified value, sets the timeout time value to 6 times the update time, and sets the garbage-collection timer to 4 times the update time.
network
This command specifies the network interfaces that will be included in the RIP routing process. Use the no form to remove an entry.
Syntax
[no] network subnet-address
subnet-address - IP address of a network directly connected to this router.
Command Mode
Router Configuration
Default Setting
No networks are specified.
Command Usage
• RIP only sends updates to interfaces specified by this command.
Command Usage
This command can be used to configure a static neighbor with which this router will exchange information, rather than relying on broadcast messages generated by the RIP protocol.
Example
Console(config-router)#neighbor 10.2.0.254
Console(config-router)#

version
This command specifies a RIP version used globally by the router. Use the no form to restore the default value.
redistribute
This command imports external routing information from other routing domains (that is, protocols or static routes) into the autonomous system. Use the no form to disable this feature.
Syntax
[no] redistribute {ospf | static} [metric ]
• ospf - External routes will be imported from the Open Shortest Path First (OSPF) protocol into this routing domain.
• static - Static routes will be imported into this routing domain.
This example redistributes static routes and sets the metric for all of these routes to a value of 3.
Console(config-router)#redistribute static metric 3
Console(config-router)#
Related Commands
default-metric (42-7)

ip rip receive version
This command specifies a RIP version to receive on an interface. Use the no form to restore the default value.
Syntax
ip rip receive version {none | 1 | 2 | 1 2}
no ip rip receive version
• none - Does not accept incoming RIP packets.
ip rip send version
This command specifies a RIP version to send on an interface. Use the no form to restore the default value.
Syntax
ip rip send version {none | 1 | 2 | v2-broadcast}
no ip rip send version
• none - Does not transmit RIP updates.
• 1 - Sends only RIPv1 packets.
• 2 - Sends only RIPv2 packets.
• v2-broadcast - Route information is broadcast to other routers with RIPv2.
ip split-horizon
This command enables split-horizon or poison-reverse (a variation) on an interface. Use the no form to disable split-horizon.
Syntax
ip split-horizon [poison-reverse]
no ip split-horizon
poison-reverse - Enables poison-reverse on the current interface.
Command Mode
Interface Configuration (VLAN)
Default Setting
split-horizon
Command Usage
• Split horizon never propagates routes back to an interface from which they have been acquired.
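The difference between the three settings of this command (no split horizon, split horizon, poison reverse) shows up in what a router puts into the update it sends out of a given interface, and in how the neighbour treats a metric of 16. The following model is an added example, not code from the manual or from Asante; the routing table entries and the interface names vlan1 and vlan2 are constructed, and the receive rules follow RFC 2453 rather than anything stated on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RIP_INFINITY = 16          # a RIP metric of 16 means "unreachable"

# Horizon modes, matching the command forms on this page.
NO_SPLIT_HORIZON = "none"          # no ip split-horizon
SPLIT_HORIZON = "split-horizon"    # ip split-horizon (the default)
POISON_REVERSE = "poison-reverse"  # ip split-horizon poison-reverse


@dataclass
class RipRoute:
    network: str                        # e.g. "10.2.5.0/24"
    metric: int                         # hop count 1-15, or 16 when unreachable
    learned_from: Optional[str] = None  # interface the update arrived on; None for local/static


def build_update(table: List[RipRoute], out_interface: str,
                 mode: str = SPLIT_HORIZON) -> List[Tuple[str, int]]:
    """Entries this router advertises out of out_interface.
    none:           every route goes out, including those learned on this interface
    split-horizon:  routes learned on out_interface are omitted
    poison-reverse: they are sent, but with metric 16 so the neighbour drops them at once"""
    if mode not in (NO_SPLIT_HORIZON, SPLIT_HORIZON, POISON_REVERSE):
        raise ValueError(f"unknown horizon mode {mode!r}")
    update = []
    for r in table:
        if r.learned_from == out_interface and r.metric < RIP_INFINITY:
            if mode == SPLIT_HORIZON:
                continue
            if mode == POISON_REVERSE:
                update.append((r.network, RIP_INFINITY))
                continue
        update.append((r.network, r.metric))
    return update


def process_update(table: List[RipRoute], in_interface: str,
                   entries: List[Tuple[str, int]]) -> List[RipRoute]:
    """Receive side (RFC 2453 style): add one hop, install new or better routes,
    and always believe the neighbour a route already points through, even when
    it now reports 16. Returns the updated table."""
    by_net: Dict[str, RipRoute] = {r.network: r for r in table}
    for net, metric in entries:
        new_metric = min(metric + 1, RIP_INFINITY)
        current = by_net.get(net)
        if current is None:
            if new_metric < RIP_INFINITY:
                by_net[net] = RipRoute(net, new_metric, in_interface)
        elif current.learned_from == in_interface or new_metric < current.metric:
            current.metric = new_metric
            current.learned_from = in_interface
    return list(by_net.values())


if __name__ == "__main__":
    # Constructed table: one directly connected network (advertised at link cost 1)
    # and one network learned from a RIP neighbour on vlan2.
    table = [RipRoute("10.2.48.0/22", 1), RipRoute("10.2.5.0/24", 1, "vlan2")]
    for mode in (NO_SPLIT_HORIZON, SPLIT_HORIZON, POISON_REVERSE):
        print(f"{mode:15} -> vlan2:", build_update(table, "vlan2", mode))
    table = process_update(table, "vlan2", [("10.2.5.0/24", 16)])   # neighbour poisons it
    print("after poison     ->", [(r.network, r.metric) for r in table])
```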
• For authentication to function properly, both the sending and receiving interface must be configured with the same password.
Example
This example sets an authentication password of “small” to verify incoming routing messages and to tag outgoing routing messages.
Example
This example sets the authentication mode to plain text.
Console(config)#interface vlan 1
Console(config-if)#ip rip authentication mode text
Console(config-if)#
Related Commands
ip rip authentication key (42-14)

show rip globals
This command displays global configuration settings for RIP.
Example
Console#show ip rip configuration
Interface        SendMode         ReceiveMode    Poison          Authentication
---------------  ---------------  -------------  --------------  -----------------
10.1.0.253       rip1Compatible   RIPv1Orv2      SplitHorizon    noAuthentication
10.1.1.253       rip1Compatible   RIPv1Orv2      SplitHorizon    noAuthentication
Console#show ip rip status
Interface        RcvBadPackets    RcvBadRoutes   SendUpdates
---------------  ---------------  -------------  --------------
10.1.0.253       0                0              13
10.1.1.
Open Shortest Path First (OSPF)
This section describes commands used to configure OSPF global and interface parameters for dynamic routing on the switch.
Table 42-8 Open Shortest Path First Commands (Continued)
Command                      Function                                                                                               Mode  Page
show ip ospf                 Displays general information about the routing processes                                               PE    42-39
show ip ospf border-routers  Displays routing table entries for Area Border Routers (ABR) and Autonomous System Boundary Routers (ASBR)  PE    42-40
show ip ospf database        Shows information about different LSAs in the database                                                 PE    42-41
show ip ospf interface       Displays interface information                                                                         PE    42-49
s
router-id
This command assigns a unique router ID for this device within the autonomous system. Use the no form to use the default router identification method (i.e., the lowest interface address).
Syntax
router-id ip-address
no router-id
ip-address - Router ID formatted as an IP address.
Command Mode
Router Configuration
Default Setting
Lowest interface address
Command Usage
• The router ID must be unique for every router in the autonomous system.
Command Usage
• When RFC 1583 compatibility is enabled, only cost is used when choosing among multiple AS-external LSAs advertising the same destination. When disabled, preference is based on type of path, using cost only to break ties (see RFC 2328).
• All routers in an OSPF routing domain should use the same RFC for calculating summary routes.
System Boundary Router (ASBR). However, an ASBR does not, by default, generate a default route into the routing domain.
• If you use the always keyword, the router will advertise itself as a default external route into the AS, even if a default external route does not actually exist. (To define a default route, use the ip route command.)
Example
Console(config-router)#timers spf 20
Console(config-router)#
area range
This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function.
Syntax
[no] area area-id range ip-address netmask [advertise | not-advertise]
• area-id - Identifies an area for which the routes are summarized. (The area ID must be in the form of an IPv4 address.)
• ip-address - Base address for the routes to summarize.
area default-cost
This command specifies a cost for the default summary route sent into a stub or not-so-stubby area (NSSA) from an Area Border Router (ABR). Use the no form to remove the assigned default cost.
Syntax
area area-id default-cost cost
no area area-id default-cost
• area-id - Identifier for a stub or NSSA, in the form of an IPv4 address.
• cost - Cost for the default summary route sent to a stub or NSSA.
Command Usage
• Redistributing routes from other protocols into OSPF normally requires the router to advertise each route individually in an external LSA. An Autonomous System Boundary Router (ASBR) can instead be configured to redistribute routes learned from other protocols by advertising an aggregate route into all attached autonomous systems. This helps decrease both the number of external LSAs and the size of the OSPF link state database.
Command Usage
• This command is used to import routes learned from other routing protocols into the OSPF domain, and to generate AS-external-LSAs.
• When external routes are redistributed into an OSPF autonomous system (AS), the router automatically becomes an autonomous system boundary router (ASBR).
Command Usage
• An area ID uniquely defines an OSPF broadcast area. The area ID 0.0.0.0 indicates the OSPF backbone for an autonomous system.
• Each router (which is not already part of the backbone) must be connected to the backbone via a direct connection or a virtual link.
• Set the area ID to the same value for all routers on a network segment, using the network mask to add one or more interfaces to an area.
Command Mode
Router Configuration
Default Setting
No stub is configured. Summary advertisements are sent into the stub.
Command Usage
• All routers in a stub must be configured with the same area ID using this command.
• Routing table space is saved in a stub by blocking Type-4 AS summary LSAs and Type-5 external LSAs.
• default-information-originate - When the router is an NSSA Area Border Router (ABR) or an NSSA Autonomous System Boundary Router (ASBR), this parameter causes it to generate a Type-7 default LSA into the NSSA. This default provides a route to other areas within the AS for an NSSA ABR, or to areas outside the AS for an NSSA ASBR.
Command Mode
Router Configuration
Default Setting
No NSSA is configured.
area virtual-link
This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.
the same for all routers attached to an autonomous system. (Range: 1-65535 seconds; Default: 4 x hello interval, or 40 seconds)
• hello-interval seconds - Specifies the interval between successive hello packets. Setting the hello interval to a smaller value can reduce the delay in detecting topological changes, but will increase the routing traffic. This value must be the same for all routers attached to an autonomous system.
Example
This example creates a virtual link using the defaults for all optional parameters.
Console(config-router)#network 10.4.0.0 0.255.255.0.0 area 10.4.0.0
Console(config-router)#area 10.4.0.0 virtual-link 10.4.3.254
Console(config-router)#
This example creates a virtual link using MD5 authentication.
Console(config-router)#network 10.4.0.0 0.255.255.0.0 area 10.4.0.0
Console(config-router)#area 10.4.0.0 virtual-link 10.4.3.
authentication key. Without the proper key and key-id, it is nearly impossible to produce any message that matches the pre-specified target message digest.
• Before specifying plain-text password authentication for an interface, configure a password with the ip ospf authentication-key command. Before specifying MD5 authentication for an interface, configure the message-digest key-id and key with the ip ospf message-digest-key command.
Example
This example sets a password for the specified interface.
Console(config)#interface vlan 1
Console(config-if)#ip ospf authentication-key badboy
Console(config-if)#
Related Commands
ip ospf authentication (42-32)
ip ospf message-digest-key
This command enables message-digest (MD5) authentication on the specified interface and assigns a key-id and key to be used by neighboring routers. Use the no form to remove an existing key.
Example
This example sets a message-digest key identifier and password.
Console(config)#interface vlan 1
Console(config-if)#ip ospf message-digest-key 1 md5 aiebel
Console(config-if)#
Related Commands
ip ospf authentication (42-32)
ip ospf cost
This command explicitly sets the cost of sending a packet on an interface. Use the no form to restore the default value.
Syntax
ip ospf cost cost
no ip ospf cost
cost - Link metric for this interface.
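As an added example (not from this manual), the following Python shows what the message-digest key configured above does on the wire: it builds an OSPFv2 Hello, attaches the MD5 trailer as described in RFC 2328 Appendix D, and performs the receiver-side checks that reject a wrong key, a modified packet, or a replayed sequence number. The router IDs, area, key-id and key are constructed sample values chosen to mirror the manual's examples.

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.
All router IDs, area, key id and key below are constructed sample values."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HDR_LEN = 24      # fixed OSPFv2 header length
DIGEST_LEN = 16   # MD5 digest appended after the packet proper


def ip(addr: str) -> bytes:
    return IPv4Address(addr).packed


def build_hello(router_id, area_id, mask, hello=10, dead=40, neighbors=()):
    """Unauthenticated Hello: OSPF header (AuType 0) followed by the Hello body."""
    body = ip(mask) + struct.pack("!HBBI", hello, 0x02, 1, dead)   # options E, priority 1
    body += ip("0.0.0.0") + ip("0.0.0.0")                           # DR and BDR unknown
    body += b"".join(ip(n) for n in neighbors)
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, HDR_LEN + len(body), ip(router_id),
                      ip(area_id), 0, AUTH_NONE, b"\x00" * 8)
    return hdr + body


def md5_trailer(packet: bytes, key: str) -> bytes:
    """MD5 over the packet (checksum field zero) plus the key padded to 16 bytes."""
    padded = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + padded).digest()


def sign_md5(packet: bytes, key_id: int, key: str, seq: int) -> bytes:
    """Sender side: AuType 2, auth field = (0, key id, 16, crypto seq), digest appended."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    signed = packet[:12] + struct.pack("!HH", 0, AUTH_MD5) + auth + packet[HDR_LEN:]
    return signed + md5_trailer(signed, key)


def verify_md5(wire: bytes, keys: dict, last_seq: int):
    """Receiver side: returns (accepted, reason). keys maps key id -> key string;
    last_seq is the highest sequence number already accepted from this neighbor."""
    if len(wire) < HDR_LEN:
        return False, "short packet"
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype != AUTH_MD5:
        return False, "AuType is not cryptographic"
    if len(wire) != length + DIGEST_LEN:
        return False, "length field does not match packet plus digest"
    key_id, auth_len, seq = struct.unpack("!xxBBI", wire[16:24])
    if auth_len != DIGEST_LEN or key_id not in keys:
        return False, "unknown key id or bad auth data length"
    if seq < last_seq:                      # replayed or out-of-order packet
        return False, "cryptographic sequence number went backwards"
    expected = md5_trailer(wire[:length], keys[key_id])
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch"    # wrong key or modified packet
    return True, "ok"


if __name__ == "__main__":
    hello = build_hello("10.1.1.253", "10.1.0.0", "255.255.255.0", neighbors=["10.1.1.252"])
    wire = sign_md5(hello, 1, "aiebel", 100)
    print(verify_md5(wire, {1: "aiebel"}, 99))        # (True, 'ok')
    print(verify_md5(wire, {1: "other"}, 99))         # (False, 'digest mismatch')
```

With plain-text authentication (ip ospf authentication-key) the password itself occupies the 8-byte authentication field of every packet, so any host on the segment can read it; the digest scheme above never places the key on the wire.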
ip ospf dead-interval
This command sets how long hello packets may go unseen before neighbors declare the router down. Use the no form to restore the default value.
Syntax
ip ospf dead-interval seconds
no ip ospf dead-interval
seconds - The maximum time that neighbor routers can wait for a hello packet before declaring the transmitting router down. This interval must be set to the same value for all routers on the network.
Command Usage
Hello packets are used to inform other routers that the sending router is still active. Setting the hello interval to a smaller value can reduce the delay in detecting topological changes, but will increase routing traffic.
ip ospf retransmit-interval
This command specifies the time between resending link-state advertisements (LSAs). Use the no form to restore the default value.
Syntax
ip ospf retransmit-interval seconds
no ip ospf retransmit-interval
seconds - Sets the interval at which LSAs are retransmitted from this interface.
Command Usage
• LSAs have their age incremented by this delay before transmission. When estimating the transmit delay, consider both the transmission and propagation delays for an interface. Set the transmit delay according to link speed, using larger values for lower-speed links.
• If this delay is not added, the time required to transmit an LSA over the link is not taken into consideration by the routing process.
Table 42-9 show ip ospf - display description (Continued)
Field                   Description
Number of interfaces    The number of interfaces attached to this area
SPF algorithm executed  The number of times the shortest path first algorithm has been executed for this area
show ip ospf border-routers
This command shows entries in the routing table that lead to an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR).
show ip ospf database
This command shows information about different OSPF Link State Advertisements (LSAs) stored in this router’s database.
Command Mode
Privileged Exec
Examples
The following shows output for the show ip ospf database command.
Console#show ip ospf database
Displaying Router Link States(Area 10.1.0.0)
Link ID         ADV Router      Age    Seq#        Checksum
--------------- --------------- ------ ----------- ----------
10.1.1.252      10.1.1.252      26     0X80000005  0X89A1
10.1.1.253      10.1.1.253      23     0X80000002  0X8D9D
Displaying Net Link States(Area 10.1.0.
The following shows output when using the asbr-summary keyword.
Console#show ip ospf database asbr-summary
OSPF Router with id(10.1.1.253)
Displaying Summary ASB Link States(Area 0.0.0.0)
LS age: 433
Options: (No TOS-capability)
LS Type: Summary Links (AS Boundary Router)
Link State ID: 192.168.5.1 (AS Boundary Router's Router ID)
Advertising Router: 192.168.1.5
LS Sequence Number: 80000002
LS Checksum: 0x51E2
Length: 32
Network Mask: 255.255.255.
The following shows output when using the database-summary keyword.
Console#show ip ospf database database-summary
Area ID (10.1.0.
The following shows output when using the external keyword.
Console#show ip ospf database external
OSPF Router with id(192.168.5.1) (Autonomous system 5)
Displaying AS External Link States
LS age: 433
Options: (No TOS-capability)
LS Type: AS External Link
Link State ID: 10.1.1.253 (External Network Number)
Advertising Router: 10.1.2.254
LS Sequence Number: 80000002
LS Checksum: 0x51E2
Length: 32
Network Mask: 255.255.0.
The following shows output when using the network keyword.
Console#show ip ospf database network
OSPF Router with id(10.1.1.253)
Displaying Net Link States(Area 10.1.0.0)
Link State Data Network (Type 2)
------------------------------
LS age: 433
Options: Support External routing capability
LS Type: Network Links
Link State ID: 10.1.1.252 (IP interface address of the Designated Router)
Advertising Router: 10.1.1.
The following shows output when using the router keyword.
Console#show ip ospf database router
OSPF Router with id(10.1.1.253)
Displaying Router Link States(Area 10.1.0.0)
Link State Data Router (Type 1)
------------------------------
LS age: 233
Options: Support External routing capability
LS Type: Router Links
Link State ID: 10.1.1.252 (Originating Router's Router ID)
Advertising Router: 10.1.1.
Table 42-16 show ip ospf router - display description (Continued)
Field                  Description
Number of TOS metrics  Type of Service metric – This router only supports TOS 0 (or normal service)
Metrics                Cost of the link
The following shows output when using the summary keyword.
Console#show ip ospf database summary
OSPF Router with id(10.1.1.253)
Displaying Summary Net Link States(Area 10.1.0.
show ip ospf interface
This command displays summary information for OSPF interfaces.
Syntax
show ip ospf interface [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4093)
Command Mode
Privileged Exec
Example
Console#show ip ospf interface vlan 1
Vlan 1 is up
  Interface Address 10.1.1.253, Mask 255.255.255.0, Area 10.1.0.0
  Router ID 10.1.1.253, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router id 10.1.1.252, Interface address 10.1.
show ip ospf neighbor
This command displays information about neighboring routers on each interface within an OSPF area.
Syntax
show ip ospf neighbor
Command Mode
Privileged Exec
Example
Console#show ip ospf neighbor
ID              Pri    State            Address
--------------- ------ ---------------- --------------
10.1.1.252      1      FULL/DR          10.1.1.
show ip ospf summary-address
This command displays all summary address information.
Syntax
show ip ospf summary-address
Command Mode
Privileged Exec
Example
This example shows a summary address and associated network mask.
Console#show ip ospf summary-address
10.1.0.0/255.255.0.0
Console#
Related Commands
summary-address (42-24)
show ip ospf virtual-links
This command displays detailed information about virtual links.
Section IV: Appendices
This section provides additional information on the following topics.
Software Specifications    A-1
Troubleshooting
Appendix A: Software Specifications
Software Features
Authentication
Local, RADIUS, TACACS+, Port (802.
Quality of Service
DiffServ supports class maps, policy maps, and service policies
Multicast Filtering
IGMP Snooping
IP Routing
ARP, Proxy ARP
Static routes
RIP, RIPv2 and OSPFv2 dynamic routing
VRRP (Virtual Router Redundancy Protocol)
Additional Features
BOOTP client
CIDR (Classless Inter-Domain Routing)
SNTP (Simple Network Time Protocol)
SNMP (Simple Network Management Protocol)
RMON (Remote Monitoring, groups 1, 2, 3, 9)
SMTP Email Alerts
Management Features
In-Band Management
Management Information Bases A
IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet (fiber and short-haul copper)
Link Aggregation Control Protocol (LACP)
Full-duplex flow control (ISO/IEC 8802-3)
IEEE 802.3ac VLAN tagging
IEEE 802.
IPV6-ICMP-MIB (RFC 2066)
IPV6-TCP-MIB (RFC 2052)
IPV6-UDP-MIB (RFC 2054)
MAU MIB (RFC 3636)
MIB II (RFC 1213)
OSPF MIB (RFC 1850)
Port Access Entity MIB (IEEE 802.
Appendix B: Troubleshooting
Problems Accessing the Management Interface
Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
• Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Designate the SNMP host that is to receive the error messages.
4. Repeat the sequence of commands or other actions that lead up to the error.
5.
Glossary
Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Address Resolution Protocol (ARP)
ARP converts between IP addresses and MAC (i.e., hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
Dynamic Host Configuration Protocol (DHCP)
Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options.
Extended Universal Identifier (EUI)
An address format used by IPv6 to identify the host portion of the network address.
IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q
VLAN Tagging - Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
IEEE 802.1p
An IEEE standard for providing quality of service (QoS) in Ethernet networks.
Internet Control Message Protocol (ICMP)
A network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.
Internet Group Management Protocol (IGMP)
A protocol through which hosts can register with their local router for multicast services.
MD5 Message-Digest Algorithm
An algorithm that is used to create digital signatures. It is intended for use with 32-bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
Quality of Service (QoS)
QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow.
Spanning Tree Algorithm (STA)
A technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
Telnet
Defines a remote communication facility for interfacing to a terminal device over TCP/IP.
device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
XModem
A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
Index
Numerics
802.1Q tunnel 11-12, 34-14
  configuration, guidelines 11-15, 34-14
  configuration, limitations 11-15
  description 11-12
  ethernet type 11-16, 34-16
  interface configuration 11-16, 11-17, 34-15–34-16
  mode selection 11-17, 34-15
  status, configuring 11-16, 34-15
  TPID 11-16, 34-16
  uplink 11-17, 34-15
802.
  name server list 16-1, 38-4
  static entries 16-3, 38-1
Domain Name Service See DNS
downloading software 4-22, 23-11
DSA encryption 6-12, 25-20
DSCP
  enabling 13-7, 35-10
  mapping priorities 13-10, 35-10
dynamic addresses, displaying 9-2, 31-3
Dynamic Host Configuration Protocol See DHCP
E
edge port, STA 10-12, 10-14, 33-13
encryption
  DSA 6-12, 25-20
  RSA 6-12, 25-20
engine ID 5-7, 5-8, 24-8
event logging 4-30, 23-26
F
firmware
  displaying version 4-3, 23-8
  upgrading 4-22, 23-11
G
GARP VLAN Registration
  general prefix 4-12, 4-15, 41-8
  global unicast 4-11, 41-9
  link-local 4-11, 41-13
  manual configuration (global unicast) 2-8, 4-11, 41-9
  manual configuration (link-local) 2-8, 4-11, 41-13
  setting 2-7, 4-9, 41-1
J
jumbo frame 4-21, 23-9
K
key, user public, importing 6-12, 23-11
L
LACP
  configuration 8-8, 28-1
  local parameters 8-14, 28-7
  partner parameters 8-16, 28-7
  protocol message statistics 28-7
  protocol parameters 8-10, 28-1
Link Aggregation Control Protocol See LACP
Link Layer Discovery Protocol
  AS summary route 20-33, 42-24
  autonomous system boundary router 20-16, 42-22
  backbone 20-19, 42-27
  default external route 20-17, 42-21
  general settings 20-15, 42-18
  normal area 20-19, 42-26
  NSSA 20-19, 42-28
  redistributing external routes 20-35, 42-25
  stub 20-19, 42-27
  transit area 20-19, 42-30
  virtual link 20-29, 42-30
P
password, line 23-19
passwords 2-7
  administrator setting 6-1, 25-2
path cost 10-3, 10-12
  method 10-7, 33-6
  STA 10-3, 10-12, 33-6
port authentication 6-18, 25-26
port priority config
software
  displaying version 4-3, 23-8
  downloading 4-22, 23-11
Spanning Tree Protocol See STA
specifications, software A-1
SSH, configuring 6-8, 25-18, 25-19
STA 10-1, 33-1
  edge port 10-12, 10-14, 33-13
  global settings, configuring 10-6, 33-2–33-7
  global settings, displaying 10-3, 33-18
  interface settings 10-10, 10-19, 10-20, 33-12–33-17, 33-18
  link type 10-12, 10-14, 33-15
  path cost 10-3, 10-12, 33-12
  path cost method 10-7, 33-6
  port priority 10-12, 33-13
  protocol migration 10-15, 33-17
  transmission l
  authentication 18-4, 40-3
  configuration settings 18-2, 40-1
  group statistics 18-8, 40-6
  preemption 18-3, 18-4, 40-5
  priority 18-3, 18-4, 40-3
  protocol message statistics 18-7, 40-9
  timers 18-4, 40-4
  virtual address 18-2, 18-4, 40-2
W
web interface
  access requirements 3-1
  configuration buttons 3-3
  home page 3-2
  menu list 3-4
  panel display 3-3