Dell PowerEdge VRTX Switch Modules R1-2401 and R1-2210 User Guide
Regulatory Model: E12M
Regulatory Type: E12M001, E12M002
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data if instructions are not followed, and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2014 Dell Inc. All rights reserved.
Contents
1 Preface
2 Features
  IP Version 6 (IPv6) Support
  Head of Line Blocking Prevention
  Back Pressure Support
  Proprietary Protocol Filtering
  UDLD
  Static Routing
  IPv6 Router
3 Hardware Overview
4 Initial Configuration of the Switch
5 Using the CLI
  Using the CLI
6 Network Administrator
  Using the Network Administrator Buttons
  Field Definitions
  Common GUI Features
  GUI Terms
7 Configuring System Information
  General
  Time Synchronization
  Logs
9 Network Security
  Port Security
  ACLs
  ACL Binding
  Proprietary Protocol Filtering
  Time Range
  Dot1x Authentication
10 Ports
Dynamic Address Table
12 GARP
  Overview
  GARP Timers
13 Spanning Tree
  Overview
  Global Settings
  STP Port Settings
Private VLAN
Voice VLAN
15 Link Aggregation
  Overview
  LACP Parameters
  LAG Membership
16 Multicast Support
  Overview
MED Network Policy
MED Port Settings
Neighbors Information
18 UDLD
  Overview
  UDLD Neighbors
  UDLD Interface Settings
19 Dynamic ARP Inspection
21 Statistics/RMON
  RMON
  Charts
  Table Views
22 Quality of Service
  Overview
  General
  QoS Basic Mode
1 Preface
The VRTX Switch Modules R1-2401 and R1-2210 are modular switches that are installed in the Dell PowerEdge VRTX chassis. This guide contains the information needed for installing, configuring, and maintaining these devices through the web-based Network Administrator. In addition, it describes the subset of CLI commands that corresponds to the GUI features.
2 Features This section describes the features of the R1-2401 and R1-2210 devices. For a complete list of all updated device features, see the latest software version Release Notes at dell.com/support.
• Static Routing
• IPv6 Router
• sFlow
IP Version 6 (IPv6) Support
The device functions as an IPv6-compliant host, as well as an IPv4 host (also known as dual stack). This enables device operation in a pure IPv6 network as well as in a combined IPv4/IPv6 network. For more information, see IPv6 Addressing.
Head of Line Blocking Prevention
Head of Line (HOL) blocking results in traffic delays and frame loss caused by traffic competing for the same egress port resources.
The R1-2401 1Gb and R1-2210 10G VRTX switches enhance autonegotiation by providing port advertisement. Port advertisement enables the system administrator to configure the port speeds that are advertised. For more information, see Port Configuration or LAG Configuration.
MDI/MDIX Support
Standard wiring for end stations is known as Media-Dependent Interface (MDI), and standard wiring for hubs and switches is known as Media-Dependent Interface with Crossover (MDIX).
Automatic Aging for MAC Addresses
MAC addresses from which no traffic is received for a given period are aged out. This prevents the Bridging Table from overflowing. For more information, see Dynamic Address Table.
VLAN-Aware MAC-Based Switching
The device always performs VLAN-aware bridging. Classic bridging (IEEE 802.1D), in which frames are forwarded based only on their destination MAC address, is not performed. However, similar functionality can be configured for untagged frames.
MLD Snooping
Multicast Listener Discovery (MLD) Snooping performs the function of IGMP Snooping for IPv6. For more information, see MLD Snooping.
Port and VLAN Mirroring
Port and VLAN mirroring monitors network traffic by forwarding copies of incoming and outgoing packets from a monitored port to a monitoring port. Users specify which target port receives copies of all traffic passing through a specified source port. For more information, see Port and VLAN Mirroring.
Full 802.1Q VLAN Tagging Compliance
IEEE 802.1Q defines an architecture for virtual, bridged LANs, the services provided in VLANs, and the protocols and algorithms involved in the provision of these services. For more information, see Overview.
GVRP Support
GARP VLAN Registration Protocol (GVRP) provides IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports.
Private VLAN
The Private VLAN feature provides Layer 2 isolation between ports that share the same broadcast domain; in other words, it creates a point-to-multipoint broadcast domain. The ports can be located anywhere in the Layer 2 network. For more information, see Private VLAN.
Multicast TV VLAN
The Multicast TV VLAN feature provides the ability to supply multicast transmissions to Layer 2-isolated subscribers, without replicating the multicast transmissions for each subscriber VLAN.
IEEE 802.1w Rapid Spanning Tree
Spanning Tree takes 30–60 seconds for each host to decide whether its ports are actively forwarding traffic. Rapid Spanning Tree (RSTP) detects and uses network topologies to enable faster convergence, without creating forwarding loops. For more information, see Spanning Tree.
IEEE 802.1s Multiple Spanning Tree
Multiple Spanning Tree (MSTP) operation maps VLANs into STP instances. MSTP provides a different load balancing scenario.
A LAG is composed of ports with the same speed, set to full-duplex operation. For more information, see LAG Configuration.
Link Aggregation and LACP
LACP uses peer exchanges across links to determine, on an ongoing basis, the aggregation capability of various links, and continuously provides the maximum level of aggregation capability achievable between a given pair of devices. LACP automatically determines, configures, binds, and monitors the port binding within the system.
The switch can set DSCP values and map IPv6 DSCP to egress queues in the same way it does for IPv4. The switch detects IPv6 frames by the IPv6 ethertype. For more information about Advanced QoS, see QoS Advanced Mode.
TCP Congestion Avoidance
The TCP Congestion Avoidance feature activates an algorithm that breaks up or prevents TCP global synchronization on a congested node, where the congestion is due to multiple sources sending packets with the same byte count.
Management IP Address Conflict Notification
This feature validates the uniqueness of the switch's IP address, whether it is assigned manually or through DHCP. If the IP address is not unique, the switch performs actions according to the address type. See IP Addressing.
Configuration File Download and Upload
The device configuration is stored in a configuration file. The configuration file includes both system-wide and port-specific device configuration.
Command Line Interface
Command Line Interface (CLI) syntax and semantics conform as much as possible to common industry standards. The CLI is composed of mandatory and optional elements. The CLI interpreter provides command and keyword completion to assist users and save typing.
SYSLOG
Syslog is a protocol that enables event notifications to be sent to a set of remote servers, where they can be stored, examined, and acted upon.
(TLV) field. LLDP devices must support chassis and port ID advertisement, as well as system name, system ID, system description, and system capability advertisements. LLDP Media Endpoint Discovery (LLDP-MED) increases network flexibility by enabling various IP systems to co-exist on a single network. It provides detailed network topology information, emergency call service via IP phone location information, and troubleshooting information. For more information, see LLDP.
RADIUS Client
RADIUS is a client/server-based protocol. A RADIUS server maintains a user database that contains per-user authentication information, such as user name, password, and accounting information.
RADIUS Accounting
This feature enables recording device management sessions (Telnet, serial, and WEB but not SNMP) and/or 802.1x authentication sessions. Due to the complexity of 802.1x setup and configuration, many mistakes can be made that might cause loss of connectivity or incorrect behavior.
The switch provides the ability to demand strong passwords, meaning that they must contain both upper- and lower-case letters, numbers, and punctuation marks. For more information, see Password Management.
Access Control Lists (ACL)
Access Control Lists (ACL) enable network managers to define classification actions and rules for specific ingress ports. Packets entering an ingress port with an active ACL are either admitted or denied entry; when packets are denied, the ingress port can additionally be disabled.
ARP Inspection
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. For more information, see Dynamic ARP Inspection.
Port Profile (CLI Macro)
Macros provide a convenient way to save and share a common configuration. A macro is a set of CLI commands with a unique name.
Static Routing
Static routing enables the user to define a routing table manually. For more information, see IPv4 Routes Table (Advanced Mode).
IPv6 Router
For more information, see IPv6 Router.
3 Hardware Overview This section describes the device hardware.
Switch Layout
Figure 3-1 shows the R1-2401/R1-2210 devices within the chassis.
Figure 3-1. R1-2401/R1-2210 (callouts: Fan Trays, Blade Servers, Shared Storage, Power Supplies, R1-2401/R1-2210)
Ports
The devices have five groups of ports, numbered 0-4. Group 0 contains the external ports and groups 1-4 contain the internal ports that are connected to blade servers 1-4.
• 10G Ethernet Ports: tengigabitethernet group/port_number or te group/port_number
In addition, the switch supports an Out-of-Band (OOB) port that is connected to the management network of the chassis.
Port Types
The following ports are found on the R1-2401 switch:
• 24 x 1G Ethernet Ports.
Table 3-1. R1-2401 Port Mapping Table
Port Type and Number | Software Port Naming Convention in CLI/WEB
Internal 1G ports 13-16/server slot 4 | gi4/1 ... gi4/4
Out-of-Band port | oob
Table 3-2. R1-2210 Port Mapping Table
Port Type and Number | Software Port Naming Convention in CLI/WEB
External 10G ports 1-4/server slot 0 | te0/1 ... te0/4
External 1G ports 1-2/server slot 0 | gi0/1 ... gi0/2
Internal 10G ports 1-4/server slot 1 | te1/1 ... te1/4
Internal 10G ports 5-8/server slot 2 | te2/1 ...
Table 3-3. System LEDs on R1-2401 and R1-2210
State of Switch | Status LED | Power LED (Green) | Description
Booting | Off | On | Boot in progress.
Identify | Blue, blinking at 1 Hz | On | CMC is identifying the switch.
Table 3-4. R1-2401 External Port LEDs
LED | Color
Link | Off — No link; Solid green — Link at 1G speed; Solid amber — Link at 10/100M speed
Activity | Off — No link; Blinking green — Traffic is being received/forwarded
Table 3-5.
4 Initial Configuration of the Switch
This section describes how to initially configure the Dell VRTX 1Gb and 10Gb switch modules.
NOTE: Before proceeding further, read the latest documentation and release notes for this product, which can be downloaded from the Dell Support website at dell.com/support.
To log on to the switch after it is inserted into the chassis, perform the following:
1 Turn on the chassis.
Table 4-1 describes the major switch defaults:
Table 4-1. Major System Defaults
Feature | Defaults
SNMP | Enabled. SNMP version: V3. SNMP Local Engine ID: 0000000001. SNMP Notifications: Enabled.
Login and Authentication | Telnet authentication login is from the local user database. HTTP authentication login is from the local database. HTTPS authentication login is from the local database.
Authentication Servers | No RADIUS server is defined. No TACACS server is defined.
Default IP Address | DHCP enabled by default; if DHCP is disabled, the default IP address 192.168.2.1 over the OOB interface is used.
Default system mode (for VRTX 1Gb only) | Layer 2
NOTE: CLI and/or GUI need only be used if the default configuration is not sufficient.
The switch can be configured in the following modes from the GUI:
• Basic — Elementary network configuration for the switch.
5 Using the CLI
This section describes how to perform various configuration operations through the Command Line Interface (CLI). It includes the following topics:
• Using the CLI
• CLI Command Conventions
• Accessing the Device Through the CLI
• Retrieving an IP Address
• Security Management and Password Configuration
• Configuring Login Banners
• Startup Menu Procedures
• Software Download
Using the CLI
This section provides some general information for using the CLI.
These modes are described below.
User EXEC Mode
During CLI session initialization, the CLI is in User EXEC mode. Only a limited subset of commands is available in User EXEC mode. This level is reserved for tasks that do not change the terminal configuration and is used to access configuration sub-systems. After logging into the device, User EXEC command mode is enabled. The user-level prompt consists of the host name followed by the angle bracket (>).
The Privileged EXEC mode prompt displays as the device host name followed by #. For example:
console#
To list the Privileged EXEC commands, type a question mark at the command prompt. To return from Privileged EXEC mode to User EXEC mode, type disable and press Enter. The following example illustrates accessing Privileged EXEC mode and then returning to User EXEC mode:
console> enable
Enter Password: ******
console#
console# disable
console>
Use the exit command to return to a previous mode.
Interface Configuration Mode
The Interface Configuration mode configures the device at the physical interface level (port, VLAN, or LAG). Interface commands that require subcommands have another level, called the Subinterface Configuration mode. A password is not required to access this level. The following example places the CLI in Interface Configuration mode on port gi0/1. The sntp command is then applied to that port.
Button | Description
(key) | Any individual key on the keyboard.
Ctrl+F4 | Any combination of keys pressed simultaneously, for example Ctrl and F4.
Screen Display | Indicates system messages and prompts appearing on the console.
all | When a parameter is required to define a range of ports or parameters and all is an option, the default for the command is all when no parameters are defined.
Retrieving an IP Address By default, the switch receives its IP address dynamically via a DHCP server for the OOB port interface, although it can also be configured statically. If the DHCP server is not accessible, the OOB uses the default IP address 192.168.2.1. After a static or DHCP IP address is assigned on the OOB interface, the default IP address is removed. The in-band IP address can also be received from a DHCP server or configured statically. This IP address can be removed at any time.
3 Type the following to verify the IP address:
console# show ip interface
IP Address   I/F   I/F Status admin/oper   Type   Directed Broadcast   Precedence   Status
---------------------------------------------------------------------
0.0.0.0/32   oob   UP/DOWN   DHCP   disable   10.5.229.
NOTE: When creating a user name, the default priority is 1, which provides access but not configuration rights. A priority of 15 must be set to enable access and configuration rights to the device. Although user names can be assigned privilege level 15 without a password, it is recommended to always assign a password. If there is no specified password, privileged users can access the Web interface with any password.
NOTE: When using this option, the switch configuration will be restored to the factory default configuration.
Through the Startup Menu
To enter the switch without a password through the Startup Menu, see Password Recovery Procedure [3].
Enter the following commands once, from a terminal, Telnet, or SSH session, to enable HTTPS sessions.
NOTE: In the Web browser, enable SSL 2.0 or greater for the page content to be displayed.
console(config)# crypto certificate 1 generate key-generate
console(config)# ip http secure-server
NOTE: HTTP and HTTPS services require privilege level 15 and connect directly to the configuration-level access.
• Login Banner — Displayed after the Message-of-the-Day Banner, and before the user has logged in. The following defines a login banner for the console:
console# configure
console(config)# line console
console(config-line)# login-banner
console(config-line)# exit
console(config)# banner login * Please log in*
console# do show banner login
Banner: Login
Please log in
console(config)#
• Exec Banner — Displayed after successful login (in all privilege levels and in all authentication methods).
To enter the Startup menu:
1 On the R1-2401, log in to the CMC console CLI. On the R1-2210, connect to the external UART (console).
2 On the R1-2401, enter the command connect switch-1. This step is not necessary for the R1-2210.
3 Log in to the switch console CLI prompt.
4 Type reload and select Y to continue. The switch reloads.
5 When the prompt "Autoboot in 2 seconds - press RETURN or ESC to abort" is displayed, press RETURN or ESC. The boot menu is then displayed.
To download software through the Startup menu:
1 From the Startup menu, press [1]. The following prompt is displayed:
Downloading code using XMODEM !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2 When using HyperTerminal, click Transfer on the HyperTerminal menu bar and select Send File.
3 In the Filename field, enter the file path for the file to be downloaded.
4 Ensure that the Xmodem protocol is selected in the Protocol field.
5 Press Send. The software is downloaded.
Password Recovery Procedure [3]
The following describes how to access the switch if a user-defined password has been lost. To perform password recovery through the Startup menu, perform the following:
1 From the Startup menu, select option [3] Password Recovery and press Enter. Selecting Enter causes the request for the current password to be ignored after the boot continues.
2 Select [5] Back.
3 The boot process continues and ignores the password prompt.
4 Update the password.
On the next boot, the device decompresses and runs the image from the currently-active system image. A system image can be downloaded through a TFTP server. To download the system image from a TFTP server, ensure that an IP address is configured on the device and pings can be sent to the TFTP server. In addition, ensure that the file to be downloaded is saved on that TFTP server.
4 When the new image is downloaded, it is saved in the area allocated for the alternative copy of the system image (image-2, as shown in the example). The following is an example of the information that is displayed:
console# copy tftp://176.215.31.3/r2401-100048.ros image
Accessing file 'r2401-100048' on 176.215.31.3...
Loading r2401-100048 from 176.215.31.3: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Copy took 00:01:11 [hh:mm:ss]
Exclamation symbols indicate that a copying process is in progress.
Boot Image Download
Loading a new boot image from the TFTP server updates the boot image. The boot image is loaded when the device is powered on. A user has no control over the boot image copies. To download a boot image through the TFTP server:
1 Enter the show version command to verify which software version is currently running on the device. The following is an example of the information that is displayed:
console# show version
SW version 1.0.0.17 ( date
Boot version 1.0.0.
6 Network Administrator
This section describes how to manage the R1-2401 and R1-2210 devices using the web-based Network Administrator. It contains the following topics:
• Starting the Application
• Understanding the Interface
• Using the Network Administrator Buttons
• Field Definitions
• Common GUI Features
• GUI Terms
Starting the Application
NOTE: Before starting the application, the IP address must be defined. For more information, see Accessing the Device Through the CLI.
under a specific feature, or closed to hide the feature's components. By dragging the vertical bar to the right, the tree area can be expanded to display the full name of a component.
• Components List — Located in the bottom center of the home page, contains a list of the feature components. When a feature is expanded, the GUI page for that feature is displayed.
• Information Buttons — Located at the top of the home page, provide access to information about the device and access to Dell Support.
Device Management Icons
Table 6-2 describes the device management buttons.
Table 6-2. Device Management Icons
Button Icon | Description
Apply&Save | Saves changes to the Running and Startup Configuration files.
Help | Opens online help. The online help pages are context-sensitive. For example, if the IP Addressing page is open, the help topic for that page is displayed when Help is clicked.
Print | Prints the Network Management System page and/or table information.
Common GUI Features
Table 6-3 describes the common functions that can be performed on many GUI pages.
Table 6-3. Common GUI Elements
Button | Description
Apply | Save changes entered in the GUI page to the Running Configuration file.
Back | Go to the previous page.
Cancel | Cancel changes entered in the GUI page.
Clear All Counters | Delete counters.
Clear Counters | Delete selected counters.
Clear Log | Delete entries from the log.
Clear Statistics | Delete statistics.
GUI Terms
Each GUI page in the tree view is described in the following sections. A brief introduction is provided along with steps specifying how to enter information in the page. The following terms are used:
• Enter — Indicates that information may be entered in the field. It does not imply that the field is mandatory.
• Select — Indicates that information may be selected from a drop-down list or from radio buttons.
• Displays — Indicates that the field is display only.
7 Configuring System Information
This section describes how to set system parameters, such as security features, switch software, system time, logging parameters and more. It contains the following topics:
• General
• Time Synchronization
• Logs
• IPv4 Addressing
• IPv6 Addressing
• Domain Name
• Diagnostics
• Management Security
• SNMP
• File Management
• sFlow
General
This section describes how to view and set general switch parameters.
1 Click System > General > Asset in the tree view to display the Asset page.
2 Enter/view the parameters:
– System Name (0-159 Characters) — Enter the user-defined device name.
– System Contact (0-159 Characters) — Enter the name of the contact person.
– System Location (0-159 Characters) — Enter the location where the system is currently running.
– MAC Address — Displays the device MAC address.
– OOB MAC Address — Displays the MAC address of the Out-of-Band port.
Entering Asset Information Using the CLI Commands
The following table summarizes the CLI commands for entering fields displayed on the Asset page.
Table 7-1. Asset CLI Command
CLI Command | Description
snmp-server contact text | Configures the system contact (sysContact) name.
no snmp-server contact | Use the no form of the command to remove the system contact information.
snmp-server location text | Configures the system location string.
no snmp-server location |
This page displays the temperature of each sensor, as follows:
– Ambient 1 — Temperature surrounding the switch.
• Current Temperature (Celsius) — Current temperature around the switch.
• Target Temperature (Celsius) — Maximum temperature allowed around the switch.
– Switch Temperature Sensor (Only for R1-2401) — Temperature inside the switch.
• Current Temperature (Celsius) — Current temperature inside the switch.
– Component 4 (Only for R1-2210) — Temperature inside the PHY thermal sensor (88E1514 (U22)):
• Current Temperature (Celsius) — Current temperature inside the component.
• Target Temperature (Celsius) — Maximum temperature allowed inside the component.
Table 7-2.
The following is an example of the output of the CLI command (on the R1-2210):
console# show system sensor
Temperature Sensor Type   Current Temperature (C)   Target Temperature (C)
-----------------------   -----------------------   ----------------------
Ambient 1                 31                        70
Component 1               52                        95
Component 2               27                        90
Component 3               25                        105
Component 4               25                        105
System Routing Mode
The R1-2401 device can be in either Layer 2 mode or Layer 2+ Static Routing mode. The R1-2210 device is always in Layer 2+ Static Routing mode.
Time Synchronization The system clock runs from the moment the system starts up, and keeps track of the date and time. The date and time may be either set manually, or it may be received from an SNTP server. If an external clock source, or an SNTP time server is not defined, the manual clock setting is not persistent across boots.
Defining the Clock Source Using CLI Commands
The following table summarizes the CLI commands for setting the clock source.
Table 7-5. Clock Source CLI Command
CLI | Description
clock source sntp | Configures an external time source for the system clock.
no clock source | Use the no form of this command to disable the external time source.
show clock [detail] | Displays the time and date from the system clock and its source.
DST Start and End Times
The following is a list of DST start and end times in various countries:
• Albania — Last weekend of March until the last weekend of October.
• Australia — From the end of October until the end of March.
• Australia - Tasmania — From the beginning of October until the end of March.
• Armenia — Last weekend of March until the last weekend of October.
• Austria — Last weekend of March until the last weekend of October.
• Bahamas — From April to October, in conjunction with U.S.
• India — India does not operate Daylight Saving Time.
• Iran — From 1st Farvardin until the 1st Mehr.
• Iraq — From 1st April until 1st October.
• Ireland — Last weekend of March until the last weekend of October.
• Israel — Varies year-to-year.
• Italy — Last weekend of March until the last weekend of October.
• Japan — Japan does not operate Daylight Saving Time.
• Jordan — Last weekend of March until the last weekend of October.
• Spain — Last weekend of March until the last weekend of October.
• Sweden — Last weekend of March until the last weekend of October.
• Switzerland — Last weekend of March until the last weekend of October.
• Syria — From 31st March until 30th October.
• Taiwan — Taiwan does not operate Daylight Saving Time.
• Turkey — Last weekend of March until the last weekend of October.
• United Kingdom — Last weekend of March until the last weekend of October.
There are two types of DST possible when Other is selected. You can set a specific date in a particular year, or you can set a recurring setting, irrespective of the year. For a specific setting in a particular year, complete the Daylight Savings area; for a recurring setting, complete the Recurring area. If Other is selected, the From and To fields must be defined in either the Non-recurring or the Recurring section.
• Time — The time at which DST ends every year.
CLI Commands for Setting Manual Time
The following steps (in any order) must be completed before setting time manually:
• Set system time.
• Define the time zone in relation to GMT.
• Configure Daylight Savings Time.
The following table summarizes the CLI commands for setting fields displayed in the Manual Time Setting pages when the clock source is Local.
Table 7-6.
Table 7-6. Manual Time Setting CLI Commands (continued)
CLI | Description
clock timezone zone hours-offset [minutes offset] | Sets the time zone and names it "zone" for display purposes.
no clock timezone | Use the no form of this command to set the time to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), which is the same.
show clock | Displays the time and date from the system clock.
A sample script to set system time manually is shown below.
Table 7-7.
System Time from an SNTP Server
This section describes how to configure SNTP servers. It contains the following topics:
• Overview
• SNTP Global Settings
• SNTP Authentication
• SNTP Servers
• SNTP Interface Settings
Overview
The switch supports the Simple Network Time Protocol (SNTP), which synchronizes the switch clock to within 100 milliseconds. The implementation of SNTP is based on SNTPv4 (RFC 2030).
If Unicast polling is not enabled or if no servers are defined on the device, the device accepts time information from any SNTP server of the type that is enabled, which responds.
• Anycast — Polling for Anycast information is used when the SNTP server's IP address is not defined or it cannot be reached. If this method is enabled, time information can be received from any SNTP server on the network. The device time and date are synchronized when it proactively requests synchronization information.
• Stratum 1 — A server that is directly linked to a Stratum 0 time source is used.
• Stratum 2 — The time source is distanced from the Stratum 1 server over a network path; for example, a Stratum 2 server receives the time over a network link, via NTP, from a Stratum 1 server.
Algorithm for Selecting Designated SNTP Server
Messages received from SNTP servers are logged until there are three responding servers or the timer expires. In any event, when the third message is received, the timer expires.
Authentication

You can require that SNTP servers be authenticated, although this is not mandatory (see the SNTP Authentication pages). MD5 (Message Digest 5) Authentication safeguards device synchronization paths to SNTP servers. MD5 is an algorithm that produces a 128-bit hash value. MD5 is a variation of MD4, and increases MD4 security. MD5 both verifies the integrity of the communication and authenticates the origin of the communication.
Defining SNTP Global Settings Using CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the SNTP Global Settings pages.

Table 7-8. SNTP Global Parameters CLI Commands

CLI Command — Description
sntp client poll timer seconds — Sets the polling time for an SNTP client.
no sntp client poll timer — Use the no form of this command to restore the default configuration.
sntp broadcast client enable — Enables SNTP Broadcast clients.
no sntp broadcast client enable — Use the no form of this command to disable SNTP Broadcast clients.
2 Enable/disable SNTP Authentication. This enables/disables authenticating SNTP sessions between the device and an SNTP server.
3 Multiple keys can be defined. To add a new SNTP authentication key, click Add, and enter the fields.
– Encryption Key ID (1 - 4294967295) — Enter the number used to identify this SNTP authentication key internally.
– Authentication Key (1 - 8 Characters) — Enter the key used for authentication. The SNTP server must send this key for the switch to use its time/date information.
The following is an example of the CLI commands:
console(config)# sntp authenticate
console(config)# sntp trusted-key 8
console(config)# sntp authentication-key 8 md5 Clkkey

SNTP Servers

To add an SNTP server or display SNTP server information:
1 Click System > Time Synchronization > SNTP Servers in the tree view to display the SNTP Servers: Summary page. The following is displayed for the previously-defined servers:
– SNTP Server — IP address of server.
– Offset — The estimated offset of the server's clock, relative to the local clock, in milliseconds. The host determines the value of this offset, using the algorithm described in RFC 2030.
– Delay — The estimated round-trip delay of the server's clock, relative to the local clock over the network path between them, in milliseconds. The host determines the value of this delay, using the algorithm described in RFC 2030.
Defining SNTP Servers Settings Using CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the SNTP Server pages.

Table 7-10. SNTP Server CLI Commands

CLI Command — Description
sntp server {ip-address | hostname} [poll] [key keyid] — Configures the device to use SNTP to request and accept SNTP traffic from a server.
The following is an example of the CLI commands:
console(config)# sntp server 100.1.1.
2 To add an interface that can receive SNTP server updates, click Add.
3 Select an interface and enable/disable State to indicate that the interface can now receive/not receive SNTP server updates.

Defining SNTP Interface Settings Using CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the SNTP Interface Settings pages.

Table 7-11.
The following is an example of the CLI commands:
console# configure
console(config)# sntp client enable gi0/1
console# exit
console# configure
console(config)# interface gi0/1
console(config-if)# sntp client enable
console# show sntp configuration
SNTP port: 123.
Polling interval: 1024 seconds.
No MD5 authentication keys.
Authentication is not required for synchronization.
No trusted keys.
CLI Script for Receiving Time from an SNTP Server

The following is a sample script that configures receiving system time from an SNTP server.

Table 7-12. Manual Time Setting CLI Commands

CLI — Description
console(config)#clock source sntp — Set the source of time as an SNTP server.
console(config)#sntp client poll timer 6 — Set polling time to 6 seconds.
console(config)#sntp unicast client enable — Enable accepting time from predefined Unicast clients.
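The SNTP Authentication section above configures a trusted MD5 key (key id 8, key Clkkey) and requires servers to present it. The following added example, which is not part of the Dell guide, shows what that check looks like on the wire: the RFC 2030 header is followed by a key identifier and an MD5 digest over key || header (the NTP symmetric-key scheme), and a receiver accepts a reply only if the digest matches a key whose id is in its trusted set. The key table, trusted-id set and packets are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed to mirror the guide's CLI example:
#   sntp trusted-key 8
#   sntp authentication-key 8 md5 Clkkey
AUTH_KEYS = {8: b"Clkkey"}      # key id -> MD5 key (1-8 characters on the switch)
TRUSTED_KEY_IDS = {8}           # only these ids may authenticate a server

SNTP_HEADER_LEN = 48            # RFC 2030 header
AUTHENTICATOR_LEN = 4 + 16      # key identifier + MD5 message digest


def build_sntp_packet(mode: int, transmit_ts: int) -> bytes:
    """Minimal SNTPv4 header: LI=0, VN=4, Mode as given, Transmit Timestamp set."""
    header = bytearray(SNTP_HEADER_LEN)
    header[0] = (4 << 3) | (mode & 0x7)          # VN=4, Mode (3=client, 4=server)
    struct.pack_into("!Q", header, 40, transmit_ts)
    return bytes(header)


def authenticate(packet: bytes, key_id: int, keys=AUTH_KEYS) -> bytes:
    """Append the NTP symmetric-key authenticator: key id + MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message: bytes, keys=AUTH_KEYS, trusted=TRUSTED_KEY_IDS) -> bool:
    """Accept a reply only if it carries an authenticator made with a trusted key."""
    if len(message) != SNTP_HEADER_LEN + AUTHENTICATOR_LEN:
        return False                             # unauthenticated or malformed reply
    header = message[:SNTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[48:52])[0]
    digest = message[52:]
    if key_id not in trusted or key_id not in keys:
        return False                             # unknown key, or known but not trusted
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison
```

A server reply whose header was altered in transit, or that was signed with a key the switch has configured but not trusted, fails verify() and would not update the clock.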
Overview

System logs record events and report errors or informational messages. Some aspects of system logging can be configured, as described below. Some events are automatically logged, such as hardware problems.
Global Parameters

Use the Global Parameters page to enable/disable logging for the following logging severity levels.
• Emergency — If the device is down or not functioning properly, an emergency log message is saved to the specified logging location.
• Alert — An alert log is saved if there is a serious device malfunction, for example, all device features are down.
– Log Management Access Events — Enable/disable generating logs when the device is accessed using a management method, for example, each time the device is accessed using SSH, a device log is generated.
4 To select the destination of logging messages, according to their severity levels, check the minimum severity level that will be associated with the console log, RAM log, Log file (Flash memory) and remote SYSLOG servers.
Table 7-13. Global Log Parameters CLI Commands (continued)

CLI Command — Description
aaa logging {login} — Enables logging authentication login events.
no aaa logging {login} — Use the no form of this command to disable logging authentication login events.
Viewing and Clearing the RAM Log Table Using the CLI Commands

The following table summarizes the CLI commands for setting the size of the RAM log buffer, viewing, and clearing entries in the RAM log.

Table 7-14. RAM Log Table CLI Commands

CLI Command — Description
logging buffered [buffer-size] [severity-level | severity-level-name] — Sets the number of SYSLOG messages stored in the internal buffer (RAM).
no logging buffered — Use the no form of this command to cancel using the buffer.
Displaying the Log File Table Using the CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the Log File page.

Table 7-15. Log File Table CLI Commands

CLI Command — Description
show logging file — Displays the logging state and the SYSLOG messages stored in the logging file.
The following is an example of the CLI commands:
console# show logging file
Logging Header Sending is enabled.
Logging is enabled.
Console Logging: Level info. Console Messages: 0 Dropped.
Buffer Logging: Level info. Buffer Messages: 62 Logged, 62 Displayed, 200 Max.
File Logging: Level debug. File Messages: 11 Logged, 51 Dropped.
SysLog server 1.1.1.1 Logging: info. Messages: 0 Dropped.
To enable user history logging and view user login history:
1 Click System > Logs > Login History in the tree view to display the Login History page. The login history for the selected user or all users is displayed.
2 Enable/disable Login History to File to record login history.
3 Select a user or All from the User Name drop-down list. The login history for this user is displayed in the following fields:
• Login Time — The time the selected user logged on to the device.
The following is an example of the CLI commands:
console (config)# aaa login-history file
console# show users login-history
Login Time            Username  Protocol  Location
--------------------  --------  --------  ----------
01-Oct-2010 23:58:17  admin     HTTP      172.16.1.8
01-Oct-2010 07:59:23  admin     Telnet    172.16.0.8

Remote Log Server

Log messages can be sent to remote log servers, using the SYSLOG protocol.
– New Log Server IP Address — Enter the IP address of the remote SYSLOG server.
– UDP Port (1-65535) — Enter the UDP port to which the logs are sent for the selected server.
– Facility — Select a user-defined application from which system logs are sent to the remote server. Only a single facility can be assigned to a single server. If a second facility level is assigned, the first facility level is overridden. All applications defined for a device utilize the same facility on a server.
The following is an example of the CLI commands:
console (configure) # logging host 1.1.1.1
console# show syslog-servers
Device Configuration
-------------------------------------------------------
IP Address   Port   Description   Facility   Severity
-----------  -----  ------------  ---------  ---------
1.1.1.1      514                  local7     info
1.1.1.2      514                  local7     info
1.1.1.3      514                  local7     info
1.1.1.4      514                  local7     info

Domain Name

The Domain Name feature enables configuring the usage of site names in place of IP addresses.
To add a DNS server and specify the active DNS server:
1 Click System > Domain Name > Domain Name System in the tree view to display the Domain Name System: Summary page. The list of previously-defined DNS servers is displayed.
2 Enter the following fields:
– DNS Status — Select Enable to enable mapping of host names into IP addresses through a DNS server.
– Domain Name Query Interval (20-3600) — Enter how often DNS queries will be sent.
Configuring DNS Servers Using the CLI Commands

The following table summarizes the CLI commands for configuring the fields in the Domain Name System pages.

Table 7-18. DNS CLI Commands

CLI Command — Description
ip domain lookup — Enables DNS system for translating host names to IP addresses.
no ip domain lookup — Use the no form of this command to disable DNS-based host name-to-address translation.
To define the default domain name:
1 Click System > Domain Name > Default Domain Name to display the Default Domain Name page. If there is a currently-defined default domain name, it is displayed.
2 Enter the Default Domain Name (1 - 158 Characters). Its Type is displayed, and has one of the following options:
– Dynamic — The IP address was created dynamically.
– Static — The IP address is a static IP address.
3 For each IP address, enter the fields:
– Supported IP Format — Select whether the IPv4 or IPv6 format is supported.
– IPv6 Address Type — When the server supports IPv6, this specifies the type of static address supported. The possible options are:
• Link Local — A Link Local address that is non-routable and used for communication on the same network only.
• Global — A globally unique IPv6 address; visible and reachable from different subnets.
The following is an example of the CLI commands:
console(config)# ip host accounting.abc.com 176.10.23.1

Diagnostics

This section describes how to perform hardware tests on the device. It contains the following topics:
• Integrated Cable Test
• Optical Transceiver Diagnostics

Integrated Cable Test

NOTE: This feature is supported on the R1-2401 (all ports) and on the R1-2210 on external ports gi0/1-2.
– Cable Fault Distance — Displays the distance from the port where the cable error occurred.
– Last Update — Displays the last time the port was tested.
– Approximate Cable Length — Displays the approximate cable length.

Performing Integrated Cable Tests Using CLI Commands

The following table contains the CLI commands for performing integrated cable tests.

Table 7-21. Integrated Cable Test CLI Commands

CLI Command — Description
test cable-diagnostics tdr interface interface-id — Performs VCT tests.
The Optical Transceiver Diagnostics page displays the operating conditions reported by the SFP (Small Form-factor Pluggable) transceiver. Some information might not be available for SFPs that do not support the digital diagnostic monitoring standard SFF-8472. This test can only be performed on external 10G ports. The following GE SFP (1000Mbps) transceivers are supported:
• 1000BASE-BX-20U SFP transceiver, for single-mode fiber, 1310 nm wavelength, supports up to 40 km.
Performing Optical Transceiver Diagnostics Using CLI Commands

The following table contains the CLI commands for performing Optical Transceiver Diagnostics tests.

Table 7-22. Integrated Cable Test CLI Commands

CLI Command — Description
show fiber-ports optical-transceiver — Displays the optical transceiver diagnostics.
Management Security This section describes the pages used to manage device security.
A specific management access method may be completely disabled by denying all user access to it (e.g. denying all users access to CLI/Telnet management effectively disables CLI/Telnet as an available management interface to the system). By default, management access to the system, through all methods, is enabled over all interfaces.

NOTE: If you enable management access through a physical port, all VLANs and IP interfaces on this port will be acceptable management traffic sources.
3 To add a new profile, click Add, and enter the fields:
– Access Profile Name (1-32 Characters) — Enter a name for the access profile.
– Rule Priority (1-65535) — Enter the rule priority. Rules are applied to packets according to their priority. These can be viewed in the Profile Rules: Summary page.
– Management Method — Select the management method to which the access profile is applied. Users using this management method are authenticated using this access profile.
• Permit — Permits access to the device.
• Deny — Denies access to the device.

Defining Access Profiles Using CLI Commands

The following table contains the CLI command for defining an access profile, without its rules. The CLI commands for defining the rules are described in Defining Access Profile Rules Using CLI Commands.

Table 7-23. Access Profile CLI Commands

CLI Command — Description
management access-list name — Defines an access-list for management.
Defining Access Profile Rules Using CLI Commands

The following table summarizes the CLI commands for adding rules to access profiles.

Table 7-24. Access Profiles CLI Commands

CLI Command — Description
permit [interface-id] [service service] — Sets port permit conditions for the management access list.
permit ip-source {ipv4-address | ipv6-address/prefix-length} [mask {mask | prefix-length}] — Sets port permitting conditions for the management access list, and the selected management method.
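The following added example (not part of the Dell guide) models how a management access profile like the one above decides a connection: rules carry a priority, an action, and optional interface, service and ip-source constraints, and the first matching rule wins. It assumes, since the page does not state it, that lower priority numbers are evaluated first, that a request matching no rule of an active profile is denied, and that the service names used are illustrative; the profile itself is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

# Assumptions (not stated on the page): rules are evaluated from the lowest
# priority number upwards and the first match wins; a request that matches no
# rule of an active profile is denied; service names are illustrative.


@dataclass(frozen=True)
class Rule:
    priority: int                     # Rule Priority (1-65535)
    action: str                       # "permit" or "deny"
    interface: Optional[str] = None   # e.g. "gi0/1"; None matches any interface
    service: Optional[str] = None     # e.g. "ssh", "telnet", "http"; None matches any
    source: Optional[str] = None      # ip-source with mask/prefix-length; None = any


@dataclass(frozen=True)
class Request:
    interface: str
    service: str
    source_ip: str


def matches(rule: Rule, req: Request) -> bool:
    if rule.interface is not None and rule.interface != req.interface:
        return False
    if rule.service is not None and rule.service != req.service:
        return False
    if rule.source is not None:
        if ip_address(req.source_ip) not in ip_network(rule.source, strict=False):
            return False
    return True


def evaluate(profile: Sequence[Rule], req: Request) -> str:
    """Return 'permit' or 'deny' for one management connection attempt."""
    for rule in sorted(profile, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.action
    return "deny"                      # assumed implicit deny for an active profile


def disabled_services(profile: Sequence[Rule]) -> set:
    """Services an unconstrained deny rule blocks before any permit can match:
    the page's way of switching a management method off entirely."""
    permitted, permit_any, disabled = set(), False, set()
    for rule in sorted(profile, key=lambda r: r.priority):
        if rule.action == "permit":
            if rule.service is None:
                permit_any = True
            else:
                permitted.add(rule.service)
        elif (rule.interface is None and rule.source is None
              and rule.service is not None
              and rule.service not in permitted and not permit_any):
            disabled.add(rule.service)
    return disabled


# Constructed profile: SSH only from the management subnet on the uplink,
# Telnet switched off entirely, HTTP only from the management subnet.
MGMT_PROFILE = [
    Rule(1, "permit", interface="gi0/1", service="ssh", source="10.0.0.0/24"),
    Rule(2, "deny", service="telnet"),
    Rule(3, "permit", service="http", source="10.0.0.0/24"),
]
```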
User authentication occurs in the order that the methods are selected, for example, if both the Local and RADIUS options are selected, the user is authenticated first locally. If the local user database is empty, the user is authenticated via the RADIUS server. If an error occurs during the authentication, the next selected method is used. If an authentication method fails, or the user has an insufficient privilege level, the user is denied access to the switch.
• RADIUS — The user authentication is performed by the RADIUS server. For more information, see RADIUS.
• TACACS+ — The user authentication is performed by the TACACS+ server. For more information, see TACACS+.
• None — No user authentication occurs.
Select a method by highlighting it in the Optional Methods list, and clicking on the right arrow to move it to the Selected Methods list.
3 For Secure HTTP and HTTP types of users, select one or all of the Optional Methods and click the right-arrow to move them to the Selected Methods. The options are:
– Local — Authentication occurs locally.
– None — No authentication method is used for access.
– RADIUS — Authentication occurs at the RADIUS server.
– TACACS+ — Authentication occurs at the TACACS+ server.
Table 7-26. Select Authentication CLI Commands (continued)

CLI Command — Description
show authentication methods — Displays information about the authentication methods.
Displaying Active Users Using CLI Commands

The following table summarizes the CLI commands for viewing active users connected to the device.

Table 7-27. Active Users CLI Commands

CLI Command — Description
show users — Displays information about active users.

The following example shows an example of the CLI command:
console> show users
Username  Protocol  Location
--------  --------  ----------
Bob       Serial
John      SSH       172.16.0.1
Robert    HTTP      172.16.0.8
Betty     Telnet    172.16.1.
– Access Level — Select a user access level. The lowest user access level is 1 and 15 is the highest user access level. Users with access level 15 are Privileged Users, and only they can access and use the switch administrator.
– Password (8-64 characters) — Enter the password of the user.
– Confirm Password — Confirm the password of the user.
The following fields are displayed:
• Expiry Date — The expiration date of the user-defined password.
The following is an example of the CLI commands:
console(config)# username bob password lee privilege 15
console# set username bob active

Line Password

To add a line password for Console, Telnet, and Secure-Telnet users:
1 Click System > Management Security > Line Passwords in the tree view to display the Line Password page.
2 Enter the fields for each type of user, separately:
– Password (0 - 80 Characters) — Enter the line password for accessing the device.
The following is an example of the CLI commands:
console(config)# line console
console(config-line)# password dell

Enable Password

To set a local password that controls access to Normal and Privilege level activities:
1 Click System > Management Security > Enable Password in the tree view to display the Enable Password page.
2 Enter the fields:
– Select Enable Access Level — Select the access level to associate with the enable password.
Assigning Enable Passwords Using CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the Enable Password page.

Table 7-30. Enable Password CLI Commands

CLI Command — Description
enable password [level privilege-level] {unencrypted-password | encrypted encrypted-password} — Sets a local password to control access to user and privilege levels. Use the no form of this command to remove the password requirement.
After the password has expired, users can log in a few additional times. During the remaining logins, an additional warning message displays informing the user that the password must be changed. If the password is not changed, users are locked out of the system, and can only log in using the console. Password warnings are logged in the SYSLOG file.

NOTE: Password aging is enabled only after setting the switch to use SNTP for setting time.
Password Management Using CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the Password Management page.

Table 7-31. Password Management CLI Commands

CLI Command — Description
passwords strength-check enable — Enforces password strength checks.
no passwords strength-check enable — Use the no form of this command to disable enforcing password strength checks.
Table 7-31. Password Management CLI Commands (continued)

CLI Command — Description
passwords history hold-time days — Configures the duration that a password is relevant for tracking passwords history.
no passwords history hold-time — Use the no form of this command to return to the default configuration.
passwords lockout number — Defines the number of times a faulty password is entered before the user is locked out of the device.
no passwords lockout
TACACS+

The device can act as a Terminal Access Controller Access Control System (TACACS+) client. TACACS+ provides centralized validation of users accessing the device, while still retaining consistency with RADIUS and other authentication processes. TACACS+ provides the following services:
• Authentication — Provides authentication during login and via user names and user-defined passwords.
• Authorization — Performed at login after authentication.
NOTE: The Auto option, which is the default option for the Source IPv4 and Source IPv6 fields, causes the system to take the source IP address from the IP address defined on the outgoing interface.

3 To add a TACACS+ server, click Add, and enter the fields on the page. The fields below are those that were not described on the TACACS+: Summary page.
– Supported IP Format — Select whether the IPv4 or IPv6 format is supported for the TACACS+ server IP address.
Defining TACACS+ Settings Using CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the TACACS+ Settings pages.

Table 7-33. TACACS+ CLI Commands

CLI Command — Description
tacacs-server host {ip-address | hostname} [single-connection] [port port-number] [timeout — Configures a TACACS+ host. Use the no form of this command to delete the specified TACACS+ host.
The following is an example of the CLI commands:
console(config)# tacacs-server source-ip 172.16.8.1
console# show tacacs
Device Configuration
----------------------------
IP Address  Status         Port  Single      TimeOut  Source IP  Priority
                                 Connection
----------  -------------  ----  ----------  -------  ---------  --------
1.1.1.11    Not Connected  49    No          Global   Global     10
1.1.1.21    Not Connected  49    No          Global   Global     19
1.1.1.31    Not Connected  49    No          Global   Global     18
1.1.1.                     49    No          Global   Global     17
To add a RADIUS server:
1 Click System > Management Security > RADIUS in the tree view to display the RADIUS: Summary page. The RADIUS default parameters and previously-defined RADIUS servers are displayed.
2 Enter the default parameters to be used when these parameters are not entered for a specific server.
– Default Retries (1-10) — The default number of transmitted requests sent to RADIUS server before a failure occurs.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface. The possible options are:
• VLAN 1 — The VLAN on which the IPv6 interface is configured.
• ISATAP — The IPv6 interface is configured on an ISATAP tunnel.
– IP Address — Enter the RADIUS server IP address.
– Priority (0-65535) — Enter the priority of the RADIUS server being added. 0 is the highest value. This is used to configure the order in which servers are queried.
– Key String (0-128 Characters) — The key string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server.

Defining RADIUS Servers Using CLI Commands

The following table summarizes the CLI commands for defining fields displayed on the RADIUS pages.

Table 7-34. RADIUS Server CLI Commands
Table 7-34. RADIUS Server CLI Commands (continued)

CLI Command — Description
radius-server key [key-string] — Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS server.
no radius-server key — Use the no form of this command to restore the default configuration.
show radius-servers — Displays the RADIUS server settings.

The following is an example of CLI commands:
console(config)# radius-server host 192.168.10.
SNMP

This section describes the Simple Network Management Protocol (SNMP) for managing network devices. It contains the following topics:
• SNMP Overview
• Global Parameters
• View Settings
• Access Control
• User Security Model
• Communities
• Notification Filter
• Notification Recipients

SNMP Overview

The switch supports SNMPv1, SNMPv2 and SNMPv3.

SNMP v1 and v2

The SNMP agent maintains a list of variables that are used to manage the switch.
• Privacy — Protects against disclosure of message content. Cipher Block Chaining (CBC) is used for encryption. Either authentication alone can be enabled on an SNMP message, or both authentication and privacy can be enabled on an SNMP message. However, privacy cannot be enabled without authentication.
• Timeliness — Protects against message delay or message redundancy. The SNMP agent compares incoming messages to the message time information.
• Key Management — Defines key generation, updates, and use.
– Privacy — SNMP frames can carry encrypted data.
These mechanisms can be combined to provide three levels of security:
– No security
– Authentication
– Authentication and Privacy.
Note that for both authentication and privacy to be enabled, two groups with the same name, one with authentication and one with privacy, must be created. A group is a label for a combination of attributes that determines whether members have read, write, and/or notify privileges. Users can be associated with a group.
To configure SNMP:
1 Click System > SNMP > Global Parameters in the tree view to display the Global Parameters page. The global parameters are displayed.
2 Enter the fields:
– Local Engine ID (10-64 Hex Characters) — Check and enter the local device engine ID. The field value is a hexadecimal string. Each byte in hexadecimal character strings is two hexadecimal digits. Each byte can be separated by a period or a colon. The Engine ID must be defined before SNMPv3 is enabled.
– IP Address — Enter the IP address.
– Engine ID — Enter the remote Engine ID.

Setting SNMP Global Parameters Using CLI Commands

The following table summarizes the CLI commands for setting fields in the Global Parameters page.

Table 7-35. SNMP Global Parameters Commands

CLI Command — Description
snmp-server engineID local / no snmp-server engineID local — Specifies the local device engine ID. The field value is a hexadecimal string. Each byte in hexadecimal character strings is two hexadecimal digits.
Table 7-35. SNMP Global Parameters Commands (continued)

CLI Command — Description
show snmp — Checks the status of SNMP communications.

The following is an example of the CLI commands:
console(config)# snmp-server enable traps
console(config)# snmp-server trap authentication
console(config)# snmp-server engineid local default
The engine-id must be unique within your administrative domain.
Do you wish to continue? [Y/N]y
The SNMPv3 database will be erased.
5 To complete the definition of the view, click Edit, and select a View Name to modify. Enter the fields:
– New Object ID Subtree — Check to specify the device feature OID included or excluded in the selected SNMP view.
• Select from List — Select the device feature OID by using the Up and Down buttons to scroll through a list of all device OIDs.
• Or: Insert — Specify the device feature OID.
– View Type — Specify if the defined OID branch will be included or excluded in the selected SNMP view.
The following is an example of CLI commands:
console(config)# snmp-server view user1 1 included
console(config)# end
console# show snmp views
Name          OID Tree           Type
------------  -----------------  --------
user1         system             included
Default       iso                included
Default       snmpVacmMIB        excluded
Default       usmUser            excluded
Default       rndCommunityTable  excluded
DefaultSuper  iso                included

Access Control

For ease of use, users may be assigned to groups.
• Authentication — Authenticates SNMP messages, and ensures that the origin of the SNMP message is authenticated.
• Privacy — Encrypts SNMP message.
– Operation — Select the group access rights. The possible options are:
• Read — The management access is restricted to read-only, and changes cannot be made to the assigned SNMP view. If desired, select a view from the drop-down list.
• Write — The management access is read-write and changes can be made to the assigned SNMP view.
The following is an example of the CLI commands:
console (config)# snmp-server group user-group v3 priv read user-view
console# show snmp groups
Name   Security  Security  Views
       Model     Level     Read     Write    Notify
-----  --------  --------  -------  -------  -------
1      V1        noauth    -        -        -
2      V1        noauth    -        -        -
3      V1        noauth    -        -        -
4      V1        noauth    -        -        -
5      V1        noauth    -        -        -

User Security Model

An SNMP user is defined by the following:
• Login credentials (username, password, and authentication method)
• Contex
To create an SNMP V3 user, and assign it to a group and view:
1 Click System > SNMP > User Security Model in the tree view to display the User Security Model: Summary page. The currently-defined users and their groups are displayed.
2 To add a user, click Add, and enter the fields:
– User Name (1-30 Characters) — Enter a new user name.
– Engine ID — Specifies the local or remote SNMP entity, to which the user is connected. Changing or removing the local SNMP Engine ID deletes the SNMPv3 User Database.
Defining SNMPv3 Users Using CLI Commands

The following table summarizes the CLI commands for defining fields displayed in the User Security Model pages.

Table 7-38. SNMP Users CLI Commands

CLI Command — Description
snmp-server user username groupname {v1 | v2c | [remote host] v3 [auth {md5 | sha} auth-password [priv priv-password]]} — Configures a new SNMP V3 user. Use the no form of the command to remove a user.
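The User Security Model section states that changing or removing the local Engine ID deletes the SNMPv3 user database, and the engineid command warns that the database will be erased. The reason is key localization: the auth and priv passwords above are never stored as such; RFC 3414 derives a key from the password and then binds it to the engine ID. The following added example (not Dell's code) implements that derivation for the md5 and sha options and checks it against the test vectors published in RFC 3414 appendix A.3, then shows that a different engine ID yields a different localized key, which is why the old user entries cannot survive the change.

```python
import hashlib

# Engine ID used by the RFC 3414 A.3 test vectors (12 bytes, last byte 0x02).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def parse_engine_id(text: str) -> bytes:
    """Accept the GUI's hex forms: bytes run together or separated by '.' or ':'."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated to exactly 1,048,576 bytes (Ku).
    hash_name is 'md5' or 'sha1' (the switch's 'sha' option)."""
    h = hashlib.new(hash_name)
    total = 1024 * 1024
    reps, rem = divmod(total, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku). This is the value the agent stores."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize(password_to_key(password.encode(), hash_name), engine_id, hash_name)


def user_db_survives_engine_change(password: str, old_engine: bytes,
                                   new_engine: bytes) -> bool:
    """False whenever the engine ID changes: every stored Kul no longer matches
    what a manager will derive, so the switch erases the SNMPv3 user database."""
    return localized_key(password, old_engine) == localized_key(password, new_engine)
```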
2 To add a new community, click Add.
3 Define the SNMP management station by entering its IP address information:
– Supported IP Format — Select whether the IPv4 or IPv6 format is being used.
– IPv6 Address Type — When the community supports IPv6, this specifies the type of static address supported. The possible options are:
• Link Local — A Link Local address that is non-routable and used for communication on the same network only.
• SNMP Admin — User has access to all device configuration options, as well as permissions to modify the community.
– View Name — Select a view from a list of user-defined SNMP views. The view determines other characteristics associated with the community.
5 To use Advanced mode, enter the fields:
– Advanced — When SNMP Advanced mode is selected, you can select an SNMP group to specify the SNMP access control rules for the selected community. The SNMP Advanced mode is defined only with SNMPv3.
The following is an example of the CLI commands:
console (config)# snmp-server community dell ro 10.1.1.1

Notification Filter

Notification filters determine the type of SNMP notifications that are sent to the management station, based on the OID of the notification to be sent. Each OID is linked to a device feature or a feature aspect.
or:
• Object ID — Specify the device feature OID.
– Filter Type — Select whether the defined OID branch will be Included or Excluded in the selected SNMP view.

Configuring Notification Filters Using CLI Commands

The following table summarizes CLI commands for defining fields displayed in the Notification Filter pages.

Table 7-40. SNMP Notification Filter CLI Commands

CLI Command — Description
snmp-server filter filter-name oid-tree {included | excluded} — Creates or updates an SNMP notification filter.
Trap receivers, also known as notification recipients, are network nodes to which trap messages are sent by the switch. A trap receiver entry contains the IP address of the node and the SNMP credentials corresponding to the version that will be included in the trap message. When an event arises that requires a trap message to be sent, it is sent to every node listed in the trap receiver list. Some messages are of an informational nature and are called "informs" instead of traps.
If SNMP versions 1 and 2 are enabled for the selected recipient, enter the fields:
– Community String — The community string of the trap manager.
– Notification Version — The message trap SNMP version (v1 or v2).
If SNMPv3 is used to send and receive traps, enter the fields:
– User Name — The user to whom SNMP notifications are sent.
– Security Level — The means by which the packet is authenticated. The possible options are:
• No Authentication — The packet is neither authenticated nor encrypted.
Configuring SNMP Notification Recipients Using CLI Commands

The following table summarizes the CLI commands for setting fields in the Notification Recipients pages.

Table 7-41.
File Management

This section describes how to manage device firmware (image files) and configuration files. It contains the following topics:
• File Management Overview
• Auto-Update/Configuration Feature
• File Download
• File Upload
• Active Images
• Copy Files
• File System

File Management Overview

This section describes the system files found in the system and how they can be updated (downloaded) and backed up (uploaded).
Update/Configuration Feature for more information about how to perform this automatically.
• Image Files — Files with extension .ros. System file images are saved in two flash files called Image 1 and Image 2. The active image contains the active copy, while the other image contains a backup copy. The device boots and runs from the active image. If the active image is corrupted, the system automatically boots from the non-active image.
Auto-Update/Configuration also enables quick installation of new devices on the network, since an out-of-box device can be configured to retrieve its configuration file from the network, allowing instant access to it from the administrator's management station and up-to-date configuration on the device.
Preparations for Using Auto Configuration from a TFTP Server

The Auto-Update/Configuration feature enables configuring the device from a configuration file found on the TFTP server. Two methods may be used:
• One-file Read, described in Auto Configuration (One File Read Method). This method is used if a configuration file is found on the TFTP server.
• Multi-file Read, described in Auto Configuration (Multi File Read Method).
Auto Configuration (Multi File Read Method)
If the one-file method has failed and the TFTP Server IP address has been provided by the DHCP Server, the switch applies the multi-file method to download the configuration file. The following steps are performed by the switch:
• The switch gets the hostname, as described below.
– If the hostname was provided by the DHCP server, this hostname is used.
Using DHCP and TFTP servers requires the following preparations:
• TFTP Server
– Create a sub directory in the main directory. Place a software image file in it.
– Create an indirect file that contains a path and the name of the software version (for example indirect-VRTX.txt that contains VRTX\VRTX-version.ros).
– Copy this file to the TFTP server’s main directory.
• DHCP Server
– Configure the DHCP server with option -20 or 66. This is the IP address of the TFTP server.
1 Click System > File Management > Auto Update of Configuration/Image File in the tree view to display the Auto Update of Configuration/Image File page. The auto-update-configuration options are displayed.
2 Modify the auto-update configuration parameters as required:
– Configuration Auto-Config (boot host auto-config) — Enable/disable automatic download of the configuration parameters to the Running Configuration file. By default, this occurs only if the Startup Configuration file is empty.
Table 7-42. Auto Update of Configuration/Image File CLI Commands (continued)
CLI Command — Description
boot host dhcp — Forces the mechanism used to download a configuration file at the next system startup.
no boot host dhcp — Use the no form of this command to restore the host configuration file to the default.
boot host auto-save — Enables automatic saving of the Running configuration in the Startup configuration after download.
no boot host auto-save — Use the no form of this command to disable automatic saving.
The following is an example of the CLI command to configure auto-update on the switch:
console# configure
console(config)# boot host auto-save
console(config)# interface vlan 1
console(config-if)# ip address dhcp
console(config-if)# 01-Oct-2006 15:19:51 %BOOTP_DHCP_CL-WDHCPIPCANDIDATE: The device is waiting for IP address verification on interface Vlan 1 , IP 10.5.225.47, mask 255.255.255.224, DHCP server 10.5.224.
To download when the management computer uses HTTP:
1 Click System > File Management > File Download in the tree view to display the File Download page.
2 For HTTP, enter the IP Format fields for the HTTP server IP address.
– Supported IP Format — Select whether IPv4 or IPv6 format is supported.
– IPv6 Address Type — When the server supports IPv6, this specifies the type of static address supported.
• Boot Code — Downloads the Boot file.
6 If the Configuration Download option was selected, enter the following:
– Source File Name (1-64 Characters) — Enter the source file name.
– Destination File Name — Select the destination file to which the configuration file is downloaded. The possible options are:
• Running Configuration — Check to download commands into the Running Configuration file. The current file is overwritten.
3 Select a Firmware/Configuration option. The possible options are:
– Firmware Download — A firmware file is downloaded.
– Configuration Download — A configuration file is downloaded.
4 Select Download via TFTP to download firmware or a configuration file via a TFTP server in Download Protocol.
5 If the Firmware Download option was selected, enter the following:
– Server IP Address — The TFTP server IP address from which the configuration files are downloaded.
Downloading Files Using CLI Commands
The following table summarizes the CLI commands for setting fields displayed in the File Download page.
Table 7-43. File Download CLI Commands
CLI Command — Description
copy source-url destination-url — Copies files from a source to a destination.
The following is an example of the CLI command:
console# copy tftp://10.6.6.64/pp.txt startup-config ....
• Global — A globally unique IPv6 address; visible and reachable from different subnets.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface. The possible options are:
• VLAN1 — The VLAN on which the IPv6 interface is configured.
• ISATAP — The IPv6 interface is configured on an ISATAP tunnel.
To upload a configuration file using HTTP:
3 Select Upload via HTTP to upload a configuration file.
– Destination File Name (1-64 Characters) — The configuration file name/path to which the file is uploaded.
– Transfer File Name — The configuration file that is uploaded. The possible options are:
• Running Configuration — Uploads the Running Configuration file.
• Startup Configuration — Uploads the Startup Configuration file.
10 Click Activate to start the upload process.
To select the image file to be used after reset:
1 Click System > File Management > Active Images in the tree view to display the Active Images page. The following fields are displayed:
– Active Image — The version of the image file that is currently active on the device.
– After Reset — Select one of the possible versions of the image to be active after reset.
2 Click Apply to select the image file to be used after reset in After Reset.
• Copy a configuration file to the Running Configuration file. It is important to be aware that copying a file to the Running Configuration file actually executes these commands, so some of the configuration commands might fail (for example when trying to create a VLAN that is already defined on the system).
• Restore configuration factory defaults.
To copy files or restore factory defaults:
1 Click System > File Management > Copy Files in the tree view to display the Copy Files page.
Table 7-46. Copy Files CLI Commands (continued)
CLI Command — Description
delete url — Deletes a file from the FLASH memory device.
The following is an example of the CLI commands:
console# delete startup-config
Delete startup-config [y/n]? y
console# 01-Oct-2006 16:10:51 %FILE-I-DELETE: File Delete - file URL flash://startup-config
console# copy running-config startup-config
Overwrite file [startup-config] ?[Yes/press any key for no]....
– Modified — The date the file was last modified.
– Permission — The permission type assigned to the file.
2 To rename a file, click its Rename button. Change the File Name.
Managing Files Using CLI Commands
The following table summarizes the CLI command for viewing system files.
Table 7-47.
sFlow
This section describes sFlow monitoring of traffic.
NOTE: This feature is only supported on the R1-2210.
It contains the following topics:
• Overview
• sFlow Receiver Settings
• sFlow Interface Settings
• sFlow Statistics
Overview
The sFlow feature enables collecting statistics using the sFlow sampling technology, based on sFlow V5. This sampling technology is embedded within switches and routers.
Workflow
By default, flow and counter sampling are disabled. To enable sFlow sampling:
1 Set the IP address of a receiver (also known as a collector) for sFlow statistics. Use the sFlow Receivers Settings page for this.
2 Enable flow and/or counter sampling, direct the samples to a receiving interface, and configure the average sampling rate. Use the sFlow Interface Settings pages for this.
3 View and clear the sFlow statistics counters. Use the sFlow Statistics page for this.
– IP Address — Enter the receiver’s IP address.
4 Enter the fields:
– UDP Port — Port to which SYSLOG messages are sent.
– Maximum Datagram Size (Bytes) — Maximum number of bytes that can be sent to the receiver in a single sample datagram (frame).
Adding an sFlow Receiver Using the CLI Commands
The following table summarizes the CLI commands for adding an sFlow receiver.
Table 7-48.
The following is an example of the CLI commands:
console(config)# sflow receiver 2 1.1.1.1 port 6343
console# show sflow configuration
Receivers
Index  IP Address           Port     Max Datagram Size
-----  -------------------- -------- -----------------
1      0.0.0.0              6343     1400
2      172.16.1.2           6343     1400
3      0.0.0.0              6343     1400
4      0.0.0.0              6343     1400
5      0.0.0.0              6343     1400
6      0.0.0.0              6343     1400
7      0.0.0.0              6343     1400
8      0.0.0.
– Flow Sampling — Enable/disable flow sampling. Flow sampling cannot be disabled if Counters Sampling is disabled.
– Flow Sampling Average Sampling Rate (1024–1073741823) — If x is entered, a flow sample will be taken for each x frames.
– Flow Sampling Receiver Index — Select one of the indices that was defined in the sFlow Receivers Settings pages.
– Flow Sampling Maximum Header Size (20–256) — Maximum number of bytes that should be copied from a sampled packet.
The following is an example of the CLI commands:
console(config)# interface te1/1
console(config-if)# sflow flow-sampling 1024 1
sFlow Statistics
To view sFlow statistics:
1 Click System > sFlow > sFlow Statistics in the tree view to display the sFlow Statistics page. The following sFlow statistics per interface are displayed:
– Interface — Port for which the sample was collected.
– Packets Sampled — Number of packets sampled.
– Datagrams Sent to Receiver — Number of sFlow sampling packets sent.
Configuring System Information
8 IP Addressing
This section describes how to configure IP addressing on the switch. It contains the following topics:
• Overview
• IPv4 Addressing
• IPv6 Addressing
Overview
The device functions as an IPv6-compliant host, as well as an IPv4 host (also known as dual stack). This enables device operation in a pure-IPv6 network, as well as in a combined IPv4/IPv6 network.
Difference Between IPv4 and IPv6 Addressing
The primary difference between IPv4 and IPv6 is the length of network addresses.
An intermediary transition mechanism is required for IPv6-only nodes to communicate with IPv6 nodes over an IPv4 infrastructure. The tunneling mechanism implemented is the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). This protocol treats the IPv4 network as a virtual IPv6 link, with each IPv4 address mapped to a Link Local IPv6 address.
Dynamic Assignment Dynamic assignment of an IPv4 address can be configured in the IPv4 Interface page. It can also be performed using CMC management by requesting dynamic assignment of an IP address from the CMC management. NOTE: When a static address is removed from the OOB port, the DHCP client is enabled on this port. The user cannot delete IP DHCP configuration from the OOB port without defining a new static address.
If multiple default gateways are assigned, only one active default gateway is used. The active default gateway is selected according to the following criteria:
• A static default gateway is preferred (not a dynamic default gateway).
• If multiple static default gateways are assigned, the static default gateway on the OOB interface is selected.
• If multiple dynamic default gateways are assigned, the DHCP default gateway assigned on the OOB interface is selected.
The following is a sample script to define IPv4 global parameters using CLI:
Table 8-2. Sample CLI Script to Enable IPv4 Routing
CLI Command — Description
console(config)# ip routing — Enables IPv4 routing.
IPv4 Interface
You can assign IPv4 addresses to an interface in the following ways:
• Static Assignment
• DHCP Assignment
When the interface is configured as a DHCP client, it requests an IP address from the DHCP server, until it receives an answer.
1 Click System > IPv4 Addressing > IPv4 Interface in the tree view to display the IPv4 Interface: Summary page. The previously-assigned IP addresses are displayed along with the following field:
– Type — Displays the type of IPv4 interface:
• Static — Defined manually.
• DHCP — Received from DHCP server.
2 To change the interface IP address, click Edit, and enter the fields:
– Interface — Select the interface on which IPv4 routing is enabled.
Table 8-3. IPv4 Interface Parameters CLI Commands (continued)
CLI Command — Description
show ip interface [interface-id] — Displays the usability status of interfaces configured for IP.
ip address dhcp — Acquires an IP address from a DHCP server.
no ip address dhcp — Use the no form of this command to release an acquired IP address.
The following are sample procedures to configure a static IPv4 address on an interface using CLI and then to remove it:
Table 8-4.
Table 8-5. Sample CLI Script to Configure IPv4 Statically on a Port
CLI Command — Description
console(config-if)# ip address 10.5.225.40 /27 — Configure an IP address with prefix length of 27.
console(config-if)# ip default-gateway 10.5.225.33 — Set the address of the default gateway.
console(config-if)# no ip address — Remove the address (if required).
Table 8-6. Sample CLI Script to Configure IPv4 Dynamically on a VLAN
CLI Command — Description
console# config — Enter Global Configuration mode.
Table 8-7. Sample CLI Script to Configure IPv4 Dynamically on a Port
CLI Command — Description
console(config-if)# no ip address dhcp — Remove the address (if required).
IPv4 Routes Table (Advanced Mode)
NOTE: This feature is only applicable for Layer 2 + Static Routing mode for all devices.
IPv4 static routes can be configured for IP addresses that are not on directly connected networks. These are defined in the IPv4 Routing Table pages.
– Route Type — The possible options are:
• Reject — Rejects the route and stops routing to the destination network via all gateways. This ensures that if a frame arrives with the destination IP of this route, it is dropped.
• Remote — The route is a remote path.
– Route Owner — Displays one of the following:
• Connected — Directly-connected route.
• Static — Manually-added route.
• DHCP — DHCP-supplied route.
– Metric (1-255) — Cost of the destination.
2 Click Add and enter the required fields (that are described above).
Adding an Entry to the IPv4 Routing Table Using CLI Commands
The following table summarizes the CLI commands for adding an entry to the IPv4 Routing table.
Table 8-8. IPv4 Static Routing CLI Commands for R1-2210 and R1-2401 in Layer 2 + Static Routing Mode
CLI Command — Description
ip route prefix {mask|prefix-length} ip-address-next-hop [metric distance] [reject-route] — Configures static routes.
Table 8-9. IPv4 Static Routing CLI Commands for R1-2401 in Layer 2
CLI Command — Description
renew dhcp interface-id [force-autoconfig] — Configures acquiring an IP address for an Ethernet interface from the DHCP server. Use the no form of this command to return to entering the IP address manually.
ip default-gateway ip-address — Defines a default gateway.
no ip default-gateway — Use the no form of this command to restore the default gateway.
show ip interface — Displays the current IPv4 interfaces.
Configuring Two IP Networks on Two Different VLANs Using CLI
The following shows how to configure two IP networks on two different VLANs using CLI:
Table 8-10. Sample CLI Script to Configure Two IP Networks on Two Different VLANs
CLI Command — Description
console# config — Enter Global Configuration mode.
console(config)# vlan database — Enter VLAN mode.
console(config-vlan)# vlan 100-150 — Create VLANs number 100 to 150.
console(config-vlan)# exit — Exit VLAN mode.
Figure 8-1. IP Routing Setup (diagram: switch with VLAN 100, PC 1.1.1.1, and VLAN 150, PC 2.1.1.1)
IPv4 Default Metric for Default Routes for Layer 2 + Static Routing
An IPv4 default route can be assigned on in-band interfaces statically or by a DHCP server. The following behavior is supported:
• The default metric for static assignment is 1
• The default metric for DHCP assignment is 253
The maximum metric value is 255.
NOTE: The same metric values are used for an IP default gateway on an OOB interface.
To configure ARP and add an IP/MAC address mapping:
1 Click System > IPv4 Addressing > ARP in the tree view to display the ARP: Summary page. The entries in the table are displayed.
2 Enter the parameters:
• ARP Entry Age Out (1 - 40000000) — Enter the amount of time in seconds that can pass between ARP requests for this address. After this period, the entry is deleted from the table.
• Clear ARP Table Entries — Select the type of ARP entries that are cleared on all devices.
Configuring ARP Using the CLI Commands
The following table summarizes the CLI commands for setting fields displayed in the ARP pages.
Table 8-11. ARP CLI Commands
CLI Command — Description
arp ip_addr mac_addr [interface-id] — Adds a permanent entry in the ARP cache.
no arp ip-address — Removes an ARP entry from the ARP Table.
arp timeout seconds — Configures how long an entry remains in the ARP cache.
The following is an example of the CLI commands:
console(config)# arp 198.133.219.232 00-00-0c-40-0f-bc
console(config)# arp timeout 12000
console(config)# exit
console# show arp
ARP timeout: 12000 Seconds
Interface  IP Address   HW Address          Status
---------  ----------   ----------          ------
gi0/11     10.7.1.102   00:10:B5:04:DB:4B   dynamic
gi0/12     10.7.1.135   00:50:22:00:2A:A4   static
UDP Relay
Switches do not typically route IP Broadcast packets between IP subnets.
• NetBIOS Name Server (port 137)
• NetBIOS Datagram Server (port 138)
• TACACS Server (port 49)
• Time Service (port 37)
If Default Services are not selected, check the text box and enter a UDP port.
– Destination IP Address — Enter the IP address that receives the UDP packet relays. If this field is 0.0.0.0, UDP packets are discarded. If this field is 255.255.255.255, UDP packets are flooded to all IP interfaces.
IPv6 Addressing
This section describes the following sections:
• IPv6 Global Parameters
• IPv6 Interface
• IPv6 Routes Table
• IPv6 Default Gateway
• ISATAP Tunnel
• IPv6 Neighbors
• IPv6 Router
IPv6 Global Parameters
To define IPv6 global parameters: Click System > IPv6 Addressing > IPv6 Global Parameters. Enter values for the following fields:
• IPv6 Routing (for R1-2210) — Select to enable IPv6 routing.
• IPv6 Hop Limit (for R1-2210) — Enter the maximum number of intermediate routers a packet can pass through on its way to the final destination. Each time a packet is forwarded to another router, the hop limit is reduced. When the hop limit becomes zero, the packet is discarded. This prevents packets from being transferred endlessly.
• IPv6 Link Local Default Zone Interface (for R1-2210) — Select an interface to egress a link local packet without a specified interface or with the default zone 0.
The following is a sample script to define IPv6 global parameters using CLI:
Table 8-14. Sample CLI Script to Set IPv6 Global Parameters
CLI Command — Description
console(config)# ip routing — Enables IPv6 routing.
console(config)# ipv6 hop-limit 15 — Configures the maximum number of hops used in all IPv6 packets that are originated by the router to 15.
console(config)# ipv6 icmp error-interval 50 20 — Configures the interval and bucket size for IPv6 ICMP error messages to 50 and 20, respectively.
– DAD Status — New addresses remain in a Tentative status while duplicate address detection is performed. After it is performed successfully, the DAD status is Active.
2 Enter the following fields to modify these parameters on a currently-defined IPv6 interface:
– Interface — Select a non-tunnel IPv6 interface to be configured.
– Removed — Select to disable IPv6 support on this interface.
– Stateless—Select to enable the interface to receive configuration information from a DHCP server. – Minimum Information Refresh Time (600-4294967294) —This value is used to put a floor on the refresh time value. If the server sends a refresh time option that is less than this value, this value is used instead. Select either Infinite (no refresh unless the server sends this option) or User Defined to set a value.
– Prefix Length — For global Unicast or Anycast, enter the length of the IPv6 prefix. The length is a decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). The Prefix field is applicable only on a static IPv6 address defined as a Global IPv6 address. – EUI-64 — For global Unicast or Anycast, check to use the EUI-64 option.
Table 8-15. IPv6 Interfaces CLI Commands (continued)
CLI Command — Description
ipv6 address ipv6-address/prefix-length [eui-64] [anycast] — Configures an IPv6 address for an interface.
no ipv6 address [ipv6-address/prefix-length] [link-local] [eui-64] — Use the no form of this command to remove the address from the interface.
ipv6 address [ipv6-address link-local] — Configures an IPv6 link-local address for an interface.
The following is a sample script to configure IPv6 using CLI:
Table 8-16. Sample CLI Script to Configure IPv6 on a Port
CLI Command — Description
console# config — Enter Global Configuration mode.
console(config)# interface vlan 1 — Enter VLAN mode for VLAN 1.
console(config-if)# ipv6 enable — Enable IPv6 (dynamic).
console(config-if)# ipv6 address 5::1/64 — Set the IPv6 address (static).
console(config-if)# ipv6 redirect — Enables the sending of IPv6 ICMP redirect messages.
– Prefix Length — The length of the IPv6 prefix. This field is applicable only when the destination address is defined as a global IPv6 address. – Interface — The interface that is used to forward the packet. Interface refers to any Port, LAG or VLAN. – Next Hop — The address to which the packet is forwarded on the route to the Destination address (typically the address of a neighboring router). This can be either a Link Local or Global IPv6 address.
The following is an example of the CLI commands:
console> show ipv6 route
Codes: L - Local, S - Static, I - ICMP, ND - Router Advertisement
The number in the brackets is the metric.
To configure a router:
1 Click System > IPv6 Addressing > IPv6 Default Gateway in the tree view to display the IPv6 Default Gateway: Summary page. The previously-defined routers are displayed with the following fields:
– Default Gateway IPv6 Address — The router’s address.
– Interface — The interface on which the router is accessed.
– Type — The means by which the default gateway was configured. The possible options are:
• Static — The default gateway is user-defined.
– Metric (for R1-2210) — Cost of this hop.
2 To add an IPv6 default gateway, click Add, and enter the fields:
– IPv6 Address Type — Displays that the IP address was added to the interface through a link local address.
– Link Local Interface — Displays the outgoing interface through which the default gateway can be reached.
– Default Gateway IPv6 Address — Enter the Link Local IPv6 address of the default gateway.
– Metric (for R1-2210) — Enter the cost of this hop.
The following are examples of these CLI commands:
console(config)# ipv6 default-gateway fe80::abcd
console(config-if)# do show ipv6 route
Codes: L - Local, S - Static, I - ICMP, ND - Router Advertisement
The number in the brackets is the metric.
When defining tunneling, note the following:
• An IPv6 Link Local address is assigned to the ISATAP interface. The initial IP address is assigned to the interface, and the interface state becomes Active.
• If an ISATAP interface is active, the ISATAP router IPv4 address is resolved via DNS by using ISATAP-to-IPv4 mapping. If the ISATAP DNS record is not resolved, the ISATAP host name-to-address mapping is searched in the host name cache.
Defining ISATAP Tunnel Parameters Using CLI Commands
The following table summarizes the CLI commands for setting fields displayed in the ISATAP Tunnel pages.
Table 8-19. ISATAP Tunnel CLI Commands
CLI Command — Description
interface tunnel number — Enters tunnel interface configuration mode.
tunnel mode ipv6ip {isatap} — Configures an IPv6 transition mechanism global support mode.
no tunnel mode ipv6ip — Use the no form of this command to remove an IPv6 transition mechanism.
The following is an example of a CLI script to create a tunnel:
Table 8-20. ISATAP Tunnel CLI Script
CLI Command — Description
console# config — Enter Global Configuration mode.
console(config)# interface vlan 1 — Enter Interface mode for VLAN 1.
console(config-if)# ip address 10.5.225.40 /27 — Configure an IP address with prefix length of 27.
console(config-if)# ip default-gateway 10.5.225.33 — Set the address of the default gateway and exit Interface mode.
To add an IPv6 neighbor:
1 Click System > IPv6 Addressing > IPv6 Neighbors in the tree view to display the IPv6 Neighbors: Summary page. The following fields are displayed for previously-defined neighbors:
– Interface — Interface connected to the neighbor.
– IPv6 Address — IPv6 address of the neighbor.
– MAC Address — MAC address of the neighbor.
– Type — Neighbor discovery cache information entry type (static or dynamic).
3 To add a new IPv6 neighbor, click Add, and enter the fields:
– IPv6 Interface — Displays the interface on which the IPv6 address is defined.
– IPv6 Address — Enter the neighbor IPv6 address.
– MAC Address — Enter the MAC address assigned to the interface.
4 To modify or remove an IPv6 neighbor, click Edit, and enter the fields described on the Add page.
The following is an example of the CLI commands:
console# config
console(config)# ipv6 neighbor 3000::a31b vlan 1 001b.3f9c.84ea
console# show ipv6 neighbors dynamic
Interface  IPv6 Address  HW Address       State      Router
---------  ------------  ----------       -----      ------
VLAN 1     3000::a31b    0001b.3f9c.84ea  Reachable  Yes
IPv6 Router
NOTE: This feature is supported in R1-2210 only.
This section describes how to configure the device as an IPv6 router.
Associating a preference with a router is useful when, for example, two routers on a link provide equivalent, but not equal-cost, routing, and policy may dictate that hosts should prefer one of the routers. – Include Advertisement Interval Option—Select to indicate that an advertisement option will be used by the system. This option indicates to a visiting mobile node the interval at which that node may expect to receive router advertisements.
– Minimum Router Advertisement Interval (3-1350) — Enter the minimum amount of time that can pass between router advertisements (User Defined) or select Use Default to use the system default. The minimum RA interval may never be more than 75% of the maximum RA interval and never less than 3 seconds.
– Router Advertisement Lifetime (0-65535) — Enter the remaining length of time, in seconds, that this router will continue to be useful as a default router.
Table 8-22. Router Advertisements CLI Commands (continued)
CLI Command — Description
ipv6 nd managed-config-flag — Sets the “managed address configuration flag” in IPv6 router advertisements.
no ipv6 nd managed-config-flag — Use the no form to clear the flag.
ipv6 nd ns-interval milliseconds — Configures the interval between IPv6 neighbor solicitation retransmissions on an interface.
no ipv6 nd ns-interval — Use the no form of this command to return to the default value.
Table 8-22. Router Advertisements CLI Commands (continued)
CLI Command — Description
ipv6 nd router-preference {high | medium | low} — Configures a default router preference (DRP) for the router on a specific interface.
no ipv6 nd router-preference — Use the no form to return to the default value.
• Prefix Address — The IPv6 network. This argument must be in the form documented in RFC 4293 where the address is specified in hexadecimal, using 16-bit values between colons.
• Prefix-Length — The length of the IPv6 prefix. A decimal value
• Prefix Advertisement — Select to advertise this prefix.
• Valid Lifetime (1 - 4294967295) — Remaining length of time, in seconds, that this prefix will continue to be valid, i.e., time until invalidation.
• No Onlink — Configures the specified prefix as not onlink. A no
• Offlink — Configures the specified prefix as offlink. The prefix will be advertised with the L-bit clear. The prefix will not be inserted into the routing table as a connected prefix. If the prefix is already present in the routing table as a connected prefix (for example, because the prefix was also configured by adding an IPv6 address), it will be removed.
IP Addressing
9 Network Security
This section describes the various mechanisms for providing security on the switch. It contains the following topics:
• Port Security
• ACLs
• ACL Binding
• Proprietary Protocol Filtering
• Time Range
• Dot1x Authentication
Port Security
Network security can be enhanced by limiting access on a port to users with specific MAC addresses. The MAC addresses can be dynamically learned, or they can be statically configured.
– Discarded with a trap
– The port is shutdown
Locked port security enables storing a list of MAC addresses in the configuration file. The MAC addresses are restored when the device is reset. Disabled ports can be activated from the Port Configuration page.
To configure port security:
1 Click Switching > Network Security > Port Security to display the Port Security: Summary page. Security parameters are displayed for all ports or LAGs, depending on the selected interface type.
• Forward — Forward the packets from an unknown source, without learning the MAC address.
• Shutdown — Discard the packet from any unlearned source, and shut down the port. Ports remain shutdown until they are reactivated, or the device is reset.
– Trap — Enable/disable traps being sent when a packet is received on a locked port.
– Trap Frequency (1-1000000) — Enter the amount of time (in seconds) between traps.
Table 9-1. Port Security CLI Commands (continued)
CLI Command — Description
port security [forward|discard|discard-shutdown] [trap seconds] — Configures port security on an interface.
no port security — Use the no form of this command to disable port security.
show ports security [interface-id | detailed] — Displays lock status of specified interface or of all interfaces.
ACL Overview
Access Control Lists (ACLs) enable network managers to define classification actions and rules for specific ingress or egress ports. Packets entering an ingress or egress port with an active ACL are either admitted or denied entry. If entry is denied, the ingress or egress port may be disabled. For example, a network administrator defines an ACL rule stating that port number 20 can receive TCP packets; if a UDP packet is received on that port, the packet is dropped.
Configuring MAC-Based ACLs Using CLI Commands
The following table summarizes the CLI commands for configuring MAC-based ACLs.
Table 9-2. MAC Based ACL CLI Commands
CLI Command — Description
mac access-list extended acl-name — Defines an ACL and places the device in MAC-extended ACL configuration mode.
no mac access-list extended acl-name — Use the no form of this command to remove the ACL.
show interfaces access-lists [interface-id] — Displays access lists applied on interfaces.
ignored. A wildcard of 00:00:00:00:00:00 means the bits must be matched exactly; ff:ff:ff:ff:ff:ff means the bits are irrelevant. Any combination of 0s and ffs can be used.
– Any — Check to indicate that the source address is not matched.
– Dest. MAC Address — Match the destination MAC address of the packet against this address.
Configuring MAC-Based ACEs Using CLI Commands
The following table summarizes the CLI commands for configuring MAC-based ACEs.
Table 9-3. MAC Based ACE CLI Commands
CLI Command — Description
permit {any | source source-wildcard} {any | destination destination-wildcard} [eth-type 0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] — Sets permit conditions for a MAC access list (in MAC ACL configuration mode).
Configuring IP-based ACLs Using CLI Commands
The following table summarizes the CLI commands for configuring IP-based ACLs.
Table 9-4. IP-Based ACL CLI Commands
CLI Command — Description
ip access-list extended acl-name — Defines an IPv4 access list and places the device in IPv4 access list configuration mode.
no ip access-list extended acl-name — Use the no form of this command to remove the access list.
• IPinIP — IP in IP. Encapsulates IP packets to create tunnels between two routers. This ensures that the IPIP tunnel appears as a single interface, rather than several separate interfaces. IPIP enables tunneling intranets over the Internet, and provides an alternative to source routing.
• TCP — Transmission Control Protocol (TCP). Enables two hosts to communicate and exchange data streams.
• OSPF — The Open Shortest Path First (OSPF) protocol is a link-state, hierarchical interior gateway protocol (IGP) for network routing.
• L2TP — Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs).
• IPIP — IP over IP (IPinIP). Encapsulates IP packets to create tunnels between two routers. This ensures that the IPIP tunnel appears as a single interface, rather than several separate interfaces.
– Dest. IP Address — Enter the destination IP address to which the destination address in the packet is compared. • Wildcard Mask — In addition to the destination IP address, you can enter a mask that specifies which bits in the destination address are used for matching and which bits are ignored. A wildcard of 0.0.0.0 means the bits must match the destination IP address exactly; 255.255.255.255 means the bits are irrelevant. Any combination of 0 and 255 octets can be used.
• Match IP Precedence (0-7) — Check to match the packet's IP precedence value. IP precedence can be used to mark frames that exceed the CIR threshold; in a congested network, frames with a higher drop precedence (DP) value are discarded before frames with a lower DP value. If this field is checked, enter the value to be matched. – Time Range Name — Check to associate a time range with the ACE, then select one of the time ranges defined in the Time Range page.
Configuring IP-based ACEs Using CLI Commands The following table summarizes the CLI commands for configuring IP-based ACEs. Table 9-5. IP-Based ACE CLI Commands CLI Command Description permit protocol {any | source source-wildcard} {any | destination destination-wildcard} [dscp number | precedence number] [time-range time-range-name] Sets conditions to allow a packet to pass a named IP access list (in access list configuration mode).
Table 9-5. IP-Based ACE CLI Commands (continued) CLI Command Description deny protocol {any | source source-wildcard} {any | destination destination-wildcard} [dscp number | precedence number] [time-range time-range-name] Sets deny conditions for an IPv4 access list (in access list configuration mode).
The following is an example of some of the CLI commands:
console(config)# ip access-list extended server
console(config-ip-al)# permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.0
IPv6-Based ACLs The IPv6 Based ACL page displays and enables the creation of IPv6 ACLs, which check pure IPv6-based traffic. IPv6 ACLs do not check IPv6-over-IPv4 or ARP packets. To define IPv6-based ACLs: 1 Click Switching > Network Security > IPv6 Based ACL to display the IPv6 Based ACL: Summary page.
IPv6-Based ACEs To add a rule to an IPv6-based ACL: 1 Click Switching > Network Security > IPv6 Based ACE to display the IPv6 ACE: Summary page. The currently-defined rules for the selected ACL are displayed. 2 To add a rule click Add ACE. 3 Select a user-defined ACL for which a rule is being created. 4 Enter the following fields: – New Rule Priority — Enter the ACE priority that determines which ACE is matched to a packet, based on a first match.
– ICMP — Specifies an ICMP message type for filtering ICMP packets. This field is available only when ICMP is selected in the Protocol field. The following options are available: • Select from List — Select an ICMP type from the list. • ICMP Type — Enter the ICMP type. • Any — Check to use all ICMP types. – ICMP Code — Specifies an ICMP message code for filtering ICMP packets that are filtered by ICMP message type or ICMP message code.
– Action — The ACL forwarding action. The following options are available: • Permit — Forwards packets that meet the ACL criteria. • Deny — Drops packets that meet the ACL criteria. • Shutdown — Drops packets that meet the ACL criteria, and disables the port on which the packet was received. – Logging of Dropped Packets — Check to activate logging of dropped packets. Configuring IPv6-based ACEs Using CLI Commands The following table summarizes the CLI commands for configuring IPv6-based ACEs.
Table 9-7. IPv6-Based ACE CLI Commands (continued) CLI Command Description deny protocol {any | source-prefix/length} {any | destination-prefix/length} [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input] Sets deny conditions for an IPv6 access list (in Access List Configuration mode).
The following is an example of some of the CLI commands:
console(config)# ipv6 access-list server
console(config-ipv6-al)# permit tcp 3001::2/64 any any 80
ACL Binding When an ACL is bound to an interface, all the rules that have been defined for the ACL are applied to that interface. Whenever an ACL is assigned on a port or LAG, flows on that ingress or egress interface that do not match any rule in the ACL are matched by the default rule, which is to drop unmatched packets.
Configuring ACL Bindings Using CLI Commands The following table summarizes the CLI commands for configuring ACL bindings. Table 9-8. ACL Bindings CLI Commands CLI Command Description service-acl input acl-name1 [acl-name2] default-action [deny-any | permit-any] Controls access to an interface. no service-acl input Use the no form of the command to remove access control. show access-lists [acl-name] Displays access control lists (ACLs) configured on the switch.
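The wildcard, first-match and default-drop rules described above are easy to get wrong when writing ACEs by hand. The following is an added example, not code from this guide or from the switch firmware, that models those rules in Python so a rule set can be checked offline before it is bound to a port. It uses the guide's own two example ACEs (permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.0 and permit tcp 3001::2/64 any any 80); the packets, the ACE field names and the dictionary layout are constructed for the example and are not switch data structures.

```python
"""Offline model of the ACL matching semantics described in this chapter.

Added example, not code from the Dell guide or the switch firmware. It models
only what the text states: a wildcard bit of 0 means "must match" and a bit of
1 (0xff / 255) means "ignore"; ACEs are tried in priority order and the first
match wins; an ACL bound to an interface drops traffic that matches no ACE
unless default-action permit-any is configured. ACL names and packets below
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 or colon-separated MAC to an integer."""
    if "." in addr:
        return int(ipaddress.IPv4Address(addr))
    return int(addr.replace(":", ""), 16)


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """True when every bit that is clear in the wildcard agrees between value and pattern."""
    care = ~_to_int(wildcard)
    return (_to_int(value) & care) == (_to_int(pattern) & care)


@dataclass
class Ace:
    priority: int                      # lower number is checked first
    action: str                        # "permit", "deny" or "shutdown"
    protocol: str = "ip"               # "ip" matches any protocol
    src: str = "any"                   # address, "any", or an IPv6 prefix/length
    src_wild: Optional[str] = None     # IPv4 wildcard mask, unused for IPv6
    dst: str = "any"
    dst_wild: Optional[str] = None
    dst_port: Optional[int] = None     # TCP/UDP destination port, None = any


def _addr_matches(pkt_addr: str, pattern: str, wildcard: Optional[str]) -> bool:
    if pattern == "any":
        return True
    if "/" in pattern:  # IPv6 prefix/length form, e.g. 3001::2/64
        return ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(pattern, strict=False)
    return wildcard_match(pkt_addr, pattern, wildcard or "0.0.0.0")


def ace_matches(ace: Ace, pkt: Dict) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt["proto"]:
        return False
    if not _addr_matches(pkt["src"], ace.src, ace.src_wild):
        return False
    if not _addr_matches(pkt["dst"], ace.dst, ace.dst_wild):
        return False
    return ace.dst_port is None or pkt.get("dport") == ace.dst_port


def evaluate(acl: List[Ace], pkt: Dict, default_action: str = "deny") -> str:
    """First matching ACE in priority order decides; otherwise the bound ACL's default applies."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.action
    return default_action


# The guide's IPv4 example: permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.0
SERVER_ACL = [Ace(10, "permit", "ip", "1.1.1.0", "0.0.0.255", "1.1.2.0", "0.0.0.0")]
# The guide's IPv6 example: permit tcp 3001::2/64 any any 80
SERVER6_ACL = [Ace(10, "permit", "tcp", "3001::2/64", None, "any", None, dst_port=80)]

# Constructed test traffic (not from the guide).
PACKETS = {
    "v4_exact_dst": {"proto": "tcp", "src": "1.1.1.77", "dst": "1.1.2.0", "dport": 22},
    "v4_other_dst": {"proto": "tcp", "src": "1.1.1.77", "dst": "1.1.2.5", "dport": 22},
    "v6_http": {"proto": "tcp", "src": "3001::abcd", "dst": "2001:db8::1", "dport": 80},
    "v6_ssh": {"proto": "tcp", "src": "3001::abcd", "dst": "2001:db8::1", "dport": 22},
}


def demo(default_action: str = "deny") -> Dict[str, str]:
    """Run every constructed packet through the ACL that applies to its address family."""
    return {
        name: evaluate(SERVER_ACL if name.startswith("v4") else SERVER6_ACL, pkt, default_action)
        for name, pkt in PACKETS.items()
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

Running the model shows the point worth checking before binding: the destination wildcard 0.0.0.0 in the guide's IPv4 example pins the rule to the single address 1.1.2.0, so traffic to 1.1.2.5 falls through to the default rule and is dropped once the ACL is bound with the default deny-any; a whole /24 needs a wildcard of 0.0.0.255. The IPv6 rule permits only TCP port 80 from 3001::/64, and everything else on that interface is dropped for the same reason.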
4 Move the required protocols from the Available Protocols list to the Filtered Protocols list. The following table lists the protocols and the addresses that are blocked:
Table 9-9. Protocol Filtering
Protocol    Destination Address              Protocol Type
blockcdp    0100.0ccc.cccc                   0x2000
blockvtp    0100.0ccc.cccc                   0x2003
blockdtp    0100.0ccc.cccc                   0x2004
blockudld   0100.0ccc.cccc                   0x0111
blockpagp   0100.0ccc.cccc                   0x0104
blocksstp   0100.0ccc.cccd                   -
blockall    0100.0ccc.ccc0 - 0100.0ccc.      -
The following is an example of some of the CLI commands:
console(config-if)# service-acl input blockcdp blockvtp
Time Range Time ranges can be defined and associated with commands, such as QoS ACLs, so that the command is applied only during that time range. There are two types of time ranges: • Absolute — This type of time range begins on a specific date or immediately and ends on a specific date or extends infinitely. It is created in the Time Range pages. A recurring element can be added to it.
3 Enter the name of the time range in the Time Range Name field. 4 Define the Absolute Start time. – To begin the Time Range immediately, click Immediate. – To determine at what time in the future the Time Range will begin, enter values in the Date and Time fields. 5 Define the Absolute End time. – To indicate that the Time Range should not end, click Infinite. – To determine the time at which the Time Range ends, enter values in the Date and Time fields.
Configuring Time Ranges Using CLI Commands The following table summarizes the CLI commands for configuring time ranges. Table 9-11. Time Range CLI Commands CLI Command Description time-range time-range-name Enables time-range configuration mode, and defines time ranges for functions (such as access lists). no time-range time-range-name Use the no form of this command to remove the time range configuration. absolute start hh:mm day month year Adds start and end times to the time range.
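A time range attached to an ACE silently switches that ACE on and off, so it is worth being able to answer "is this rule active right now?" without logging in to the switch. The following is an added example, not code from this guide or the switch, that models the commands in the table above in Python: an absolute start/end (Immediate or Infinite when omitted) combined with recurring periodic entries in the guide's "periodic <day> hh:mm to <day> hh:mm" form. It is built around the http-allowed values used in the CLI example that follows the table. Two details are assumptions of the model rather than statements of the guide: the end minute is treated as exclusive, and a periodic entry spanning two days (monday 8:00 to friday 20:00) is treated as one continuous window including the nights in between.

```python
"""Evaluate whether a time range like the guide's http-allowed example is active.

Added example, not code from the Dell guide. It models the two range types the
text describes: an absolute start/end (Immediate / Infinite when omitted) and
recurring "periodic <day> hh:mm to <day> hh:mm" entries that must also be
satisfied. Assumptions: the end minute is exclusive, and a multi-day periodic
entry is one continuous window.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
MINUTES_PER_DAY = 24 * 60


def _minute_of_week(day: str, hhmm: str) -> int:
    hours, minutes = (int(x) for x in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"bad time {hhmm!r}")
    return DAYS.index(day.lower()) * MINUTES_PER_DAY + hours * 60 + minutes


def parse_periodic(spec: str) -> Tuple[int, int]:
    """'monday 8:00 to friday 20:00' -> (start, end) as minutes into the week."""
    words = spec.lower().split()
    if len(words) != 5 or words[2] != "to":
        raise ValueError(f"expected '<day> hh:mm to <day> hh:mm', got {spec!r}")
    return _minute_of_week(words[0], words[1]), _minute_of_week(words[3], words[4])


@dataclass
class TimeRange:
    name: str
    absolute_start: Optional[datetime] = None   # None = Immediate
    absolute_end: Optional[datetime] = None     # None = Infinite
    periodic: List[Tuple[int, int]] = field(default_factory=list)


def _in_periodic(window: Tuple[int, int], now: int) -> bool:
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end          # window wraps past Sunday midnight


def is_active(tr: TimeRange, when: datetime) -> bool:
    """True when the absolute window contains `when` and, if any are defined, a periodic entry does too."""
    if tr.absolute_start is not None and when < tr.absolute_start:
        return False
    if tr.absolute_end is not None and when >= tr.absolute_end:
        return False
    if not tr.periodic:
        return True
    now = when.weekday() * MINUTES_PER_DAY + when.hour * 60 + when.minute
    return any(_in_periodic(w, now) for w in tr.periodic)


# The guide's example, rebuilt from its CLI commands:
#   time-range http-allowed
#   absolute start 12:00 1 jan 2005 end 12:00 31 dec 2005
#   periodic monday 8:00 to friday 20:00
HTTP_ALLOWED = TimeRange(
    "http-allowed",
    absolute_start=datetime(2005, 1, 1, 12, 0),
    absolute_end=datetime(2005, 12, 31, 12, 0),
    periodic=[parse_periodic("monday 8:00 to friday 20:00")],
)


def demo() -> dict:
    """Probe the example range at a few constructed instants."""
    probes = {
        "wed_business_hours": datetime(2005, 3, 2, 10, 0),     # Wednesday
        "fri_after_close": datetime(2005, 3, 4, 21, 0),        # Friday 21:00
        "saturday": datetime(2005, 3, 5, 10, 0),
        "before_absolute_start": datetime(2004, 12, 29, 10, 0),
    }
    return {name: is_active(HTTP_ALLOWED, t) for name, t in probes.items()}


if __name__ == "__main__":
    for name, active in demo().items():
        print(f"{name:22s} {'active' if active else 'inactive'}")
```

Under the continuous-window assumption the example range is also active at 03:00 on a Tuesday; if the intent was "08:00 to 20:00 on each weekday", one periodic entry per day is needed. Confirm the switch's own interpretation of multi-day entries before relying on a time-limited ACE for access control.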
The following is an example of some of the CLI commands:
console(config)# time-range http-allowed
console(config-time-range)# absolute start 12:00 1 jan 2005 end 12:00 31 dec 2005
console(config-time-range)# periodic monday 8:00 to friday 20:00
Dot1x Authentication This section describes Dot1x authentication.
Port-based authentication creates two access states: • Controlled Access — Permits communication between the supplicant and the system, if the supplicant is authorized. • Uncontrolled Access — Permits uncontrolled communication, regardless of the port authorization state. The device supports Port Based Authentication via RADIUS servers. Dot1x Overview Dot1x is an IEEE standard for port-based network access control.
• Multi-Session Dot1x—Every device (supplicant) connecting to a port must be authenticated and authorized by the switch (authenticator), separately in a different Dot1x session. This is the only mode that supports Dynamic VLAN Assignment (DVA). Dynamic VLAN Assignment (DVA) Dynamic VLAN Assignment (DVA) is also referred to as RADIUS VLAN Assignment in this guide.
• MAC-based — The switch can be configured to use this method to authenticate and authorize devices that do not support Dot1x. The switch emulates the supplicant role on behalf of the non-Dot1x-capable devices, and uses the MAC address of the devices as the username and password, when communicating with the RADIUS servers. MAC addresses for username and password must be entered in lower case and with no delimiting characters (for example: aaccbb55ccff).
• It is automatically available only to unauthorized devices, or to ports of devices that are connected and Guest VLAN enabled. • If a port is Guest-VLAN-enabled, the switch automatically adds the port as an untagged member of the Guest VLAN when the port is not authorized, and removes the port from the Guest VLAN when the first supplicant of the port is authorized. • The Guest VLAN cannot be used as both the Voice VLAN and an unauthenticated VLAN.
– Guest VLAN — Enable/disable the use of a Guest VLAN for unauthorized ports. If a Guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it is removed from the Guest VLAN. – VLAN List — Select the Guest VLAN from the VLAN list.
The following is an example of the CLI commands:
console(config)# aaa authentication dot1x default none
console(config)# interface vlan 5
console# show dot1x 802.
• Unauthorized — Denies the selected interface system access by moving the interface into unauthorized state. The device cannot provide authentication services to the client through the interface. – Current Interface Control — Displays the current port authorization state. – Authentication Type — Select the type of authentication on the port. The possible options are: • 802.1x Only — 802.1X authentication is the only authentication method performed on the port.
• Authenticated ports remain unauthenticated VLAN and Guest VLAN members. Static VLAN configuration is not applied to the port. • The following list of VLANs cannot participate in DVA: an Unauthenticated VLAN, a Dynamic VLAN that was created by GVRP, a Voice VLAN, a Default VLAN and a Guest VLAN. • Delete the supplicant VLAN while the supplicant is logged in.
– Max EAP Requests (1-10) — Enter the maximum number of EAP requests that can be sent. If a response is not received within the defined period (supplicant timeout), the authentication process is restarted. Enabling Port-Based Authentication on Interfaces Using the CLI Commands The following table summarizes the CLI commands for enabling port-based authentication as displayed in the Port Based Authentication Global page. Table 9-13. Port-Based Authentication Interface CLI Commands
Table 9-13. Port-Based Authentication Interface CLI Commands (continued) CLI Command Description dot1x re-authentication Enables periodic re-authentication of the client. no dot1x re-authentication Use the no form of this command to return to the default setting. dot1x timeout re-auth-period seconds Sets the number of seconds between re-authentication attempts. no dot1x timeout re-auth-period Use the no form of this command to restore the default configuration.
Table 9-13. Port-Based Authentication Interface CLI Commands (continued) CLI Command Description show dot1x advanced [interface interface-id | detailed] Displays 802.1X advanced features for the switch or specified interface. show dot1x users [username username] Displays 802.1X users for the device. dot1x guest-vlan enable Enables using a guest VLAN for unauthorized ports. no dot1x guest-vlan enable Use the no form of this command to restore the default configuration.
Host Authentication Use the Host Authentication page to define the authentication mode on the port, and the action to perform if a violation is detected. To view ports and their authentication information: 1 Click Switching > Network Security > Dot1x Authentication > Host Authentication to display the Host Authentication: Summary page. A list of the ports and their authentication modes is displayed.
• Multiple Host — Multiple hosts can be attached to a single 802.1x-enabled port. Only the first host must be authorized; after that the port is open to every host attached to it, so any device sharing the port rides on that one authentication. If the host authentication fails, or an EAPOL-logoff message is received, all attached clients are denied access to the network. • Multiple Session — A number of specific authorized hosts may access the port. Each host is treated as if it was the first and only user and must be authenticated separately.
Table 9-14. Host Authentication CLI Commands (continued) CLI Command Description dot1x traps mac-authentication success Enables sending traps when a MAC address is successfully authenticated by 802.1X MAC-based authentication. no dot1x traps mac-authentication success Use the no form of this command to disable the traps. dot1x violation-mode {restrict | protect | shutdown} Sets the action taken when a violation is detected on the port. no dot1x violation-mode Use the no form of this command to restore the default configuration.
– Session Time — Amount of time (in seconds) that the supplicant has been logged on the port. – Authentication Method — Method by which the last session was authenticated. The options are: • None — No authentication is applied; the supplicant is automatically authorized. • RADIUS — Supplicant was authenticated by a RADIUS server. • MAC — Supplicant was authenticated by MAC-based authentication. – MAC Address — MAC address of the user who attempted to be authenticated. – VLAN — VLAN assigned to the user.
The following is an example of the CLI commands:
console# show dot1x users
Port   User  Session      Auth    MAC             VLAN  Filter
       Name  Time         Method  Address
------ ----- ------------ ------- --------------- ----- ------
gi0/1  Bob   1d 03:08:58  Remote  0008.3b79.8787  3
gi0/1  Tim   03:08:58     Remote  0008.3b79.
10 Ports This section describes how to configure port functionality.
The device supports 802.3x flow control for ports configured to Full Duplex mode. By default, this feature is enabled on all ports, and it can be disabled per port. The device supports back pressure for ports configured to Half Duplex mode. By default, this feature is disabled, and it can be enabled per port. The back-pressure mechanism prevents the sender from transmitting additional traffic temporarily. The receiver may occupy a link so it becomes unavailable for additional traffic.
irrelevant. The standard wiring for end stations is known as MDI (Media Dependent Interface), and the standard wiring for hubs and switches is known as MDIX. Flow Control The device supports 802.3x flow control for ports configured to Full Duplex mode. By default, this feature is enabled on all ports, and it can be disabled per port. Flow control creates a lossless link with no packet loss.
Table 10-1. Port Default Settings (continued) Function Default Setting Port tagging No tagging Flow Control On Back Pressure Off Jumbo Frames Jumbo frames are frames of up to 10 KB in size. If jumbo frames are not enabled, the system supports a packet size of up to 1,632 bytes. To enable jumbo frames: 1 Click Switching > Ports > Jumbo Frames in the tree view to display the Jumbo Frames page. The current jumbo frames setting is displayed.
Green Ethernet Configuration Green Ethernet is a name of a set of features that are designed to reduce the power consumption of a device, and so make it environmentally friendly. The Green Ethernet feature reduces overall power usage in the following ways: • Energy Efficient Ethernet — When using EEE, systems on both sides of the link can disable portions of their functionality and save power during periods of low link utilization.
• Link Short-Reach Energy Saving Mode — Globally enable/disable Short Reach mode. • Energy Detect Mode — Globally enable/disable the Energy Detect mode. • Current Power Consumption — Displays the current power consumption. • Power Savings — Displays the percentage of power saved by running in Green Ethernet mode. 4 Click LLDP Interface Details. 5 The following is displayed for each port on the device: – Port — Port number. • Energy Efficient Ethernet.
Table 10-3. Green Ethernet CLI Commands (continued) CLI Command Description green-ethernet short-reach force Forces short-reach mode on an interface. no green-ethernet short-reach force Use the no form of this command to return to the default. green-ethernet short-reach threshold cable-length Set the maximum cable length for applying short-reach mode. no green-ethernet short-reach threshold Use the no form of this command to return to the default.
The following types of ports can be defined: • Protected Port — Can send traffic only to uplink ports. • Community Port — A protected port that is associated with a community. It can send traffic to other protected ports in the same community and to uplink ports. • Uplink Port — An uplink port is an unprotected port that can send traffic to any port. • Isolated Port — A protected port that does not belong to a community.
• Community — Select the community to which to add the port, or define the port as Isolated. Configuring Protected Ports Using CLI Commands The following table summarizes the CLI commands for configuring protected ports. Table 10-4. Protected Ports CLI Commands CLI Command Description switchport protected-port Isolates Unicast, Multicast, and Broadcast traffic on a port at Layer 2 from other protected ports on the same switch.
Port Profile Port profiles provide a convenient way to save and share a port configuration. When a port profile, which is a set of CLI commands having a unique name, is applied to a port, the CLI commands contained within the profile (macro) are executed and added to the Running Configuration file. Port profiles can be applied to a specific interface, a range of interfaces, or globally.
4 Select an interface and an Assigned Profile. The Profile Description is displayed. 5 Each profile requires entering various elements of VLAN information. Enter the fields according to the profile: – VLAN Port Mode — Displays the port mode applied to ports in the profile. – VLAN ID-Untagged (1-4094) — Enter the VLAN for untagged traffic. – VLAN ID-Tagged (1-4095) — Enter the VLAN for tagged traffic. – Native VLAN ID (1-4094) — Enter the VLAN ID used for untagged traffic on trunk ports, or check None.
Spanning Tree fields: – Point-to-Point Admin Status — Sets whether the port is treated as a point-to-point link by spanning tree. The possible options are: • Enable — The port is treated as a point-to-point link, that is, a full-duplex link to a single neighbor bridge, which allows rapid spanning tree to move the port to the forwarding state without the usual timer delays.
Configuring Port Profile Using CLI Commands The following table summarizes the CLI commands for configuring port profiles. Table 10-5. Port Profiles CLI Commands CLI Command Description macro {apply|trace} macro-name [parameter-name1 {value}] [parameter-name2 {value}] [parameter-name3 {value}] Applies a macro to an interface or traces a macro configuration on an interface.
The following is a script that creates a global macro.
Table 10-6. Create a Global Macro Script
CLI Command — Description
console# config — Enter global configuration mode.
console(config)# macro name interswitch — Create a macro called interswitch. The switch prompts: Enter macro commands one per line. End with the character '@'.
vlan database
vlan 40-50
@ — Enter the commands in the macro, which create VLANs 40 through 50, and end the macro with '@'.
console(config)# do show parser macro name interswitch — Display the macro.
Table 10-7. Create an Interface Macro Script (continued) CLI Command Description console(config)# macro global apply access_port Apply the macro to ports 1-24. Port Configuration If port configuration is modified while the port is a LAG member, the configuration change is only effective after the port is removed from the LAG. To configure a port: 1 Click Switching > Ports > Port Configuration in the tree view to display the Port Configuration: Summary page.
• Disable — Port is currently disabled, and is not receiving or transmitting traffic. – Admin Speed — Select the configured rate for the port. The port type determines the available speed setting options. You can designate Administrative Speed only when port auto-negotiation is disabled. – Current Port Speed — Displays the actual synchronized port speed (bps). – Admin Duplex — Select the port duplex mode (this is only possible if Auto Negotiation is not enabled).
• 100 Full — The port advertises a speed of 100 Mbps and full duplex mode. • 1000 Full — The port advertises a speed of 1000 Mbps and full duplex mode. – Current Advertisement — Displays the speed that the port advertises to its neighbor port to start the negotiation process. The possible field values are those specified in the Admin Advertisement field. – Neighbor Advertisement — Displays the neighboring port's advertisement settings.
Configuring Ports Using CLI Commands The following table summarizes the CLI commands for configuring ports as displayed in the Port Configuration pages. Table 10-8. Port Configuration CLI Commands CLI Command Description eee enable Enables the EEE mode globally. no eee enable Use the no format of the command to disable the mode. eee lldp enable Enables EEE support by LLDP on an Ethernet port. no eee lldp enable Use the no format of the command to disable the support.
Table 10-8. Port Configuration CLI Commands (continued) CLI Command Description back-pressure Enables Back Pressure on a given interface. no back-pressure Use the no form of this command to disable back pressure. flowcontrol {auto|on|off} Configures the flow control on a given interface. no flowcontrol Use the no form of this command to disable flow control. mdix {on|auto} Enables automatic crossover on a given interface or Port-channel. no mdix Use the no form of this command to disable automatic crossover.
The following is an example of the CLI commands:
console(config)# interface gi2/1
console(config-if)# description "RD SW#3"
console(config-if)# shutdown
console(config-if)# no shutdown
console(config-if)# speed 100
console(config-if)# duplex full
console(config-if)# negotiation
console(config-if)# back-pressure
console(config-if)# flowcontrol on
console(config-if)# mdix auto
console(config-if)# end
console# show interfaces configuration gi2/1
Port     Type         Duplex  Speed  Flow
-------- ------------ ------- -----
gi2/1
• LACP — Link Aggregation Control Protocol. LACP-enabled LAGs can exchange information with other links in order to update and maintain LAG configurations automatically. – Description (0 - 64 Characters) — Enter a user-defined description of the configured LAG. – LAG Type — Displays the port types that comprise the LAG. – Admin Status — Enable/disable the selected LAG. – Current Status — Displays whether the LAG is currently operating.
– Current Advertisement — Displays the speed that the LAG advertises to its neighbor LAG to start the negotiation process. The possible field values are those specified in the Admin Advertisement field. – Neighbor Advertisement — Displays the neighboring LAG advertisement settings. The field values are identical to the Admin Advertisement field values. – Admin Flow Control — Enable/disable flow control on the LAG. Flow Control mode is effective on the ports operating in Full Duplex in the LAG.
Table 10-9. LAG Configuration CLI Commands (continued) CLI Command Description speed {10|100|1000} Configures the speed of the LAG when not using auto negotiation. no speed Use the no form of this command to restore the default configuration. negotiation [capability [capability2…capability5]] Enables auto negotiation operation for the speed and duplex parameters of a LAG. no negotiation Use the no form of this command to disable auto-negotiation.
The following is an example of the CLI commands:
console(config)# interface port-channel 1
console(config-if)# no negotiation
console(config-if)# speed 100
console(config-if)# flowcontrol on
console(config-if)# exit
console(config)# interface port-channel 2
console(config-if)# shutdown
console(config-if)# exit
console(config)# end
console# show interfaces port-channel
Channel   Ports
--------- ---------
ch1       Inactive: gi0/(1-3)
ch2       Active: gi0/4
Storm Control When Broadcast, Multicast, or Unknown Un
3 Select a port from the Port drop-down list and enter the following fields: – Broadcast Control — Enable/disable forwarding Broadcast packets on the specific interface. – Broadcast Mode — Select the counting mode. The possible options are: • Multicast & Broadcast — Counts Broadcast and Multicast traffic together towards the bandwidth threshold. • Broadcast Only — Counts only Broadcast traffic towards the bandwidth threshold.
The following is an example of the CLI commands:
console(config)# interface gi0/1
console(config-if)# storm-control broadcast enable
console(config-if)# storm-control include-multicast unknown-unicast
console# show storm-control gi0/1
Port     State     Rate [Kbits/Sec]  Included
-------- --------  ----------------  ---------------------
gi0/1    Disabled  8500              Broadcast
Port and VLAN Mirroring Switches usually only forward frames to relevant ports.
Destination Port Restrictions The following restrictions apply to destination ports: • Destination ports cannot be configured as source ports. • Destination ports cannot be a member of a LAG. • IP interfaces cannot be configured on the destination port. • GVRP cannot be enabled on the destination port. • The destination port cannot be a member of a VLAN. • Only one destination port can be defined.
Port and VLAN Mirroring To specify source and destination interfaces for port mirroring: 1 Click Switching > Ports > Port and VLAN Mirroring in the tree view to display the Port Mirroring: Summary page. The previously-defined source interfaces for the selected Destination Interface are displayed, along with the fields defined in the Add page and their status. – Status — Indicates if the port is currently being monitored (Active) or not being monitored (notReady), because of some problem.
11 Address Tables This section describes how MAC addresses are handled on the device. It contains the following topics: • Overview • Static Address Table • Dynamic Address Table Overview MAC addresses, associated with ports, are stored in the Static Address or the Dynamic Address tables. Packets, addressed to a destination stored in one of these tables, are forwarded to the associated port. MAC addresses are dynamically learned when packets arrive at the device.
2 To add a static address, click Add. 3 Enter the following fields: • Interface — Select a port or LAG for the entry. • MAC Address — Enter the MAC address for the entry. • VLAN ID — Check and select the VLAN ID for the port. or • VLAN Name — Check and enter the VLAN name. • Status — Select how the entry in the table will be treated. The possible options are: • Permanent — The MAC address is never aged out of the table and, if it is saved to the Startup Configuration, it is retained after rebooting.
Table 11-1. Static Address CLI Commands (continued) CLI Command Description show mac address-table [dynamic|static|secure] [vlan vlan] [interface interface-id] [address mac-address] Displays entries in the MAC address table.
2 Enter Address Aging (10-630). The actual aging time is a value between the user-configured value and twice that value minus 1. For example, if you entered 300 seconds, the aging time is between 300 and 599 seconds. 3 To clear the table, check Clear Table. 4 To display a subset of the addresses in a particular order, enter the query criteria and sort key under Query By, and click Query.
12 GARP This section describes how to configure Generic Attribute Registration Protocol (GARP) on the device. It contains the following topics: • Overview • GARP Timers Overview Generic Attribute Registration Protocol (GARP) is a general-purpose protocol that registers network connectivity or membership-style information. GARP defines a set of devices interested in a given network attribute, such as VLAN or Multicast address.
GARP Timers To enable a GARP timer on an interface: 1 Click Switching > GARP > GARP Timers in the tree view to open the GARP Timers: Summary page. The GARP timers are displayed. 2 Click Edit. 3 Select an interface, and enter the fields: – GARP Join Timer (10 - 2147483640) — Enter the time, in milliseconds, during which Protocol Data Units (PDU) are transmitted. – GARP Leave Timer (10 - 2147483640) — Enter the time interval, in milliseconds, which the device waits before leaving its GARP state.
The following is an example of the CLI commands:
console(config)# interface gi0/1
console(config-if)# garp timer leave 900
console(config-if)# end
console# show gvrp configuration gi0/11
GVRP Feature is currently Disabled on the device.
13 Spanning Tree This chapter describes the Spanning Tree Protocol. It contains the following topics: • Overview • Global Settings • STP Port Settings • STP LAG Settings • Rapid Spanning Tree • Multiple Spanning Tree Overview Spanning Tree Protocol (STP) provides a tree topology for any bridge arrangement. STP eliminates loops by providing a unique path between end stations on a network. Loops occur when alternate routes exist between hosts.
Although Classic STP is guaranteed to prevent Layer 2 forwarding loops, in a general network topology, there might be an unacceptable delay before convergence. This means that before convergence, each bridge or switch in the network must decide if it should actively forward traffic or not, on each of its ports. For more information on configuring Rapid STP, see Rapid Spanning Tree. • Multiple STP (MSTP) — MSTP is based on RSTP.
Global Settings To enable STP and select the STP mode on the device: 1 Click Switching > Spanning Tree > Global Settings in the tree view to display the Global Settings page. The currently-defined settings are displayed. 2 Enter the fields: – Spanning Tree State — Enable Spanning Tree on the device. – STP Operation Mode — Select the STP mode enabled on the device. The possible options are: • Classic STP — Enables Classic STP on the device. • Rapid STP — Enables Rapid STP on the device.
The default path costs assigned to an interface vary according to the selected method:
Interface   Long Cost   Short Cost
LAG         20,000      4
1000 Mbps   20,000      4
100 Mbps    200,000     19
10 Mbps     2,000,000   100
Bridge Settings – Priority (0-61440 in steps of 4096) — Enter the bridge priority value. When switches or bridges are running STP, each is assigned a priority. After exchanging BPDUs, the device with the lowest priority value becomes the Root Bridge. The default value is 32768.
– Last Topology Change — The amount of time that has elapsed since the bridge was initialized or reset, and the last topographic change occurred. Defining STP Global Parameters Using CLI Commands The following table summarizes the CLI commands for defining STP global parameters as displayed in the Global Settings pages. Table 13-1. STP Global Parameter CLI Commands CLI Command Description spanning-tree Enables spanning tree functionality.
Table 13-1. STP Global Parameter CLI Commands (continued) CLI Command Description spanning-tree max-age seconds Configures the spanning tree bridge maximum age. no spanning-tree max-age Use the no form of this command to restore the default configuration. spanning-tree forward-time seconds Configures the spanning tree bridge forward time, which is the amount of time a port remains in the listening and learning states before entering the forwarding state. no spanning-tree forward-time Use the no form of this command to restore the default configuration.
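Because the root bridge is simply whichever bridge advertises the lowest priority (with the MAC address breaking ties), any device that can inject BPDUs into a port can make itself the root and pull traffic through itself. The following is an added example, not code from this guide or the switch, that models the election in Python using the path-cost table and the priority rule above, and shows the effect of BPDU Guard on the edge port where a rogue bridge is attached. The topology, bridge names and MAC addresses are constructed; BPDU Guard is modelled as "a guarded port that receives a BPDU is shut down, so that link drops out of the election", which is the behaviour the guide's BPDU Guard setting is for.

```python
"""Model of STP root election and root path cost, with and without BPDU Guard.

Added example, not code from the Dell guide. It uses only the rules stated in
this chapter: a bridge ID is the configured priority (0-61440 in steps of
4096) followed by the bridge MAC address, the lowest ID becomes the Root
Bridge, and default port path costs come from the Long/Short table above.
BPDU Guard is modelled as: a guarded port that receives a BPDU is shut down,
so the bridge behind it takes no part in the election. Names and MACs are
constructed for the example.
"""
import heapq
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_PATH_COST = {            # from the Long Cost / Short Cost table above
    "long": {"lag": 20_000, 1000: 20_000, 100: 200_000, 10: 2_000_000},
    "short": {"lag": 4, 1000: 4, 100: 19, 10: 100},
}


def default_path_cost(speed, method: str = "long") -> int:
    """speed is 10/100/1000 (Mbps) or 'lag'."""
    return DEFAULT_PATH_COST[method][speed]


def bridge_id(priority: int, mac: str) -> Tuple[int, int]:
    """Lower tuple wins the election: priority first, MAC address as tie-break."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0-61440 in steps of 4096")
    return priority, int(mac.replace(":", ""), 16)


Bridges = Dict[str, Tuple[int, str]]           # name -> (priority, mac)
Link = Tuple[str, str, int]                    # (bridge_a, bridge_b, path cost)


def elect(bridges: Bridges, links: List[Link], guarded: Set[Tuple[str, str]] = frozenset(),
          reference: Optional[str] = None):
    """Return (root name, {bridge: root path cost}) for the segment containing `reference`.

    `guarded` holds (bridge, neighbor) pairs whose port on `bridge` has BPDU Guard;
    a BPDU arriving there shuts the port, so that link is removed before election.
    """
    active = [l for l in links if (l[0], l[1]) not in guarded and (l[1], l[0]) not in guarded]
    adj: Dict[str, List[Tuple[str, int]]] = {b: [] for b in bridges}
    for a, b, cost in active:
        adj[a].append((b, cost))
        adj[b].append((a, cost))

    # Bridges that can still exchange BPDUs with the reference bridge.
    reference = reference or next(iter(bridges))
    seen, stack = {reference}, [reference]
    while stack:
        for nbr, _ in adj[stack.pop()]:
            if nbr not in seen:
                seen.add(nbr)
                stack.append(nbr)

    root = min(seen, key=lambda n: bridge_id(*bridges[n]))

    # Root path cost: cheapest sum of port costs toward the root (Dijkstra).
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for nbr, w in adj[n]:
            if nbr in seen and c + w < cost.get(nbr, float("inf")):
                cost[nbr] = c + w
                heapq.heappush(heap, (c + w, nbr))
    return root, cost


# Constructed topology: three switches at the default priority, plus a rogue
# bridge R with priority 0 plugged into an edge port on C.
BRIDGES: Bridges = {
    "A": (32768, "00:00:00:00:00:01"),
    "B": (32768, "00:00:00:00:00:02"),
    "C": (32768, "00:00:00:00:00:03"),
    "R": (0, "00:00:00:00:00:ff"),
}
LINKS: List[Link] = [
    ("A", "B", default_path_cost(1000)),
    ("B", "C", default_path_cost(100)),
    ("A", "C", default_path_cost(100)),
    ("C", "R", default_path_cost(1000)),
]


def demo() -> Dict[str, str]:
    """Root bridge with the rogue unguarded versus guarded by BPDU Guard on C's edge port."""
    return {
        "unguarded": elect(BRIDGES, LINKS, reference="A")[0],
        "guarded": elect(BRIDGES, LINKS, guarded={("C", "R")}, reference="A")[0],
    }


if __name__ == "__main__":
    root, costs = elect(BRIDGES, LINKS, guarded={("C", "R")}, reference="A")
    print("root:", root, "root path costs:", costs)
    print(demo())
```

With the edge port unguarded the rogue bridge R wins the election outright, because priority 0 beats any default-priority switch regardless of MAC address; with BPDU Guard on C's edge port the link is shut on the first BPDU and A remains root, with B reaching it at cost 20,000 over the gigabit link and C at 200,000 over its direct 100 Mbps link. The same model can be rerun with the "short" method to see how the smaller cost values change tie-breaking.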
STP Port Settings To assign STP properties to individual ports: 1 Click Switching > Spanning Tree > STP Port Settings in the tree view to display the STP Port Settings: Summary page. The ports and their STP settings are displayed. 2 To modify STP settings on a port, click Edit. 3 Select the port, and enter the fields: – STP — Enable/disable STP on the port. – Fast Link — Check to enable Fast Link mode for the port.
– Role — Displays the port role assigned by the STP algorithm that provides STP paths. The possible options are: • Root — This port provides the lowest cost path to forward packets to the root switch. • Designated — This port is the interface through which the bridge is connected to the LAN, which provides the lowest cost path from the LAN to the Root Bridge. • Alternate — This port provides an alternate path to the root switch from the root port.
Defining STP Port Settings Using CLI Commands
The following table summarizes the CLI commands for defining STP port parameters as displayed in the STP Port Settings page.
Table 13-2. STP Port Settings CLI Commands
CLI Command | Description
spanning-tree disable | Disables spanning tree on a specific port.
no spanning-tree disable | Use the no form of this command to enable the spanning tree on a port.
The following is an example of the CLI commands:
console> enable
console# configure
console(config)# interface gi0/1
console(config-if)# spanning-tree disable
console(config-if)# spanning-tree cost 35000
console(config-if)# spanning-tree port-priority 96
console(config-if)# spanning-tree portfast
console(config-if)# exit
console(config)# exit
console# show spanning-tree gi0/8 instance 12
Port gi0/8 enabled
State: discarding Role: alternate
Port ID: 128.
– STP — Enable/disable STP on the LAG. – Fast Link — Check to enable Fast Link mode for the LAG. If Fast Link mode is enabled for a LAG, the LAG State is automatically placed in Forwarding when the LAG is up. Fast Link mode optimizes the time it takes for the STP protocol to converge. STP convergence can take from 30-60 seconds in large networks. – BPDU Guard — Check to enable BPDU Guard on the LAG.
• Designated — This LAG is the interface through which the bridge is connected to the LAN, which provides the lowest cost path from the LAN to the Root Bridge. • Alternate — This LAG provides an alternate LAG to the root switch from the root interface. • Backup — This LAG provides a backup path to the designated port. Backup ports occur only when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more connections connected to a shared segment.
The following is an example of the CLI commands:
console(config)# interface port-channel 1
console(config-if)# spanning-tree disable
console(config-if)# spanning-tree cost 35000
console(config-if)# spanning-tree port-priority 96
console(config-if)# spanning-tree portfast
Rapid Spanning Tree
While classic spanning tree prevents Layer 2 forwarding loops on a general network topology, convergence can take from 30 to 60 seconds. This delay provides time to detect possible loops, and propagate status changes.
• Backup — This port provides a backup path to the designated port. Backup ports occur only when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more connections connected to a shared segment.
• Disabled — This port is not participating in the Spanning Tree.
– Mode — Displays if RSTP is enabled.
– Fast Link Operational Status — Displays if Fast Link is enabled or disabled for the port or LAG.
– Point-to-Point Operational Status — Displays the Point-to-Point operating state. – Active Protocol Migration Test — Check to run a Protocol Migration test. This discovers whether the link partner using STP still exists, and if so whether it has migrated to RSTP or MSTP. If it still exists as an STP link, the device continues to communicate with it by using STP. Otherwise, if it has been migrated to RSTP or MSTP, the device communicates with it using RSTP or MSTP, respectively.
Multiple Spanning Tree This section describes Multiple Spanning Tree Protocol (MSTP). It contains the following topics: • MSTP Overview • MSTP Properties • VLAN to MSTP Instance • MSTP Instance Settings • MSTP Interface Settings MSTP Overview MSTP maps VLANs into STP instances, using various load balancing scenarios. As a result of this partitioning into instances, if port A is blocked in one STP instance, the same port can be placed in the Forwarding State in another STP instance.
– IST Master — Displays the Internal Spanning Tree Master ID. The IST Master is the instance 0 root.
Configuring MST Properties Using CLI Commands
The following table summarizes the CLI commands for configuring MST properties in the MSTP Properties pages.
Table 13-4. MSTP Properties CLI Commands
CLI Command | Description
spanning-tree mst configuration | Enters MST Configuration mode.
4 Enter the fields:
– Select MST Instance ID — Select an MST instance.
– VLANs — Enter the VLANs being mapped to this instance.
– Action — Select the mapping action. The possible options are:
• Add — Add these VLANs to the MST instance.
• Remove — Remove these VLANs from the MST instance.
Mapping VLAN to MSTP Instances Using CLI Commands
The following table summarizes the CLI commands for mapping VLANs to MSTP instances.
Table 14-5.
4 The following fields are displayed: – Included VLANs — Displays VLANs included in this instance. – Designated Root Bridge ID — Priority and MAC address of the Root Bridge for the MST instance. – Root Port — Root port of the selected instance. – Root Path Cost — Root path cost of the selected instance. – Bridge ID — Bridge priority and the MAC address of this switch for the selected instance. – Remaining Hops — Number of hops remaining to the next destination.
MSTP Interface Settings
To assign interfaces to MSTP instances:
1 Click Switching > Spanning Tree > MSTP Interface Settings in the tree view to display the MSTP Interface Settings: Summary page. The MSTP interface settings for the selected instance are displayed.
2 To set MSTP settings for an interface, click Edit.
3 Select an instance, and enter the fields:
– Interface ID — Assign either ports or LAGs to the selected MSTP instance.
– Path Cost (1-200,000,000) — Enter the port contribution to the Spanning Tree instance. If a loop occurs, the spanning tree considers path cost when selecting an interface to put in the Forwarding state. – Default Path Cost — Check to use the default path cost. – Designated Bridge ID — Displays the bridge ID number that connects the link or shared LAN to the root. – Designated Port ID — Displays the Port ID number on the designated bridge that connects the link or the shared LAN to the root.
14 VLANs
This chapter describes how VLANs are configured on the device. It contains the following topics: • Overview • VLAN Membership • Port Settings • LAG Settings • Protocol Groups • Protocol Port • GVRP Parameters • Private VLAN • Voice VLAN
Overview
A VLAN is a switched network that is logically segmented on an organizational basis, by functions, project teams, or applications rather than on a physical or geographical basis.
bridging domain. The bridging domain is supported on various pieces of network equipment; for example, LAN switches that operate bridging protocols between them with a separate bridge group for each VLAN. VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management.
4 The egress rules define whether the frame is to be sent as tagged or untagged.
Special-case VLANs
VLAN#1 and VLAN#4095 are special-case VLANs:
• VLAN1 — Defined as the default VLAN, and may only be used as a port's default VLAN ID (PVID). This means that if the VLAN whose VID is the current port's PVID is deleted from the port (or from the system), that port's PVID is set to 1. VLAN#1 cannot be deleted from the system.
• Trunk Ports Ports set to Trunk mode may belong to multiple VLANs. The default VLAN membership of a trunk port is all VLANs (1-4094). A PVID must be set on the port (it can be a non-existing VLAN). Trunk ports accept tagged and untagged frames. Untagged frames will be classified to the VLAN whose VLAN ID (VID) is configured as the port’s PVID. Frames, sent from the port in the VLAN, whose VID is the current PVID, are sent untagged. Frames sent in all other VLANs active on the port are sent tagged.
• Isolated An isolated port has complete Layer 2 isolation from the other ports within the same PVLAN, but not from the promiscuous ports. Isolated ports can communicate with promiscuous ports. In the factory default configuration, all ports are designated as Access ports, and are associated with the default VLAN. Acceptable Frame Type The acceptable frame type can be set on a port to accept all frames (tagged and untagged), tagged only, or untagged only.
2 Enter the fields:
– Show VLAN — Check one of the possible options:
• VLAN ID — Check VLAN ID, and select a VLAN ID to view.
• VLAN Name — Check VLAN Name, and select a VLAN ID to view.
– VLAN Name (0-32 Characters) — Enter a new VLAN name.
– Status — The VLAN type. Possible values are:
• Dynamic — The VLAN was dynamically created through GVRP.
• Static — The VLAN is user-defined.
– Authentication Not Required — Enable/disable authentication on the VLAN.
The following is an example of the CLI commands:
console(config)# vlan database
console(config-vlan)# vlan 1972
console(config-vlan)# end
console(config)# interface vlan 1972
console(config-if)# name Marketing
console(config-if)# dot1x auth-not-req
console(config-if)# end
Port Settings
After a VLAN has been defined, assign ports to it. To assign a VLAN to untagged packets arriving on the device, enter the port default VLAN ID (PVID).
• Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types that are accepted on the port cannot be designated. Ingress filtering cannot be enabled/disabled on an access port. • Trunk — The port belongs to VLANs on which all ports are tagged (except for one port that can be untagged). • General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).
• Admit All — Both tagged and untagged packets are accepted on the port.
• Admit Tagged Only — Only tagged packets are accepted on the port.
• Admit Untagged Only — Only untagged packets are accepted on the port.
– Ingress Filtering — Enable/disable ingress filtering, which discards packets that are destined to VLANs of which the specific port is not a member.
– Native VLAN ID (1-4094) — Enter the VLAN used for untagged traffic on trunk ports.
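The ingress and egress rules for the three port modes can be checked against a small model. The following Python is an added example, not the guide's or Dell's code: it classifies a received frame to a VLAN using the port mode, PVID, acceptable frame type and ingress filtering described above, and decides whether a frame leaves a port tagged or untagged. The port numbers and VLAN IDs are constructed, and the rule that a tagged frame arriving on an access port is dropped is an assumption, not something the guide states.

```python
"""Ingress VLAN classification and egress tagging for access, trunk and general ports.
Added example; not the guide's or Dell's code. Ports and VLAN IDs are constructed.
Assumption: tagged frames arriving on an access port are dropped."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Port:
    mode: str                                        # "access", "trunk" or "general"
    pvid: int = 1                                    # port default VLAN ID (native VLAN on a trunk)
    members: Set[int] = field(default_factory=set)   # VLANs the port belongs to
    untagged: Set[int] = field(default_factory=set)  # members sent untagged (general mode)
    accept: str = "all"                              # acceptable frame type: all / tagged / untagged
    ingress_filtering: bool = True                   # general mode only; always on for trunks


def classify_ingress(port: Port, vid: Optional[int]) -> Tuple[Optional[int], str]:
    """vid is the 802.1Q VID of a received frame, or None when the frame is untagged.
    Returns (vlan, reason); vlan is None when the frame is discarded."""
    tagged = vid is not None
    if port.mode == "access":
        if tagged:
            return None, "tagged frame on access port (assumption: dropped)"
        return port.pvid, "untagged -> PVID"
    if port.accept == "tagged" and not tagged:
        return None, "acceptable frame type is tagged only"
    if port.accept == "untagged" and tagged:
        return None, "acceptable frame type is untagged only"
    vlan = vid if tagged else port.pvid
    # A trunk only carries its allowed VLANs; a general port filters only when enabled.
    filtering = True if port.mode == "trunk" else port.ingress_filtering
    if filtering and vlan not in port.members:
        return None, f"port is not a member of VLAN {vlan}"
    return vlan, ("tagged VID" if tagged else "untagged -> PVID")


def egress_tagging(port: Port, vlan: int) -> Optional[str]:
    """How a frame in `vlan` leaves the port: 'tagged', 'untagged', or None (not sent)."""
    if vlan not in port.members:
        return None
    if port.mode == "access":
        return "untagged"
    if port.mode == "trunk":
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"


# Constructed ports. The trunk's PVID is an unused VLAN, so untagged frames on it are
# dropped instead of landing in VLAN 1 (the guide allows a non-existing VLAN as PVID).
ACCESS = Port("access", pvid=23, members={23})
TRUNK = Port("trunk", pvid=999, members={23, 24, 25})
GENERAL = Port("general", pvid=1, members={1, 24}, untagged={1})

if __name__ == "__main__":
    for name, port, vid in [("access", ACCESS, None), ("trunk", TRUNK, None),
                            ("trunk", TRUNK, 24), ("trunk", TRUNK, 30), ("general", GENERAL, 24)]:
        print(name, vid, classify_ingress(port, vid))
```

The trunk in the sample has its PVID set to an unused VLAN, which the guide permits; untagged frames on that trunk are then dropped rather than classified into VLAN 1, which keeps untagged traffic from a neighbouring device out of the default VLAN.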
Table 14-2. Port-to-VLAN Group Assignments CLI Commands (continued)
CLI Command | Description
switchport access vlan {vlan-id | none} | Configures the VLAN ID when the interface is in access mode.
no switchport access vlan | Use the no form of this command to restore the default configuration.
switchport trunk allowed vlan {all | none | add vlan-list | remove vlan-list | except vlan-list} | Sets the trunk characteristics when the interface is in Trunking mode.
The following is an example of the CLI commands:
console(config)# vlan database
console(config-vlan)# vlan 23-25
console(config-vlan)# end
console(config)# interface vlan 23
console(config-if)# name Marketing
console(config-if)# end
console(config)# interface gi0/5
console(config-if)# switchport mode access
console(config-if)# switchport access vlan 23
console(config-if)# end
console(config)# interface gi0/6
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add
2 To modify the LAG settings, click Edit, and enter the fields:
– LAG — Select the LAG to be modified.
– Switchport Mode (Layer 2+ mode) — Enter the LAG system mode. The possible options are:
• Layer 2 — Set the LAG to layer 2 mode.
• Layer 2+ — Set the LAG to layer 3 mode, in which static routing is supported.
– Port VLAN Mode — Enter the port VLAN mode. The possible options are:
• General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).
– VLAN List (I - Inactive Configuration) — Enter the VLAN(s) to which this LAG belongs, and indicate its type. The possible options are: • T — Tagged. The LAG is a member of a VLAN. All packets forwarded by the LAG are tagged. The packets contain VLAN information. • U — Untagged. The LAG is a member of a VLAN. Packets forwarded by the LAG are untagged. • F — Forbidden. The LAG is denied membership to a VLAN. Click Add to move the LAG to the VLAN list together with its type.
Protocol Groups
Protocol groups are based on protocol-based VLANs.
Protocol-based VLANs
Untagged frames received on a VLAN-aware switch can be classified by methods other than source port, such as data-link-layer protocol identification. This classification method is referred to as protocol-based VLANs. Protocol-based VLANs are useful for isolating Layer 2 traffic of various Layer 3 protocols.
Similarly, there may be implied dependencies between encapsulations, so that specifying an encapsulation implies defining the protocol group for related encapsulations. For example, specifying the Ethernet encapsulation, even by default, implies IEEE 802 encapsulation, as per RFC 1042. The following standards are relevant: • IEEE 802.1v defines VLAN assignment by protocol type.
Defining VLAN Protocol Groups Using CLI Commands
The following table summarizes the CLI commands for defining VLAN Protocol groups.
Table 14-3. VLAN Protocol Groups CLI Commands
CLI Command | Description
map protocol protocol [encapsulation-value] protocols-group group | Maps a protocol to a protocol group. Protocol groups are used for protocol-based VLAN assignment.
no map protocol protocol [encapsulation] | Use the no form of this command to delete a protocol from a group.
Defining Protocol Ports Using CLI Commands
The following table summarizes the CLI command for defining protocol ports.
Table 14-4. Protocol Port CLI Commands
CLI Command | Description
switchport general map protocols-group group vlan vlan-id | Sets a protocol-based classification rule. Use the no form of this command to delete a classification.
3 Check Ports and select either an External or Internal port to view ports on the device, or select LAGs to view the LAGs in the system. 4 To set GVRP for an interface, click Edit, and enter the fields: – Interface — Specifies port or LAG for editing GVRP settings. – GVRP State — Enable/disable GVRP on the interface. – Dynamic VLAN Creation — Enable/disable Dynamic VLAN creation on the interface. – GVRP Registration — Enable/disable VLAN registration through GVRP on the interface.
Table 14-5. GVRP Global Parameters CLI Commands (continued)
CLI Command | Description
show gvrp configuration [interface-id | detailed] | Displays GVRP configuration information, including timer values, whether GVRP and dynamic VLAN creation is enabled, and which ports are running GVRP.
show gvrp error-statistics [interface-id] | Displays GVRP error statistics.
show gvrp statistics [interface-id] | Displays GVRP statistics.
clear gvrp statistics | Clears all the GVRP statistics information.
Private VLAN Private VLANs (PVLANs) provide Layer 2 isolation between ports that share the same Broadcast domain, or in other words, they create a point-to-multipoint Broadcast domain. The ports can be located anywhere in the Layer 2 network, as opposed to protected ports which must be in the same stack.
– Associate Primary VLAN — If the Private VLAN type is Isolated, check to associate the isolated VLAN with a primary VLAN, thus allowing traffic between isolated and promiscuous ports. – Primary VLAN ID — Select a VLAN to be associated with the isolated VLAN. 4 To assign ports to the private VLAN, click Membership. 5 Select a Primary VLAN ID. 6 Select an Isolated VLAN ID. 7 Select the ports to be assigned to each VLAN, and assign each port/LAG a port type in the Admin row of ports/LAGs.
Table 14-6. Private VLAN CLI Commands (continued)
CLI Command | Description
switchport private-vlan mapping primary-vlan-id [add | remove] secondary-vlan-list | Configures the VLANs of the private-vlan promiscuous port.
no switchport private-vlan mapping | Use the no form of this command to reset to default.
switchport private-vlan host-association primary-vlan-id secondary-vlan-id | Configures the VLANs of the private-vlan host port.
no switchport private-vlan host-association | Use the no form of this command to reset to default.
show vlan private-vlan [tag vlan-id]
Overview The Voice VLAN feature enables you to enhance VoIP service by configuring ports to carry IP-voice traffic from IP phones on a specific VLAN. This VLAN is configured with a QoS profile that ensures high voice quality. Equipment, such as VOIP phones, transmits IP traffic with a pre-configured Organizational Unique Identifier (OUI) prefix in the source MAC address. This enables the switch to dynamically identify ports connected to the VoIP equipment and automatically add these ports to the Voice VLAN.
– Class of Service — Select to add a CoS level to untagged packets, received on the voice VLAN. The possible values are 0 to 7, where 7 is the highest priority. 0 is used as a best-effort, and is invoked automatically when no other value has been set. – Remark CoS — Select Enable to use the Remark CoS feature. – Voice VLAN Aging Time — Enter the interval of time after which the port exits the voice VLAN, if no voice packets are received.
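The OUI match and the aging timer described above can be modelled as a small tracker. The following Python is an added example, not the guide's or Dell's code: it records, per port, the last time a frame whose source MAC carries a telephony OUI was seen, and removes ports that have been idle for longer than the aging time. The OUI table (its descriptions are placeholders), the port names, MAC addresses and timestamps are all constructed.

```python
"""Voice VLAN port membership driven by source-MAC OUI matching and an aging timer.
Added example; not the guide's or Dell's code. The OUI table, port names, MACs
and timestamps are constructed."""
from typing import Dict, Set


def oui_of(mac: str) -> str:
    """First three octets of a MAC address, normalised to 'xx:xx:xx'."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(parts[:3])


class VoiceVlanTracker:
    def __init__(self, voice_vlan: int, aging_seconds: int, oui_table: Dict[str, str]):
        self.voice_vlan = voice_vlan
        self.aging = aging_seconds
        self.ouis = {k.lower(): v for k, v in oui_table.items()}
        self.last_seen: Dict[str, float] = {}   # port -> time of the last OUI-matching frame

    def observe(self, port: str, src_mac: str, now: float) -> bool:
        """Record a frame seen on `port`; True when its source OUI is a telephony OUI."""
        if oui_of(src_mac) in self.ouis:
            self.last_seen[port] = now
            return True
        return False

    def voice_ports(self, now: float) -> Set[str]:
        """Ports currently in the voice VLAN; a port idle longer than the aging time leaves it."""
        for port in [p for p, t in self.last_seen.items() if now - t > self.aging]:
            del self.last_seen[port]
        return set(self.last_seen)


# Constructed OUI table; the descriptions are placeholders, not real vendor entries.
OUI_TABLE = {"00:E0:BB": "phone vendor A", "00:04:0D": "phone vendor B"}

if __name__ == "__main__":
    tracker = VoiceVlanTracker(voice_vlan=100, aging_seconds=300, oui_table=OUI_TABLE)
    tracker.observe("gi0/5", "00:E0:BB:11:22:33", now=0)    # phone: OUI matches
    tracker.observe("gi0/6", "52:54:00:aa:bb:cc", now=0)    # PC: no match
    print(tracker.voice_ports(now=10))     # gi0/5 is in the voice VLAN
    print(tracker.voice_ports(now=400))    # gi0/5 has aged out after 300 s of silence
```

Because the OUI is read from the unauthenticated source MAC address, this mechanism identifies likely phones rather than authenticated devices; the voice VLAN therefore needs the same port authentication and filtering controls as any other VLAN.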
Table 14-7. Voice VLAN Properties CLI Commands (continued)
CLI Command | Description
show voice vlan [type oui] [interface-id | detailed] | Use the show voice vlan EXEC command to display the voice VLAN status.
Port Setting To configure voice VLAN ports properties: 1 Click Switching > VLAN > Voice VLAN > Port Setting in the tree view to display the Port Setting: Summary page. A list of the ports and their voice VLAN settings is displayed. 2 To modify the voice VLAN settings for an interface, click Edit, and enter the fields: – Interface — Enter the specific port or LAG to which the Voice VLAN settings are applied. – Voice VLAN Mode — Select the Voice VLAN mode.
Defining Voice VLAN Port Settings Using CLI Commands
The following table summarizes the CLI command for defining Voice VLAN port settings.
Table 14-8. Voice VLAN Port Settings CLI Commands
CLI Command | Description
voice vlan enable | Enables OUI voice VLAN on a port.
no voice vlan enable | Use the no form of this command to disable OUI voice VLAN on a port.
To view existing OUIs, and add new OUIs: 1 Click Switching > VLAN > Voice VLAN > OUI in the tree view to display the OUI Summary. The previously-defined OUIs are displayed. 2 To add a new OUI, click Add, and enter the fields: – Telephony OUI — Enter a new OUI. – Description — Enter an OUI description up to 32 characters. Defining Voice VLAN OUIs Using CLI Commands The following table summarizes the CLI command for defining Voice VLAN OUIs. Table 14-9.
15 Link Aggregation This section describes link aggregation of ports. It contains the following topics: • Overview • LACP Parameters • LAG Membership Overview Link Aggregation optimizes port usage by linking a group of ports together to form a single LAG (aggregated group). Aggregating ports multiplies the bandwidth between the devices, increases port flexibility, and provides link redundancy. The device supports the following types of LAGs: • Static LAGs — Manually-configured LAGs.
• All ports in the LAG have the same back pressure and flow control modes. • All ports in the LAG have the same priority. • All ports in the LAG have the same transceiver type. • The device supports up to 32 LAGs, and eight ports in each LAG. • Ports can be configured as LACP ports only if the ports are not part of a previously configured LAG. Ports added to a LAG lose their individual port configuration. When ports are removed from the LAG, the original port configuration is applied to the ports.
3 To modify LACP parameters for a particular port, click Edit, and enter the following fields: – Select a Port — Select the port for which timeout and priority values are assigned. – LACP Port Priority (1-65535) — Enter the LACP priority value for the port. – LACP Timeout — Select the rate of periodic transmissions of LACP PDUs.
The following is an example of the CLI commands:
console(config)# lacp system-priority 120
console(config)# interface gi0/8
console(config-if)# lacp port-priority 247
console(config-if)# lacp timeout long
console(config-if)# end
console# show lacp gi0/8 statistics
Port gi0/8 LACP Statistics:
LACP PDUs sent:2
LACP PDUs received:2
LAG Membership
Each device supports up to 32 LAGs per system, and eight ports per LAG. When you add a port to a LAG, the port acquires the LAG’s properties.
4 In the LACP row (the first row), toggle the button under the port number to assign either the LACP or the static LAG. 5 In the LAG row (the second row), toggle the button to a specific number to aggregate or remove the port to that LAG number. Adding Ports to LAGs Using CLI Commands The following table summarizes the CLI commands for assigning ports to LAGs as displayed in the LAG Membership pages. Table 15-2.
16 Multicast Support This chapter describes Multicast support on the device. It contains the following topics: • Overview • Global Parameters • Bridge Multicast Groups • Bridge Multicast Forward All • IGMP Snooping • MLD Snooping • Unregistered Multicast • Multicast TV VLAN Overview Multicast forwarding enables a single packet to be forwarded to multiple destinations. Layer 2 Multicast service is based on a Layer 2 device receiving a single packet addressed to a specific Multicast address.
The device supports: • Forwarding L2 Multicast Packets — Forwards Layer 2 Multicast packets. Layer 2 Multicast filtering is enabled by default, and is not user-configurable. • Filtering L2 Multicast Packets — Forwards Layer 2 packets to interfaces. If Multicast filtering is disabled, Multicast packets are flooded to all relevant ports. NOTE: The system supports Multicast filtering for 256 Multicast groups.
MLD Snooping
Hosts use the MLD protocol to report their participation in Multicast sessions, and the device uses MLD snooping to build Multicast membership lists. It uses these lists to forward Multicast packets only to device ports where there are host nodes that are members of the Multicast groups. The device does not support MLD Querier.
2 Enter the fields:
– Bridge Multicast Filtering — Enable/disable Multicast filtering. Enabled is the default value.
– IGMP Snooping Status — Enable/disable IGMP Snooping on the device. Disabled is the default value.
– IGMP Querier Status — Enable/disable IGMP Querier. Disabled is the default value. Enable IGMP querier if IGMP snooping is enabled. IGMP querier fills the tables used by IGMP snooping.
– MLD Snooping Status — Enable/disable MLD Snooping on the device. Disabled is the default value.
Enabling Multicast Filtering and IGMP Snooping Using CLI Commands
The following table summarizes the CLI commands for enabling Multicast Filtering and IGMP snooping as displayed on the Global Parameters page.
Table 16-1. Multicast Filtering and Snooping CLI Commands
CLI Command | Description
bridge multicast filtering | Enables filtering of Multicast addresses.
no bridge multicast filtering | Use the no form of this command to disable Multicast address filtering.
ip igmp snooping | Enables IGMP Snooping.
The following is an example of the CLI commands:
console(config)# bridge multicast filtering
console(config)# ip igmp snooping
console(config)# ipv6 mld snooping
Bridge Multicast Groups
The Bridge Multicast Group: Summary page displays the ports and LAGs attached to a Multicast service group and the manner in which the port or LAG joined it.
– Source IP Address— Enter the source IP address to be used in outgoing packets. – Ports — Select the ports to be added to a Multicast service. Toggle a port to S to join the port to the selected Multicast group as a static port. Toggle a port to F to indicate that it is Forbidden to this service. Leave the field empty if it is not involved in the VLAN. – LAGs — Select the LAGs to be added to a Multicast service. Toggle a LAG to S to join the port to the selected Multicast group as a static LAG.
Managing Bridge Multicast Groups Using CLI Commands
The following table summarizes the CLI commands for managing Multicast service members as displayed in the Bridge Multicast Group pages.
Table 16-3. Bridge Multicast Group CLI Commands
CLI Command | Description
bridge multicast address {mac-multicast-address | ipv4-multicast-address} [[add | remove] {ethernet interface-list | port-channel port-channel-list}] | Registers MAC-layer Multicast addresses to the bridge table, and adds static ports to the group.
The following is an example of the CLI commands:
console(config-if)# bridge multicast address 0100.5e02.0203 add gi0/7,gi0/8
console(config-if)# end
console# show bridge multicast address-table
VLAN MAC Address Type Ports
---- ----------- ----- ----------
1 0100.5e02.0203 static gi0/5, gi0/6
Forbidden ports for multicast addresses:
VLAN MAC Address Ports
---- ----------- ----------
1 0100.5e02.0203 gi0/8
19 0100.5e02.
To attach interfaces to a Multicast service: 1 Click Switching > Multicast Support > Bridge Multicast Forward All in the tree view to display the Bridge Multicast Forward All page. 2 Select a VLAN and click on the ports and LAGs to be attached to the Multicast service. Toggle a port to S to join the port to the selected Multicast group as a static port. Toggle a port to F to add it as a Forbidden port. Two rows of ports and LAGs are displayed: – Static — Displays available static ports/LAGs.
Filtering: Enabled
VLAN: Forward-All
Port Static Status
------- ----------------- -----------
gi0/3 Forbidden Filter
gi0/4 Forward Forward(s)
gi0/5 - Forward(d)
IGMP Snooping
IGMP Snooping can be enabled globally, as described in the Global Parameters page. It can also be enabled per VLAN to support selective IPv4 Multicast forwarding. In this case, Bridge Multicast filtering must also be enabled.
To enable IGMP Snooping on a VLAN:
1 Click Switching > Multicast Support > IGMP Snooping in the tree view to display the IGMP Snooping page. The IGMP snooping information for the VLANs on the switch is displayed.
2 To enable IGMP Snooping on a VLAN, click Edit and select the VLAN from the VLAN ID drop down menu.
3 Enter the fields:
• IGMP Snooping Status — Enable/disable the monitoring of network traffic to determine which hosts have asked to be sent Multicast traffic.
• Operational Last Member Query Counter — Displays the operational value of the Last Member Query counter. • Last Member Query Interval (100-25500) — Enter the time between two consecutive group-specific queries that are sent by the querier. • Operational Last Member Query Interval — Displays the Last Member Query Interval sent by the elected querier. • Intermediate Leave — Enable/disable an immediate timeout period. The default timeout is 10 seconds.
Table 16-5. IGMP Snooping CLI Commands (continued)
CLI Command | Description
ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp | Enables automatic learning of Multicast router ports in the context of a specific VLAN.
no ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp | Use the no form of this command to remove the configuration.
ip igmp robustness count | Changes the value of the IGMP robustness variable.
no ip igmp robustness | Use the no format of the command to return to default.
Table 16-5. IGMP Snooping CLI Commands (continued)
CLI Command | Description
ip igmp snooping vlan vlan-id querier address ip-address | Defines the source IP address that the IGMP Snooping querier would use.
no ip igmp snooping vlan vlan-id querier address | Use the no form of this command to return to default.
show ip igmp snooping groups [vlan vlan-id] [address ip- | Displays the Multicast groups learned by IGMP snooping.
The following is an example of the CLI commands:
console(config)# ip igmp snooping
console(config)# interface vlan 1
console(config-if)# ip igmp snooping mrouter learn pim-dvmrp
console(config)# interface vlan 1
console(config-if)# ip igmp snooping leave-time-out 60
console# do show ip igmp snooping groups
VLAN IP Address Querier Ports
---- ---------- ------ ----------------------
1 |2.2.3 Yes gi0/1, gi0/2 224-239.
MLD Snooping To enable MLD Snooping and configure it on a VLAN: 1 Click Switching > Multicast Support > MLD Snooping. 2 Enable or disable MLD Snooping Status. When MLD Snooping is globally enabled, the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic. The device performs MLD Snooping only if both MLD snooping and Bridge Multicast filtering are enabled. 3 Click Edit and enter the parameters. • VLAN ID—Select the VLAN ID.
• Operational Query Max Response Interval—Displays the delay used to calculate the Maximum Response Code inserted into the General Queries. • Last Member Query Counter (1-7)—Enter the Last Member Query Count to be used if the device cannot derive the value from the messages sent by the elected querier. • Operational Last Member Query Counter—Displays the operational value of the Last Member Query Counter.
Configuring MLD Snooping Using CLI Commands
The following table summarizes the CLI commands for configuring MLD snooping on a VLAN:
Table 16-6. IGMP Snooping CLI Commands
CLI Command | Description
ipv6 mld snooping | Enables MLD Snooping.
no ipv6 mld snooping | Use the no form of this command to disable MLD Snooping.
ipv6 mld snooping vlan vlan-id | Enables MLD Snooping on a specific VLAN.
no ipv6 mld snooping vlan vlan-id | Use the no form of this command to disable MLD Snooping on a specific VLAN.
Table 16-6. IGMP Snooping CLI Commands (continued)
CLI Command | Description
ipv6 mld last-member-query-count count | Configures the Last Member Query Counter.
no ipv6 mld last-member-query-count | Use the no format of the command to return to default.
ipv6 mld last-member-query-interval milliseconds | Configures the Last Member Query Interval.
no ipv6 mld last-member-query-interval | Use the no format of the command to return to default.
console# show ipv6 mld snooping groups
VLAN Group Address Source Address Include Ports Exclude Ports Compatibility Mode
---- ------------- -------------- ------------- ------------- ------------------
1 FF12::3 FE80::201:C9FF:FE40:8001 te1 te2 te9 te1 te10 1
1 FF12::3 FE80::201:C9FF:FE40:8002 1
19 FF12::3 FE80::201:C9FF:FE40:8003 2
19 FF12::8 FE80::201:C9FF:FE40:8004 te2 te3 2
19 FF12::8 FE80::201:C9FF:FE40:8005 2
MLD Reporters that are forbidden statically:
VLAN Group Address Source Addr
console# show ipv6 mld snooping mrouter interface 1000
VLAN Static Dynamic Forbidden
1000 te1 te2 te3-23
Unregistered Multicast
Multicast frames are generally forwarded to all ports in the VLAN. If IGMP Snooping is enabled, the device learns about the existence of Multicast groups and tracks which ports have joined what Multicast group. Multicast groups can also be statically enabled.
Configuring Unregistered Multicast Using CLI Commands
The following table summarizes the CLI commands for configuring unregistered Multicast on the device:
Table 16-7. Unregistered Multicast CLI Commands
CLI Command | Description
bridge multicast unregistered {forwarding | filtering} | Configures the forwarding state of unregistered Multicast addresses on a port or LAG. Before using this command, enter the Interface Configuration mode as shown in the example.
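The membership learning, leave handling and unregistered-multicast policy from the IGMP Snooping and Unregistered Multicast sections can be simulated together. The following Python is an added example, not the guide's or Dell's code: it builds a per-VLAN group table from membership reports, handles a leave either immediately or only after a last-member query times out, and forwards frames for unknown groups only to ports whose unregistered-multicast state is forwarding (plus multicast router ports). The port names, group addresses and event sequence are constructed.

```python
"""IGMP snooping membership for one VLAN, immediate leave versus last-member query,
and the per-port unregistered-multicast policy. Added example; not the guide's or
Dell's code. Ports, groups and the event sequence are constructed."""
from typing import Dict, Iterable, Optional, Set, Tuple


class IgmpSnooper:
    def __init__(self, vlan_ports: Iterable[str], mrouter_ports: Iterable[str] = (),
                 immediate_leave: bool = False, unregistered: Optional[Dict[str, str]] = None):
        self.vlan_ports = set(vlan_ports)
        self.mrouter_ports = set(mrouter_ports)          # learned or static multicast router ports
        self.immediate_leave = immediate_leave
        # per-port state for unknown groups: "forwarding" (default) or "filtering"
        self.unregistered: Dict[str, str] = dict(unregistered or {})
        self.groups: Dict[str, Set[str]] = {}            # group address -> member ports
        self.pending: Set[Tuple[str, str]] = set()       # (group, port) awaiting a query answer

    def report(self, port: str, group: str) -> None:
        """Membership report from a host on `port`: add the port to the group."""
        self.groups.setdefault(group, set()).add(port)
        self.pending.discard((group, port))              # a report answers an outstanding query

    def leave(self, port: str, group: str) -> None:
        if port not in self.groups.get(group, set()):
            return
        if self.immediate_leave:
            self._remove(port, group)
        else:
            self.pending.add((group, port))              # device sends a group-specific query first

    def query_timeout(self, group: str, port: str) -> None:
        """No host answered the last-member query on `port`: prune it from the group."""
        if (group, port) in self.pending:
            self.pending.discard((group, port))
            self._remove(port, group)

    def _remove(self, port: str, group: str) -> None:
        self.groups[group].discard(port)
        if not self.groups[group]:
            del self.groups[group]

    def forward_ports(self, ingress_port: str, group: str) -> Set[str]:
        """Ports that receive a multicast frame for `group` arriving on `ingress_port`."""
        if group in self.groups:
            out = self.groups[group] | self.mrouter_ports
        else:   # unregistered group: only ports whose policy is forwarding, plus router ports
            out = {p for p in self.vlan_ports
                   if self.unregistered.get(p, "forwarding") == "forwarding"} | self.mrouter_ports
        return out - {ingress_port}


# Constructed VLAN: four ports, gi0/4 faces the multicast router, gi0/3 filters unknown groups.
PORTS = ["gi0/1", "gi0/2", "gi0/3", "gi0/4"]

if __name__ == "__main__":
    snoop = IgmpSnooper(PORTS, mrouter_ports={"gi0/4"}, unregistered={"gi0/3": "filtering"})
    snoop.report("gi0/1", "239.1.1.1")
    snoop.report("gi0/2", "239.1.1.1")
    print(snoop.forward_ports("gi0/4", "239.1.1.1"))   # only the two members
    print(snoop.forward_ports("gi0/4", "239.9.9.9"))   # unknown group: gi0/3 excluded
    snoop.leave("gi0/2", "239.1.1.1")                  # still forwarded until the query times out
    snoop.query_timeout("239.1.1.1", "gi0/2")
    print(snoop.forward_ports("gi0/4", "239.1.1.1"))   # gi0/1 only
```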
Multicast TV VLAN Overview The Multicast TV VLAN feature provides the ability to supply Multicast transmissions to Layer 2-isolated subscribers, without replicating the Multicast transmissions for all subscriber VLANs. The subscribers are the only receivers of the Multicast transmissions. • A Multicast TV VLAN can be defined for an Access port (a port that is in Access mode for VLAN membership). • All static VLANs are permitted to be a Multicast-TV VLAN. • The configuration is performed per port.
Displaying Multicast TV VLAN Membership Using CLI Commands
The following table summarizes the CLI command for displaying Multicast TV VLAN membership:
Table 16-8. Multicast TV VLAN Membership CLI Commands
CLI Command | Description
show vlan multicast-tv vlan vlan-id | Displays information on the source ports and receiver ports of the multicast-TV VLAN.
Mapping Multicast TV VLANs to IP Addresses Using CLI Commands
The following table summarizes the CLI command for mapping Multicast TV VLANs to Multicast IP addresses:
Table 16-9. Unregistered Multicast CLI Commands
CLI Command | Description
ip igmp snooping vlan vlan-id multicast-tv ip-multicast-address [count number] | Defines the Multicast IP addresses that are associated with a Multicast-TV VLAN.
LLDP 17 This section describes the Link Layer Discovery Protocol (LLDP). It contains the following topics: • Overview • LLDP Properties • LLDP Port Settings • MED Network Policy • MED Port Settings • Neighbors Information Overview The Link Layer Discovery Protocol (LLDP) enables network managers to troubleshoot and enhance network management by discovering and maintaining network topologies over multi-vendor environments.
The advertising device transmits multiple advertisement message sets in a single LAN packet. The multiple advertisement message sets are sent in the packet’s Type Length Value (TLV) field. LLDP devices must support chassis and port ID advertisements, as well as system name, system ID, system description, and system capability advertisements.
– Hold Multiplier (2-10) — Enter the hold time to be sent in the LLDP update packets, as a multiple of the timer value. – Reinitializing Delay (1-10) — Enter the minimum time, in seconds, that an LLDP port waits before reinitializing LLDP transmission. – Transmit Delay (1-8192) — Enter the amount of time that passes between successive LLDP frame transmissions due to changes in the LLDP local system's MIB. To use the default values for any field, select Use Default.
Table 17-1. LLDP Properties CLI Commands (continued) CLI Command Description lldp tx-delay seconds Specifies the delay between successive LLDP frame transmissions. no lldp tx-delay Use the no form of this command to restore the default configuration.
– Tx & Rx — Enables LLDP for both transmitting and receiving LLDP packets. – Disable — LLDP is disabled on the port. 4 Move the optional TLVs that the switch should advertise from the Available TLV list to the Optional TLV list. The TLVs advertise the following: – Port Description — Information about the port, including manufacturer, product name, and hardware/software version. – System Name — System's assigned name (in alpha-numeric format). This value equals the sysName object.
Configuring LLDP Port Settings Using CLI Commands The following commands are used to configure LLDP on ports. Table 17-2. LLDP Port Settings CLI Commands CLI Command Description lldp transmit Enables transmitting LLDP on an interface. no lldp transmit Use the no form of this command to stop transmitting LLDP on an interface. lldp receive Enables receiving LLDP on an interface. no lldp receive Use the no form of this command to stop receiving LLDP on an interface.
For network policies to be implemented, they must be created and then associated with ports. Before policies are defined, the administrator must create the VLANs, and configure memberships in the VLANs, based on the specification in the LLDP-MED network policies. To add a MED network policy: 1 Click Switching > LLDP > MED Network Policy in the tree view to display the MED Network Policy: Summary page. Previously-defined network policies are displayed.
The following is an example of the CLI commands: console(config)# lldp med network-policy 1 voicesignaling vlan 1 MED Port Settings To assign MED network policies to ports: 1 Click Switching > LLDP > MED Port Settings in the tree view to display the MED Port Settings: Summary page. 2 All ports are displayed along with the following fields: – LLDP MED Status — Specifies if LLDP-MED is enabled on the selected port. – Network Policy — Specifies whether a network policy is assigned to the port.
– Location ECS ELIN (10-25 Bytes in Hex) — Displays the device’s ECS ELIN location. 5 To view MED details for a port, click Detail and select a port. The following fields are displayed for the port: – Auto-Negotiation Status — Enabled specifies that auto-negotiation is enabled on the port; Disabled indicates that it is not. – Advertised Capabilities — The list of port capabilities advertised for the port. – MAU Type — The Media Attachment Unit type.
– Location Type — Displays the port’s LLDP location type: • Coordinates — Device’s location map coordinates. • Civic Address — Device’s civic or street address location, for example 414 23rd Ave E. • ECS ELIN — Device’s ECS ELIN location. – Location Address — Displays the port’s LLDP location, according to the Location Type. Configuring MED on Ports Using CLI Commands The following commands are used to set the fields in the MED Port Settings pages. Table 17-4.
The following is an example of the CLI commands:
console(config)# interface gi0/3
console(config-if)# lldp med location civic-address 6162636465
console# show lldp med configuration
Fast Start Repeat Count: 4.
The following fields are displayed for each port on the device that has a discovered neighbor: – Port — Port number for which neighboring information is displayed – Device ID — Neighboring device ID – System Name — Name of the neighboring system – Port ID — Neighboring port ID – Capabilities — Neighboring device capabilities 2 Click Clear Neighbors Table to delete all the entries or select Remove to delete a specific port entry.
Configuring LLDP Neighbors Using CLI Commands The following commands are used to configure LLDP neighbors. Table 17-5.
UDLD 18 NOTE: This feature is only supported on the R1-2210 device. This section describes the Unidirectional Link Detection (UDLD) feature. It covers the following topics: • Overview • UDLD Global Settings • UDLD Interface Settings • UDLD Neighbors Overview Unidirectional Link Detection (UDLD) is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to detect unidirectional links.
• Bidirectional—Traffic sent by a local device is known to be received by its neighbor, and traffic from the neighbor is received by the local device. • Shutdown—The link is unidirectional. Traffic sent by a local device is received by its neighbor, but traffic from the neighbor is not received by the local device. • Undetermined—The system cannot determine the state of the port, because one of the following is occurring: – The neighbor does not support UDLD.
• UDLD receives UDLD messages from neighboring devices. It caches these messages until the expiration time (3 times the message time) has passed. If a new message is received before the expiration time, the information in that message replaces the previous one. • When the expiration time expires, the device does the following with the information received: – If the neighbor message contains the local device ID—The link status of the port is set to bidirectional.
Inconsistent UDLD Mode in Local and Neighboring Device It is possible for the local device and its neighbor to be set to different UDLD modes (normal, aggressive). The UDLD mode is not contained in the UDLD messages, so the local device does not know the UDLD mode of the neighbor and vice versa. If the UDLD modes are different on the local and neighbor devices, the devices act as follows: • When the UDLD state of the link is bidirectional or unidirectional, both devices shut down their ports.
• Set the message time according to how urgent it is to shut down ports with a unidirectional link. The lower the message time, the more UDLD packets are sent and analyzed, but the sooner the port is shut down if the link is unidirectional. • If you want UDLD to be enabled on a copper port, you must enable it per port. When you globally enable UDLD, it is only enabled on fiber ports.
Common UDLD Tasks This section describes some common tasks to set up UDLD. Workflow 1: To globally enable UDLD on fiber ports, perform the following steps: • Open the Switching > UDLD > UDLD Global Settings page. – Enter the Message Time. – Select either Disabled, Normal or Aggressive as the global UDLD status.
– Fiber Port UDLD Default State—This field is only relevant for fiber ports. The UDLD state of copper ports must be set individually in the UDLD Interface Settings page. The possible states are: • Disabled—UDLD is disabled on all ports of the device. • Normal—Device shuts down an interface if the link is unidirectional. If the link is undetermined, a notification is issued. • Aggressive—Device shuts down an interface if the link is unidirectional or undetermined.
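The neighbor-cache and port-state rules above (expiry after 3 × message time, bidirectional when the neighbor echoes the local device ID, and the Normal/Aggressive handling of undetermined links) as an added Python illustration; this is not Dell switch code, and the device IDs, message layout and times are constructed for the example.

```python
# Added illustration of the UDLD neighbor cache and port-state rules from the
# section above; not Dell switch code. Device IDs, message times and the
# message layout are constructed for the example.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UdldMessage:
    sender_id: str          # neighbor device ID carried in the message
    heard_ids: List[str]    # device IDs the neighbor reports having heard on this link
    received_at: float      # local receive time, in seconds


@dataclass
class UdldPort:
    local_id: str
    media: str                          # "fiber" or "copper"
    mode: str = "disabled"              # "disabled", "normal" or "aggressive"
    message_time: int = 15              # seconds between UDLD messages (page default 15)
    state: str = "Detection"
    shut_down: bool = False
    neighbor: Optional[UdldMessage] = None
    notifications: List[str] = field(default_factory=list)

    @property
    def expiration_time(self) -> int:
        # Cached neighbor information expires after 3 x message time.
        return 3 * self.message_time

    def apply_global_default(self, global_mode: str) -> None:
        """'udld normal|aggressive' only changes fiber ports; copper ports keep their per-port setting."""
        if self.media == "fiber":
            self.mode = global_mode

    def receive(self, msg: UdldMessage) -> None:
        """Cache a neighbor message; a newer one replaces the previous one."""
        if self.mode != "disabled":
            self.neighbor = msg

    def on_expiry(self, now: float) -> str:
        """Evaluate the cached information when the expiration timer fires; return the new port state."""
        if self.mode == "disabled":
            return self.state
        msg = self.neighbor
        fresh = msg is not None and now - msg.received_at <= self.expiration_time
        if not fresh:
            # No usable neighbor message, e.g. the neighbor does not support UDLD.
            self.neighbor = None
            link = "undetermined"
        elif self.local_id in msg.heard_ids:
            # The neighbor echoes our device ID, so traffic flows both ways.
            link = "bidirectional"
        else:
            # We hear the neighbor, but it does not hear us.
            link = "unidirectional"

        if link == "bidirectional":
            self.state = "Bidirectional"
        elif link == "unidirectional":
            # Both modes shut the port down on a unidirectional link.
            self._shutdown("unidirectional link")
        elif self.mode == "aggressive":
            # Aggressive mode also shuts down an undetermined link.
            self._shutdown("undetermined link")
        else:
            # Normal mode only issues a notification for an undetermined link.
            self.state = "Undetermined"
            self.notifications.append(f"{self.local_id}: UDLD link state undetermined")
        return self.state

    def _shutdown(self, reason: str) -> None:
        self.state = "Shutdown"
        self.shut_down = True
        self.notifications.append(f"{self.local_id}: port shut down ({reason})")
```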
The following is an example of the CLI commands:
console(config)# udld normal
console(config)# udld message time 40
console(config)# exit
console# show udld
Global UDLD mode: normal
Message Time: 15 sec(default)
Interface te0/1
Port UDLD mode: aggressive
Port Current state: Bidirectional
Number of detected neighbors: 1
Port Neighbor Table
Neighbor Device ID: 1234567893
Neighbor MAC: 00:00:01:22:33:dd
Neighbor Device name: switch A
Neighbor Port ID: te0/1
Neighbor Message Time: 20 sec
Neighbor Curren
UDLD Interface Settings Use the UDLD Interface Settings page to change the UDLD state for a specific port. Here the state can be set for copper or fiber ports. To copy a particular set of values to more than one port, set that value for one port and use the Copy button to copy it to the other ports. To configure UDLD for an interface: 1 Click Switching > UDLD > UDLD Interface Settings.
– Shutdown—The port has been shut down because its link with the connected device is unidirectional or undetermined in aggressive mode. – Number of Neighbors—Number of connected devices detected. 2 To modify the UDLD state for a specific port, select the Edit tab and select the port. 3 Modify the value of the UDLD state. If you select Default, the port receives the value of the Fiber Port UDLD Default State in the Global UDLD Settings page.
• Device MAC—MAC address of the remote device. • Device Name—Name of the remote device. • Port ID—Name of the remote port. – State—State of the link between the local and neighboring device on the local port. The following values are possible: • Detection—The latest UDLD state of the port is in the process of being determined. The expiration time has not yet expired since the last determination (if there was one), or since UDLD began running on the port, so the state is not yet determined.
The following is an example of the CLI commands:
console# show udld
Global UDLD mode: normal
Message Time: 15 sec(default)
Interface te0/1
Port UDLD mode: aggressive
Port Current state: Bidirectional
Number of detected neighbors: 1
Port Neighbor Table
Neighbor Device ID: 1234567893
Neighbor MAC: 00:00:01:22:33:dd
Neighbor Device name: switch A
Neighbor Port ID: te0/2
Neighbor Message Time: 20 sec
Neighbor Current State: Bidirectional
Neighbor Expiration Time: 7 sec
Interface te0/2
Port UDLD mode: normal (de
Dynamic ARP Inspection 19 This section describes dynamic ARP inspection. It contains the following topics: • Overview • Global Settings • Dynamic ARP Inspection List • Dynamic ARP Inspection Entries • VLAN Settings • Trusted Interfaces Overview ARP Inspection eliminates man-in-the-middle attacks, where false ARP packets are inserted into the subnet.
The following additional validation checks may be configured by the user: • Source MAC — Compares the packet’s source MAC address in the Ethernet header against the sender’s MAC address in the ARP request. This check is performed on both ARP requests and responses. • Destination MAC — Compares the packet’s destination MAC address in the Ethernet header against the destination interface’s MAC address. This check is performed for ARP responses.
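The binding-list check and the two optional validation checks above (Source MAC on requests and responses, Destination MAC on responses only) as an added Python illustration; this is not Dell switch code. The frames, the IP/MAC list and the trusted-interface behaviour (assumed here: trusted ingress is not inspected) are constructed for the example.

```python
# Added illustration of the Dynamic ARP Inspection checks described above;
# not Dell switch code. Frames, the IP/MAC binding list and the trusted-port
# behaviour (assumed: trusted ingress skips inspection) are constructed.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a raw Ethernet II + ARP (IPv4 over Ethernet) frame: sample input for the checks."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Extract the Ethernet header fields and the ARP body fields used by inspection."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    return {
        "eth_dst": _fmt_mac(frame[0:6]),
        "eth_src": _fmt_mac(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": _fmt_mac(frame[22:28]),
        "sender_ip": ".".join(map(str, frame[28:32])),
        "target_mac": _fmt_mac(frame[32:38]),
        "target_ip": ".".join(map(str, frame[38:42])),
    }


def inspect_arp(frame: bytes, ingress_trusted: bool, bindings: dict,
                validate_src_mac: bool = True, validate_dst_mac: bool = True):
    """Decide whether the switch forwards or drops an ARP packet; returns (action, reason).

    bindings maps IP address -> MAC address, like the static list built with
    'ip arp inspection list create' and assigned to the VLAN.
    """
    if ingress_trusted:
        # Assumption: packets arriving on trusted interfaces are not inspected.
        return "forward", "trusted interface"
    p = parse_arp_frame(frame)
    if p["op"] not in (ARP_REQUEST, ARP_REPLY):
        return "drop", f"unknown ARP opcode {p['op']}"
    expected = bindings.get(p["sender_ip"])
    if expected is None or expected.lower() != p["sender_mac"]:
        # Base check: the sender IP/MAC pair must match the ARP inspection list.
        return "drop", f"sender {p['sender_ip']} / {p['sender_mac']} not in ARP inspection list"
    if validate_src_mac and p["eth_src"] != p["sender_mac"]:
        # 'Source MAC' check, applied to both requests and responses.
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    if validate_dst_mac and p["op"] == ARP_REPLY and p["eth_dst"] != p["target_mac"]:
        # 'Destination MAC' check, applied to responses only: the Ethernet
        # destination must be the MAC of the interface the reply is addressed to.
        return "drop", "Ethernet destination MAC differs from ARP target MAC"
    return "forward", "passed ARP inspection"
```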
Table 19-1. ARP Inspection Global Settings CLI Commands (continued)
CLI Command — Description
ip arp inspection validate — Performs specific checks for dynamic ARP inspection.
no ip arp inspection validate — Use the no form of this command to restore the default configuration.
ip arp inspection logging interval {seconds | infinite} — Sets the minimum time interval between successive ARP SYSLOG messages.
no ip arp inspection logging — Use the no form of this command to restore the default configuration.
Creating a Dynamic ARP Inspection List Using CLI Commands The following table summarizes the CLI commands for configuring the fields in the Dynamic ARP Inspection List pages. Table 19-2. Dynamic ARP Inspection List CLI Commands CLI Command Description ip arp inspection list create name Creates a static ARP binding list and enters the ARP list configuration mode. no ip arp inspection list create name Use the no form of this command to delete the list.
Adding Entries to a Dynamic ARP Inspection List Using CLI Commands
The following table summarizes the CLI commands for configuring the fields in the Dynamic ARP Inspection Entries pages.
Table 19-3. Dynamic ARP Inspection List Entries CLI Commands
CLI Command — Description
ip ip-address mac mac-address — Creates a static ARP binding.
no ip ip-address mac mac-address — Use the no form of this command to delete a static ARP binding.
show ip arp inspection list — Displays the static ARP binding list.
VLAN Settings To assign a list of IP/MAC address pairs, defined in the Dynamic ARP Inspection List pages, to a VLAN: 1 Click Switching > Dynamic ARP Inspection > VLAN Settings in the tree view to display the VLAN Settings: Summary page. The VLANs and their associated lists of IP/MAC address pairs are displayed. 2 To designate a VLAN to be associated with an ARP inspection list, click Add VLAN and enter the VLAN ID. 3 Click Assign and select the List Name to be associated with the VLAN.
Trusted Interfaces Interfaces are untrusted if the packet is received from an interface outside the network or from an interface beyond the network firewall. Trusted interfaces receive packets only from within the network or the network firewall. To configure an interface to be trusted: 1 Click Switching > Dynamic ARP Inspection > Trusted Interfaces in the tree view to display the Trusted Interfaces: Summary page. The ports and their trusted status are displayed.
DHCP 20 This section describes DHCP snooping. It contains the following topics: • DHCP Snooping • DHCP Relay DHCP Snooping This section describes DHCP Snooping.
Overview DHCP snooping expands network security by providing a layer of security between untrusted interfaces and DHCP servers. By enabling DHCP snooping, network administrators can differentiate between trusted interfaces connected to end-users or DHCP Servers, and untrusted interfaces located beyond the network firewall. DHCP snooping filters untrusted messages, and stores these messages in a database.
Table 20-1. DHCP Packet Handling when DHCP Snooping is Enabled (continued)
Packet Type — Arriving from Untrusted Ingress Interface — Arriving from Trusted Ingress Interface
DHCPDECLINE — Check if there is information in the database. If the information exists and does not match the interface on which the message was received, the packet is filtered. Otherwise the packet is forwarded to trusted interfaces only, and the entry is removed from the database. — Forward to trusted interfaces only.
Global Parameters Use the Global Parameters page to: • Enable/disable DHCP snooping globally. • Determine whether to forward or filter DHCP packets received from untrusted interfaces, whose source MAC address and the DHCP client MAC address do not match. • Determine whether to forward or filter DHCP packets, received from untrusted interfaces, with option-82 information. • Set Binding database update interval.
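The DHCPDECLINE row of Table 20-1 and the global parameters above (MAC verification, option-82 from untrusted interfaces) as an added Python illustration; this is not Dell switch code. Interface names, MAC addresses and binding entries are constructed, and the handling of message types whose table rows are not on this page is an assumption marked in the code.

```python
# Added illustration of the DHCP snooping decisions described above (global
# parameters and the DHCPDECLINE row of Table 20-1); not Dell switch code.
# Interface names, MAC addresses and binding entries are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class SnoopingConfig:
    enabled: bool = True                      # ip dhcp snooping
    verify_mac: bool = True                   # ip dhcp snooping verify
    option82_allowed_untrusted: bool = False  # ip dhcp snooping information option allowed-untrusted


@dataclass
class Binding:
    mac: str
    vlan: int
    ip: str
    interface: str


@dataclass
class DhcpPacket:
    msg_type: str          # "DHCPDISCOVER", "DHCPREQUEST", "DHCPDECLINE", ...
    eth_src: str           # source MAC in the Ethernet header
    chaddr: str            # client hardware address in the DHCP payload
    option82: bool         # relay agent information option present
    ingress: str           # ingress interface, e.g. "gi0/1"
    ingress_trusted: bool  # ip dhcp snooping trust on the ingress interface


def handle_dhcp(pkt: DhcpPacket, cfg: SnoopingConfig,
                database: Dict[str, Binding]) -> Tuple[str, str]:
    """Return (action, reason). database is the binding database keyed by client MAC."""
    if not cfg.enabled:
        return "forward", "DHCP snooping disabled"
    if pkt.ingress_trusted:
        if pkt.msg_type == "DHCPDECLINE":
            return "forward-trusted", "trusted ingress: forwarded to trusted interfaces only"
        # Assumption: the other rows of Table 20-1 are not on this page;
        # traffic from trusted interfaces is not filtered here.
        return "forward", "trusted ingress"
    # Untrusted ingress: the global checks apply to every message type.
    if cfg.verify_mac and pkt.eth_src.lower() != pkt.chaddr.lower():
        return "filter", "source MAC differs from DHCP client MAC"
    if pkt.option82 and not cfg.option82_allowed_untrusted:
        return "filter", "option-82 from untrusted interface"
    if pkt.msg_type == "DHCPDECLINE":
        entry = database.get(pkt.chaddr.lower())
        if entry is not None and entry.interface != pkt.ingress:
            return "filter", f"binding for {pkt.chaddr} belongs to {entry.interface}"
        if entry is not None:
            del database[pkt.chaddr.lower()]   # the entry is removed from the database
        return "forward-trusted", "DHCPDECLINE forwarded to trusted interfaces only"
    # Assumption: remaining client messages from untrusted ports go to trusted interfaces only.
    return "forward-trusted", "untrusted ingress: forwarded to trusted interfaces only"
```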
Configuring DHCP Snooping Global Parameters Using CLI Commands
The following table summarizes the CLI commands for configuring DHCP snooping global parameters.
Table 20-2. DHCP Snooping Global Parameters CLI Commands
CLI Command — Description
ip dhcp snooping — Globally enables DHCP snooping.
no ip dhcp snooping — Use the no form of this command to return to the default setting.
ip dhcp snooping information option allowed-untrusted — Allows a device to accept DHCP packets with option-82 information from an untrusted port.
no ip dhcp snooping information
The following is an example of some of the CLI commands:
console(config)# ip dhcp snooping
console(config)# ip dhcp snooping information option allowed-untrusted
console(config)# ip dhcp snooping verify
console(config)# ip dhcp snooping database
console(config)# ip dhcp snooping database frequency 1200
console# show ip dhcp snooping
DHCP snooping is enabled
DHCP snooping database: enabled
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled
DHCP snooping file update frequency is co
2 Click Add to move the VLANs, for which you want to enable DHCP snooping, from the VLAN ID list to the Enabled VLANs list. To remove a VLAN, click Remove to move it from the Enabled VLANs list to the VLAN ID list. Configuring DHCP Snooping on VLANs Using CLI Commands The following table summarizes the CLI commands for configuring DHCP snooping on VLANs. Table 20-3. DHCP Snooping on VLANs CLI Commands CLI Command Description ip dhcp snooping vlan vlan-id Enables DHCP snooping on a VLAN.
Configuring DHCP Snooping Trusted Interfaces Using CLI Commands
The following table summarizes the CLI commands for configuring DHCP snooping trusted interfaces.
Table 20-4. DHCP Snooping Trusted Interfaces CLI Commands
CLI Command — Description
ip dhcp snooping trust — Configures an interface as trusted for DHCP snooping purposes.
no ip dhcp snooping trust — Use the no form of this command to return to the default setting.
– Type — Select the entry type. The possible options are: • Static —IP address was statically configured. • Dynamic —IP address was dynamically configured. – MAC Address — Enter the MAC address to be recorded in the entry. – VLAN ID — Select the VLAN ID to which the IP address is associated in the entry. – IP Address — Enter the IP address to be recorded in the entry. – Interface — Select the type and port or LAG to be recorded in the entry.
Table 20-5. DHCP Snooping Binding Database CLI Commands (continued)
CLI Command — Description
clear ip dhcp snooping database — Clears the DHCP binding database.
show ip dhcp snooping binding [mac-address mac-address] [ip-address ip-address] [vlan vlan-id] [interface-id] — Displays the DHCP snooping binding database and configuration information for all interfaces or some interfaces on a switch.
Overview The device can act as a DHCP Relay agent that listens for DHCP messages, and relays them between DHCP servers and clients, which reside in different VLANs or IP subnets. This functionality is intended to be used when the client ingress VLAN is different than the VLAN on which DHCP servers are connected. The switch can relay DHCP messages received from its IPv4 interfaces to one or more configured DHCP servers. It uses the switch’s IPv4 address of the interface where the message is received.
To enable Option 82 insertion: 1 Click Switching > DHCP Relay > Option 82 in the tree view to display the Option 82 page. 2 Enable/disable Option 82 insertion. Configuring Option 82 Using CLI Commands The following table summarizes the CLI commands for defining fields displayed in the Option 82 page. Table 20-6. CLI Option 82 Commands CLI Command Description ip dhcp information option Enables DHCP option-82 data insertion.
Table 20-7. Global Parameters CLI Commands
CLI Command — Description
ip dhcp relay enable — Enables DHCP relay features on the device.
no ip dhcp relay enable — Use the no form of this command to disable the DHCP relay agent.
ip dhcp relay address ip-address — Defines the DHCP servers available for the DHCP relay.
no ip dhcp relay address [ip-address] — Use the no form of this command to remove servers from the list.
show ip dhcp relay — Displays the server addresses on the DHCP relay.
To enable DHCP relay on a port, LAG, or VLAN: 1 Click Switching > DHCP Relay > Interface Settings in the tree view to display the Interface Settings: Summary page. The currently-defined DHCP interfaces are displayed. 2 To enable DHCP relay on an interface, click Add. 3 Select the interface. Defining Interface Settings Using CLI Commands The following table summarizes the CLI commands for defining fields displayed in the Interface Settings pages.
The following is an example of the CLI commands that enable DHCP Relay on VLAN 2, assign it an IP address and show the DHCP Relay status:
console(config)# interface vlan 2
console(config-if)# ip dhcp relay enable
console(config)# ip dhcp relay address 176.16.1.1
console> show ip dhcp relay
DHCP relay is Enabled
Option 82 is Disabled
Maximum number of supported VLANs without IP Address is 0
DHCP relay is not configured on any port.
DHCP relay is not configured on any vlan.
Statistics/RMON 21 This section describes many of the statistics available on the device. The only exception is the QoS statistics described in QoS Statistics. It contains the following topics: • Table Views • RMON • Charts Table Views This section displays statistics in table form.
2 To clear the counters, select either a port or LAG. The counters on all ports/LAGs are cleared. 3 Mark the counters to be cleared and click Clear Counters. 4 To clear all counters, click Clear All Counters. Viewing Denied ACE Counters Statistics Using the CLI Commands The following table contains the CLI commands for viewing denied ACE counters statistics. Table 21-1. Denied ACE Counters CLI Commands CLI Command Description show interfaces access-lists Displays Access List counters.
The following fields are displayed: – Port/LAG — The port/LAG number. – Interface Status — The status of the interface: Up, Down or Not Present when no port is attached to the LAG. – % Interface Utilization — Network interface utilization percentage, based on the duplex mode of the interface. The range of this reading is from 0 to 200%.
– Transmitted Unicast Packets — Number of transmitted Unicast packets from the interface. – Received Non Unicast Packets — Number of received non-Unicast packets on the interface. – Transmitted Non Unicast Packets — Number of transmitted non-Unicast packets from the interface. – Received Errors — Number of received packets with errors on the interface. 3 Select one of the Refresh Rate options to specify how frequently the counters should be refreshed.
– Total Bytes (Octets) — Number of octets transmitted from the selected interface. – Unicast Packets — Number of Unicast packets transmitted from the selected interface. – Multicast Packets — Number of Multicast packets transmitted from the selected interface. – Broadcast Packets — Number of Broadcast packets transmitted from the selected interface. 4 Click Reset All Counters to clear these counters.
3 Select one of the Refresh Rate options to clear the statistics for the selected interface. Viewing Interface Statistics Using the CLI Commands The following table contains the CLI commands for viewing utilization, counters and interface statistics. Table 21-2. Interface Statistics CLI Commands CLI Command Description show interfaces counters [interface-id|detailed] Displays traffic seen by the physical interface.
The following is an example of the CLI command for a single port:
console# show interfaces counters gi0/1
Port     InUcastPkts   InMcastPkts  InBcastPkts  InOctets
-------- ------------- ------------ ------------ ------------
gi0/1    0             0            0            0
Port     OutUcastPkts  OutMcastPkts OutBcastPkts OutOctets
-------- ------------- ------------ ------------ ------------
gi0/1    0             0            0            0
Alignment Errors: 0
FCS Errors: 0
Single Collision Frames: 0
Multiple Collision Frames: 0
SQE Test Errors: 0
Deferred Transmissions: 0
Lat
– Leave All — The number of GVRP Leave All packets. GVRP Error Statistics – Invalid Protocol ID — The number of GVRP Invalid Protocol ID errors. – Invalid Attribute Type — The number of GVRP Invalid Attribute ID errors. – Invalid Attribute Value — The number of GVRP Invalid Attribute Value errors. – Invalid Attribute Length — The number of GVRP Invalid Attribute Length errors. – Invalid Event — The number of GVRP Invalid Events errors.
The following is an example of the CLI commands:
console# show gvrp statistics
GVRP Statistics:
----------------
Legend:
rJE : Join Empty Received      sJE : Join Empty Sent
rJIn: Join In Received         sJIn: Join In Sent
rEmp: Empty Received           sEmp: Empty Sent
rLIn: Leave In Received        sLIn: Leave In Sent
rLE : Leave Empty Received     sLE : Leave Empty Sent
rLA : Leave All Received       sLA : Leave All Sent
Port   rJE  rJIn  rEmp  rLIn  rLE  rLA  sJE  sJIn  sEmp  sLIn  sLE  sLA
-----  ---  ----  ----  ----  ---  ---  ---  ----  ----  ----  ---  ---
gi0/1  0    0     1     2     1
– Request ID Frames Transmit — The number of EAP Req/ID frames transmitted via the port. – Request Frames Transmit — The number of EAP Request frames transmitted via the port. – Invalid Frames Receive — The number of unrecognized EAPOL frames received on this port. – Length Error Frames Receive — The number of EAPOL frames with an invalid Packet Body Length received on this port. – Last Frame Version — The protocol version number attached to the most recently received EAPOL frame.
The following is an example of the CLI commands:
console# show dot1x statistics interface gi0/1
EapolFramesRx: 11
EapolFramesTx: 12
EapolStartFramesRx: 1
EapolLogoffFramesRx: 1
EapolRespIdFramesRx: 3
EapolRespFramesRx: 6
EapolReqIdFramesTx: 3
EapolReqFramesTx: 6
InvalidEapolFramesRx: 0
EapLengthErrorFramesRx: 0
LastEapolFrameVersion: 1
LastEapolFrameSource: 0008.3b79.
Statistics To display device utilization statistics and errors that occurred on the device: 1 Click Statistics/RMON > RMON > Statistics in the tree view to display the Statistics page. 2 Select a port/LAG. The following fields are displayed: – Received Bytes (Octets) — Number of bytes received on the selected interface. – Received Packets — Number of packets received on the selected interface.
– Jabbers — Number of packets received, longer than 1518 octets (excluding framing bits, but including FCS octets), and having either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error), or a bad FCS with a non-integral number of octets (Alignment Error). – Collisions — Number of collisions received on the interface, since the device was last refreshed. – Frames of 64 Bytes — Number of 64-byte frames received on the interface, since the device was last refreshed.
The following is an example of the CLI commands:
console# show rmon statistics gi0/1
Port te1/0/1
Dropped: 0
Octets: 0
Packets: 0
Broadcast: 0
Multicast: 0
CRC Align Errors: 0
Collisions: 0
Undersize Pkts: 0
Oversize Pkts: 0
Fragments: 0
Jabbers: 0
64 Octets: 0
65 to 127 Octets: 1
128 to 255 Octets: 1
256 to 511 Octets: 1
512 to 1023 Octets: 0
1024 to max Octets: 0
History Control
To display the requested RMON history group statistics or request a new sample of interface statistics: 1 Click Statistics/RMON
Configuring RMON History Control Using the CLI Commands
The following table contains the CLI commands for configuring RMON history control.
Table 21-6. RMON History Control CLI Commands
CLI Command — Description
rmon collection stats index [owner ownername] [buckets bucket-number] [interval seconds] — Enables and configures RMON on an interface.
no rmon collection stats index — Use the no form of this command to remove a specified RMON history group of statistics.
– Drop Events — Number of dropped packets due to lack of network resources during the sampling interval. This may not represent the exact number of dropped packets, but rather the number of times dropped packets were detected. – Received Bytes (Octets) — Number of data octets, including bad packets, received on the network. – Received Packets — Number of packets received during the sampling interval. – Broadcast Packets — Number of good Broadcast packets received during the sampling interval.
Viewing the RMON History Table Using the CLI Commands The following table contains the CLI commands for viewing the RMON history table. Table 21-7. RMON History Table CLI Commands CLI Command Description show rmon history index Displays RMON Ethernet statistics history.
Events Control Events are actions that are performed when an alarm is generated (alarms are defined in the Alarms page). An event can be any combination of logs/traps. If the action includes logging, then the events are logged in the Events Log page. To define an RMON event: 1 Click Statistics/RMON > RMON > Events Control in the tree view to display the Events Control: Summary page. The currently-defined events are displayed.
Defining RMON Events Using the CLI Commands
The following table contains the CLI commands for defining RMON events.
Table 21-8. RMON Event Definition CLI Commands
CLI Command — Description
rmon event index {none|log|trap|log-trap} [community text] [description text] [owner name] — Configures an event.
no rmon event index — Use the no form of this command to remove an event.
show rmon events — Displays the RMON event table.
Events Log The Events log displays the log of events that occurred. An event is logged when the type of the event is Log or Log and Trap. The action in the event is performed when the event is bound to an alarm (see the Alarms page) and the conditions of the alarm have occurred. To display the events log: • Click Statistics/RMON > RMON > Events Log in the tree view to display the Events Control page. The following fields are displayed: – Event — The event identifier. – Log No. — The log number.
Alarms RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on a counter or any other SNMP object counter maintained by the agent. Both the rising and falling thresholds must be configured in the alarm. After a rising threshold is crossed, another rising event is not generated until the companion falling threshold is crossed. After a falling alarm is issued, the next alarm is issued when a rising threshold is crossed.
– Startup Alarm — Select the trigger that activates the alarm. The possible options are: • Rising Alarm — A rising counter value triggers the alarm • Falling Alarm — A falling counter value triggers the alarm. • Rising and Falling — Both rising and falling counter values trigger the alarm. – Interval (1–2147483647) — Enter the alarm interval time in seconds. This is the interval in seconds over which the data is sampled and compared with the rising and falling thresholds.
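The rising/falling threshold rules described above (a rising event re-arms only after the falling threshold is crossed, and the Startup Alarm decides which event the first sample may raise) as an added Python illustration; this is not Dell switch code. It follows the RFC 2819 alarm semantics the page describes, and the thresholds and counter samples are constructed.

```python
# Added illustration of the RMON alarm rising/falling threshold rules above
# (RFC 2819 alarm semantics); not Dell switch code. The thresholds and the
# sampled counter values are constructed.
from typing import Optional


class RmonAlarm:
    """Evaluates one sampled SNMP counter against a rising and a falling threshold."""

    def __init__(self, rising: int, falling: int, startup: str = "rising-falling",
                 sample_type: str = "absolute"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if startup not in ("rising", "falling", "rising-falling"):
            raise ValueError("startup must be rising, falling or rising-falling")
        self.rising, self.falling = rising, falling
        self.startup = startup               # the Startup Alarm field
        self.sample_type = sample_type       # "absolute" or "delta"
        self.prev_raw: Optional[int] = None
        self.prev_value: Optional[int] = None
        self.rising_armed = True             # re-armed when the falling threshold is crossed
        self.falling_armed = True            # re-armed when the rising threshold is crossed

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None (no event)."""
        if self.sample_type == "delta":
            if self.prev_raw is None:        # a delta needs two raw readings
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw

        event = None
        if self.prev_value is None:
            # First sample: only the configured Startup Alarm may fire.
            if value >= self.rising and self.startup in ("rising", "rising-falling"):
                event = "rising"
            elif value <= self.falling and self.startup in ("falling", "rising-falling"):
                event = "falling"
        elif value >= self.rising and self.prev_value < self.rising and self.rising_armed:
            event = "rising"
        elif value <= self.falling and self.prev_value > self.falling and self.falling_armed:
            event = "falling"

        if event == "rising":
            # No further rising event until the companion falling threshold is crossed.
            self.rising_armed, self.falling_armed = False, True
        elif event == "falling":
            # No further falling event until the rising threshold is crossed again.
            self.falling_armed, self.rising_armed = False, True
        self.prev_value = value
        return event
```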
The following is an example of the CLI commands:
console(config)# rmon alarm 1000 1.3.6.1.2.1.2.2.1.10.1 360000 1000000 1000000 10 20
console# show rmon alarm-table
Index  OID                     Owner
-----  ----------------------  -------
1      1.3.6.1.2.1.2.2.1.10.1  CLI
2      1.3.6.1.2.1.2.2.1.10.1  Manager
3      1.3.6.1.2.1.2.2.1.10.9  CLI
Charts
This section describes how to display statistics as charts.
Ports To display port statistics in chart format: 1 Click Statistics/RMON > Charts > Ports in the tree view to display the Ports page. 2 Check the type of statistics to be displayed: – Interface Statistics — Select the interface statistics to display. – Etherlike Statistics — Select the frame error statistics to display. – RMON Statistics — Select the RMON statistics to display. – GVRP Statistics — Select the GVRP statistics type to display.
Viewing LAG Statistics Using the CLI Commands
The following table contains the CLI commands for viewing LAG statistics.
Table 21-11. LAG Statistic CLI Commands
CLI Command — Description
show interfaces counters [LAG-number | detailed] — Displays traffic seen by the physical interface.
show rmon statistics {interface-id} — Displays RMON Ethernet statistics.
show gvrp statistics [interface-id] — Displays GVRP statistics.
show gvrp-error statistics [interface-id] — Displays GVRP error statistics.
CPU Utilization Use the CPU Utilization page to display the system’s CPU utilization and percentage of CPU resources consumed by the device. To display CPU utilization in chart format: 1 Click Statistics/RMON > Charts > CPU Utilization in the tree view to display the CPU Utilization page. 2 Select the Refresh Rate to specify how frequently the statistics should be refreshed. The CPU utilization chart is displayed.
Quality of Service 22 This section provides information for configuring Quality of Service (QoS). It contains the following topics: • Overview • General • QoS Basic Mode • QoS Advanced Mode • QoS Statistics Overview The QoS feature is used to optimize network performance.
QoS Modes A single QoS mode is selected and applies to all interfaces in the system. The modes are: • Basic Mode — Class of Service (CoS). – Traffic is divided into classes that determine how it is treated. All traffic in a class is treated with the same QoS action. The QoS action for the class of traffic determines the egress queue on the egress port, based on the indicated QoS value in the incoming frame. The QoS value in the incoming frame is: • Layer 2 Packets — VLAN Priority Tag (VPT) 802.
Only a single mode can be active at a time. When the system is configured to work in QoS Advanced mode, settings for QoS Basic mode are not active and vice versa. When the QoS mode is changed, the following occurs:
• When changing from Advanced mode to any other mode, policy profile definitions and class maps are deleted. ACLs, which are bound directly to interfaces, remain bound.
• When changing from Basic mode to Advanced mode, the QoS Trust mode configuration in Basic mode is not retained.
Setting QoS Mode Using CLI Commands
The following table summarizes the CLI commands for setting the QoS mode.
Table 22-1. QoS Mode CLI Commands
qos [basic|advanced]
    Enables QoS on the device.
no qos
    Use the no form of this command to disable QoS on the device.
show qos
    Displays the QoS mode.
The following is an example of the CLI command:
console(config)# interface gi0/8
console(config-if)# qos cos 3
Queue
The switch supports four queues per interface on the R1-2401 device and eight queues per interface on the R1-2210 device. Queue four (R1-2401) and queue eight (R1-2210) are the highest priority queues on their respective devices. Queue one is the lowest priority queue.
• In the above case, traffic for the strict priority queues is always sent before traffic from the WRR queues. Traffic from the WRR queues is forwarded only after the strict priority queues have been emptied. The relative portion from each WRR queue depends on its weight.
To select the priority method and enter WRR weights:
1 Click Quality of Service > General > Queue in the tree view to display the Queue page. The queues are displayed.
The following is an example of the CLI commands:
console(config)# priority-queue out num-of-queues 2
console(config-if)# wrr-queue bandwidth 6 6 6 6 6 6
CoS to Queue
The CoS to Queue page maps CoS priorities to an egress queue, meaning that the egress queue of an incoming packet is selected by the CoS priority in its VLAN tag. For incoming untagged packets, the CoS priority is the default CoS priority assigned to the ingress port.
Mapping CoS Priorities to Queues Using CLI Commands
The following table summarizes the CLI commands for configuring fields in the CoS to Queue page.
Table 22-4. CoS to Queue CLI Commands
wrr-queue cos-map queue-id cos0 ... cos7
    Maps CoS values to the egress queues.
no wrr-queue cos-map [queue-id]
    Use the no form of this command to restore the default configuration.
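The following Python model, added here as an illustration and not code from the switch firmware or this guide, ties the Queue and CoS to Queue pages together: it parses wrr-queue cos-map lines into a CoS-to-queue table, treats the top N queues as strict priority (priority-queue out num-of-queues N) and serves the rest by WRR weights (wrr-queue bandwidth). The interpretation of a WRR weight as "packets sent per round" and the constructed frames are assumptions of the example.

```python
"""Model of egress queue selection and scheduling on the R1-2210 (eight queues).
Added illustration; not the switch implementation. Assumes a WRR weight means
the number of packets a queue may send per scheduling round."""
from collections import defaultdict, deque

NUM_QUEUES = 8          # R1-2210 has eight queues per interface; R1-2401 has four
LOWEST, HIGHEST = 1, NUM_QUEUES


def build_cos_map(cos_map_lines):
    """Turn 'wrr-queue cos-map <queue-id> <cos> ...' lines into {cos: queue}.
    CoS values not listed fall back to queue 1 (a constructed default)."""
    mapping = {cos: LOWEST for cos in range(8)}
    for line in cos_map_lines:
        parts = line.split()
        if parts[:2] != ["wrr-queue", "cos-map"]:
            raise ValueError(f"not a cos-map command: {line!r}")
        queue = int(parts[2])
        if not LOWEST <= queue <= HIGHEST:
            raise ValueError(f"queue {queue} out of range {LOWEST}-{HIGHEST}")
        for cos in parts[3:]:
            if not 0 <= int(cos) <= 7:
                raise ValueError(f"CoS {cos} out of range 0-7")
            mapping[int(cos)] = queue
    return mapping


def enqueue(frames, cos_map):
    """frames: list of (label, cos). Returns {queue: deque of labels}."""
    queues = defaultdict(deque)
    for label, cos in frames:
        queues[cos_map[cos]].append(label)
    return queues


def schedule(queues, strict_count, wrr_weights):
    """Return the transmit order as (queue, label) tuples.
    The highest strict_count queues drain first (highest id first); the
    remaining queues are served WRR, wrr_weights[i] packets per round for
    queue i+1 (same order as 'wrr-queue bandwidth w1 w2 ...'). Strict queues
    are re-checked before every packet, so they always win, as the page says."""
    wrr_queues = list(range(LOWEST, HIGHEST - strict_count + 1))
    if len(wrr_weights) != len(wrr_queues):
        raise ValueError("one weight per WRR queue is required")
    strict_queues = list(range(HIGHEST, HIGHEST - strict_count, -1))
    order = []

    def drain_strict():
        for q in strict_queues:
            while queues[q]:
                order.append((q, queues[q].popleft()))

    while any(queues[q] for q in range(LOWEST, HIGHEST + 1)):
        drain_strict()
        # Within a round, visit WRR queues from the highest id downward.
        for q, weight in zip(reversed(wrr_queues), reversed(wrr_weights)):
            for _ in range(weight):
                if not queues[q]:
                    break
                drain_strict()
                order.append((q, queues[q].popleft()))
    return order


if __name__ == "__main__":
    cos_map = build_cos_map(["wrr-queue cos-map 8 7", "wrr-queue cos-map 7 5 6",
                             "wrr-queue cos-map 6 3 4", "wrr-queue cos-map 2 1 2"])
    frames = [("a", 0), ("b", 7), ("c", 3), ("d", 1), ("e", 3),
              ("f", 5), ("g", 0), ("h", 3), ("i", 0)]          # constructed
    # Two strict queues (8 and 7), weights 6 6 6 6 6 6 as in the page's CLI example.
    for q, label in schedule(enqueue(frames, cos_map), 2, [6] * 6):
        print(f"queue {q}: {label}")
```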
2 Enter the fields:
– DSCP In — The values of the DSCP field in the incoming packet.
– Queue — The queue to which packets with the specific DSCP value are assigned. The values are 1-4 for the R1-2401 device and 1-8 for the R1-2210 device, where 1 is the lowest value, and 4 and 8 are the highest values.
Mapping DSCP Values to Queues Using CLI Commands
The following table summarizes the CLI commands for configuring fields in the DSCP to Queue page.
Table 22-5.
To configure bandwidth limitation:
1 Click Quality of Service > General > Bandwidth in the tree view to display the Bandwidth: Summary page. The ingress and egress rates are displayed for all ports.
2 To set interface parameters, click Edit.
3 Select an interface, and enter the fields:
– Enable Ingress Rate Limit — Enable/disable the ingress traffic limit for the interface. If this field is selected, enter the Ingress Rate Limit.
– Ingress Rate Limit — Enter the ingress traffic limit for the interface.
The following is an example of the CLI commands:
console(config)# interface gi0/5
console(config-if)# traffic-shape 124000 9600
console(config-if)# rate-limit 150000
TCP Congestion Avoidance
Use the TCP Congestion Avoidance page to activate a congestion avoidance algorithm. The algorithm breaks up or prevents TCP global synchronization in a congested node, where the congestion is due to various sources sending packets with the same byte count.
QoS Basic Mode
This section describes QoS Basic mode. It contains the following topics:
• Overview
• Global Settings
• DSCP Rewrite
• Interface Settings
Overview
In QoS Basic mode, a specific domain in the network can be defined as trusted. Within that domain, packets are marked with CoS priority and/or DSCP values to signal the type of service they require. Nodes within the domain use these fields to assign the packet to a specific output queue.
Global Settings
Use the Global Settings page to enable Trust on all interfaces on the switch. This configuration is only active when the QoS mode is Basic. Packets entering a QoS domain are classified at the edge of the QoS domain. For more information on setting Trust mode on an interface, see Interface Settings.
To define Trust configuration:
1 Click Quality of Service > QoS Basic Mode > Global Settings in the tree view to display the Global Settings page.
Table 22-8. Global Settings CLI Commands (continued)
qos dscp-mutation
    Applies the DSCP Mutation map to system DSCP trusted ports.
no qos dscp-mutation
    Use the no form of this command to restore the trusted port with no DSCP mutation.
Assigning DSCP Rewrite Values Using CLI Commands
The following table summarizes the CLI commands for configuring fields in the DSCP Rewrite page.
Table 22-9. DSCP Rewrite CLI Commands
qos map dscp-mutation in-dscp to out-dscp
    Configures the DSCP to DSCP Mutation table.
no qos map dscp-mutation [in-dscp]
    Use the no form of this command to restore the default configuration.
Configuring QoS Basic Mode Using CLI Commands
The following is a sample script configuring QoS Basic mode.
Table 22-10. Sample CLI Script to Configure QoS Basic Mode
console#configure
console(config)# qos basic
    Enable QoS in Basic mode.
console(config)#mac access-list extended MAC1
    Define an ACL named "MAC1".
console(config-mac-al)#deny 00:00:00:00:00:11 00:00:00:00:00:ff any
    MAC1 discards all traffic with source MAC 00:00:00:00:00:XX addresses.
Overview
In Advanced mode, the switch uses policies to support per-flow QoS. A policy and its components have the following characteristics and relationships:
• A policy contains one or more class maps.
• A class map defines a flow with one or more associated ACLs. Packets that match the ACL rules (ACEs) in a class map with a Permit (forward) action belong to the same flow and are subject to the same quality of service action. A policy can contain one or more flows, each with a user-defined QoS action.
– Trust — Interface Settings, Policy Class Maps
– Set DSCP/CoS — Policy Class Maps
– Set Queue — DSCP Mapping
• Binding — Combination of rules and actions that are bound to one or more interfaces.
Workflow to Configure Advanced QoS Mode
To configure Advanced QoS mode, perform the following:
1 Select Advanced mode for the system in the QoS Mode page.
2 If external DSCP values are different from those used on incoming packets, map the external values to internal values in the DSCP Rewrite page.
DSCP Mapping When a policer is assigned to a class map (flow), you can specify the action to take when the amount of traffic in the flow(s) exceeds the QoS-specified limits. The portion of the traffic that causes the flow to exceed its QoS limit is referred to as out-of-profile packets. If the exceed action is Remark DSCP (as opposed to Drop), the switch rewrites the original DSCP value of the out-of-profile IP packets to a new value, based on the values entered in the DSCP Mapping page.
The following is an example of the CLI commands:
console(config)# qos map policed-dscp 3 to 43
Class Mapping
A Class Map defines a traffic flow associated with ACL(s). A MAC-based ACL, an IP-based ACL, and an IPv6-based ACL can be combined into a class map. Class maps are configured to match packet criteria on a match-all or match-any basis. They are matched to packets on a first-fit basis, meaning that the action associated with the first-matched class map is the action performed by the system.
– Match ACL Type — Enter the criteria that a packet must match in order to belong to the flow defined by the class map. The possible options are:
• IP — A packet must match either of the IP-based ACLs in the class map.
• MAC — A packet must match the MAC-based ACL in the class map.
• IP and MAC — A packet must match the IP-based ACL and the MAC-based ACL in the class map (match-all).
• IP or MAC — A packet must match either the IP-based ACL or the MAC-based ACL in the class map (match-any).
Table 22-12. Class Mapping CLI Commands (continued)
match access-group acl-name
    Defines the match criteria for classifying traffic.
no match access-group acl-name
    Use the no form of this command to delete the match criteria.
show class-map [class-map-name]
    Displays information about the class map.
• Aggregate Policer — An aggregate policer applies QoS to one or more class maps, and to one or more flows. An aggregate policer can include class maps from various policies. An aggregate policer applies QoS to all its flow(s) in aggregation, regardless of policies and ports. An aggregate policer is created in the Aggregate Policer pages. An aggregate policer is defined when the policer is to be shared by more than one class.
– Exceed Action — Select the action to be performed on incoming packets that exceed the CIR. The possible options are:
• None — No action is performed on packets exceeding the defined CIR value.
• Drop — Packets exceeding the defined CIR value are dropped.
• Remark DSCP — The DSCP values of packets exceeding the defined CIR value are rewritten to a value entered in the DSCP Mapping pages.
• One or more aggregate policers that apply the QoS to the traffic flows in the policy.
Only those policies that are bound to an interface are active (see the Policy Binding pages). After a policy has been added, class maps can be added in the Policy Table pages.
To create a QoS policy:
1 Click Quality of Service > QoS Advanced Mode > Policy Table to display the Policy Table: Summary page. The previously-defined policies are displayed.
2 To create a policy, click Add.
To add a class map to a policy:
1 Click Quality of Service > QoS Advanced Mode > Policy Class Maps to display the Policy Class Maps: Summary page.
2 Select a policy in the Policy Name field. The class maps in that policy are displayed.
3 To add a class map, click Add.
4 Enter the parameters.
– Policy Name — Select the policy to which the class map is being added.
– Class Map Name — Select an existing class map to be associated with the policy. Class maps are created in the Class Mapping pages.
– Police Type (Only in L2 and R1-2210) — Available in Layer 2 Mode only. Select the policer type for the policy. The possible options are:
• None — No policer is used.
• Single — The policer for the policy is a single policer.
• Aggregate — The policer for the policy is an aggregate policer.
– Aggregate Policer (Only in L2 and R1-2210) — Available in Layer 2 Mode only. If Police Type is Aggregate, select a previously-defined aggregate policer.
Defining Policy Class Maps Using CLI Commands
The following table summarizes the CLI commands for setting the fields in the Policy Class Maps pages.
Table 22-15. Policy Class Maps CLI Commands
class class-map-name [access-group acl-name]
    Defines a traffic classification and enters the Policy-map Class Configuration mode.
no class class-map-name
    Use the no form of this command to detach a class map from the policy map.
The following is an example of the CLI commands:
console(config)# policy-map policy1
console(config-pmap)# class class1 access-group enterprise
console(config-pmap)# trust cos-dscp
console(config-pmap)# set dscp 56
console(config-pmap)# class class1
console(config-pmap-c)# police 124000 9600 exceed-action drop
console(config)# qos aggregate-policer policer1 124000 9600 exceed-action drop
Policy Binding
After policies are created, they must be bound to interfaces (ports or LAGs).
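The policer behaviour described across the DSCP Mapping page (qos map policed-dscp), the Exceed Action options (None, Drop, Remark DSCP) and the police 124000 9600 example above, modelled in Python as an added illustration that is not the switch implementation. The single token bucket algorithm, the units (CIR in kbit/s, burst in bytes) and the packet trace are assumptions of this example; the in-profile and out-of-profile byte counters mirror the fields the Policer Statistics pages report.

```python
"""Model of a single-rate policer with an exceed action and the DSCP Mapping
table used for Remark DSCP. Added illustration; token-bucket semantics and
units (CIR kbit/s, burst bytes) are assumed, not taken from the guide."""
from typing import Optional


class PolicedDscpMap:
    """DSCP Mapping page: out-of-profile DSCP in -> DSCP out (identity by default)."""

    def __init__(self):
        self.table = {dscp: dscp for dscp in range(64)}

    def map(self, in_dscp: int, out_dscp: int) -> None:
        """Equivalent of 'qos map policed-dscp <in_dscp> to <out_dscp>'."""
        for value in (in_dscp, out_dscp):
            if not 0 <= value <= 63:
                raise ValueError(f"DSCP {value} outside 0-63")
        self.table[in_dscp] = out_dscp

    def remark(self, dscp: int) -> int:
        return self.table[dscp]


class Policer:
    """Single token bucket: CIR refills it, the burst size bounds it (assumed)."""

    def __init__(self, cir_kbps: int, burst_bytes: int, exceed_action: str,
                 policed_dscp: Optional[PolicedDscpMap] = None):
        if exceed_action not in ("none", "drop", "remark"):
            raise ValueError("exceed_action must be none, drop or remark")
        if exceed_action == "remark" and policed_dscp is None:
            raise ValueError("remark needs a DSCP Mapping table")
        self.cir_bytes_per_s = cir_kbps * 1000 / 8
        self.burst_bytes = burst_bytes
        self.exceed_action = exceed_action
        self.policed_dscp = policed_dscp
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_time = 0.0
        self.in_profile_bytes = 0          # the counters the Policy Class Map and
        self.out_of_profile_bytes = 0      # Aggregate Policer Statistics pages show

    def police(self, now: float, length: int, dscp: int):
        """Return (action, dscp) for a packet of `length` bytes arriving at `now` seconds."""
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed * self.cir_bytes_per_s)
        self.last_time = max(self.last_time, now)
        if length <= self.tokens:               # in profile: spend tokens, forward as is
            self.tokens -= length
            self.in_profile_bytes += length
            return "forward", dscp
        self.out_of_profile_bytes += length     # out of profile: apply the exceed action
        if self.exceed_action == "drop":
            return "drop", dscp
        if self.exceed_action == "remark":
            return "forward", self.policed_dscp.remark(dscp)
        return "forward", dscp                  # "none": forwarded unchanged


def run_policer(policer: Policer, packets):
    """packets: iterable of (time_s, length_bytes, dscp). Returns [(action, dscp), ...]."""
    return [policer.police(t, length, dscp) for t, length, dscp in packets]


if __name__ == "__main__":
    dscp_map = PolicedDscpMap()
    dscp_map.map(3, 43)                        # the page's 'qos map policed-dscp 3 to 43'
    burst = [(0.0, 1500, 3)] * 7               # constructed: seven 1500-byte packets at once
    policer = Policer(124000, 9600, "remark", dscp_map)
    for action, dscp in run_policer(policer, burst + [(0.001, 1500, 3)]):
        print(action, dscp)
```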
Defining Policy Binding Using CLI Commands
The following table summarizes the CLI commands for setting the fields in the Policy Binding pages.
Table 22-16. Policy Binding CLI Commands
service-policy input policy-map-name
    Applies a policy map to the input of a particular interface.
no service-policy input
    Use the no form of this command to detach a policy map from an interface.
– Policy — Statistics are displayed for this policy.
– Class Map — Statistics are displayed for this class map.
– In-Profile Bytes — Number of in-profile bytes received.
– Out-of-Profile Bytes — Number of out-of-profile bytes received.
2 Click Add to add a new counter that applies to another policy-class map.
3 Enter the fields:
– Interface — Select the interface for which the counter is defined.
– Policy - Class Map Name — Select a policy class map pair.
– In-Profile Bytes — Number of in-profile packets that were received.
– Out-of-Profile Bytes — Number of out-of-profile packets that were received.
2 To add a new counter that applies to another aggregate policer, click Add.
3 Select an aggregate policer in the Aggregate Policer Name field.
Defining Aggregate Policer Statistics Using CLI Commands
The following table summarizes the CLI commands for setting the fields in the Aggregate Policer Statistics pages.
Table 22-18.
– Queue — Number of the queue.
– Total Packets — Number of packets forwarded or tail dropped.
– Tail Drop Packets — Percentage of packets that were tail dropped.
2 To add a new counter, click Add, and enter the fields:
– Counter Set — Select the counter set. The possible options are:
• Set 1 — Displays the statistics that contain all interfaces and queues with a high DP (Drop Precedence).
• Set 2 — Displays the statistics that contain all interfaces and queues with a low DP.
23 Getting Help
Contacting Dell
NOTE: Dell provides several online and telephone-based support and service options. If you do not have an active Internet connection, you can find contact information on your purchase invoice, packing slip, bill, or Dell product catalog. Availability varies by country and product, and some services may not be available in your area.
To contact Dell for sales, technical support, or customer-service issues:
1 Go to dell.com/support.
Downloading Drivers, Firmware, and Software
1 Go to dell.com/support.
2 Enter your system service tag in the Enter your Service Tag field.
3 Click Submit. The support page that lists the various support categories is displayed.
4 From the left pane, select Get drivers and downloads.
5 Select your filters.
6 View by Category, Importance, or Release Date.
Related Documentation
WARNING: See the safety and regulatory information that shipped with your system.
Documentation Feedback If you have feedback for this document, write to documentation_feedback@dell.com. Alternatively, you can click on the Feedback link in any of the Dell documentation pages, fill out the form, and click Submit to send your feedback.
Glossary
This glossary contains key technical words of interest.
A
Access Mode
Specifies the method by which user access is granted to the system.
Access Profiles
Allows network managers to define profiles and rules for accessing the switch module. Access to management functions can be limited to user groups, which are defined by the following criteria:
• Ingress interfaces
• Source IP address or Source IP subnets
ACL
Access Control List.
ASIC
Application Specific Integrated Circuit. A custom chip designed for a specific application.
Asset Tag
Specifies the user-defined switch module reference.
Authentication Profiles
Sets of rules that enable login to and authentication of users and applications.
B
Bandwidth
Bandwidth specifies the amount of data that can be transmitted in a fixed amount of time. For digital switch modules, bandwidth is defined in Bits per Second (bps) or Bytes per Second.
Bandwidth Assignments
The amount of bandwidth assigned to a specific application, user, or interface.
Baud
The number of signaling elements transmitted each second.
Best Effort
Traffic is assigned to the lowest priority queue, and packet delivery is not guaranteed.
Boot Version
The boot version.
Broadcast Domain
Device sets that receive Broadcast frames originating from any device within a designated set. Routers bound Broadcast domains, because routers do not forward Broadcast frames.
Broadcasting
A method of transmitting packets to all ports on a network.
Broadcast Storm
An excessive amount of Broadcast messages simultaneously transmitted across a network by a single port. Forwarded message responses are heaped onto the network, overloading network resources or causing the network to time out.
C
CPU
Central Processing Unit. The part of a computer that processes information. CPUs are composed of a control unit and an ALU.
D
DHCP Client
A device using DHCP to obtain configuration parameters, such as a network address.
DHCP Snooping
DHCP Snooping expands network security by providing firewall security between untrusted interfaces and DHCP servers.
DSCP
DiffServ Code Point (DSCP). DSCP provides a method of tagging IP packets with QoS priority information.
Allows automatic assignment of users to VLANs during the RADIUS server authentication. When a user is authenticated by the RADIUS server, the user is automatically joined to the VLAN configured on the RADIUS server.
E
Egress Ports
Ports from which network traffic is transmitted.
End System
An end user device on a network.
Ethernet
Ethernet is standardized as per IEEE 802.3. Ethernet is the most commonly implemented LAN standard. Supports data transfer rates of 10, 100 or 1000 Mbps.
F
Flapping
Flapping occurs when an interface's state is constantly changing. For example, an STP port constantly changes from listening to learning to forwarding. This may cause traffic loss.
Flow Control
Enables lower speed devices to communicate with higher speed devices, that is, the higher speed device refrains from sending packets.
Fragment
Ethernet packets smaller than 576 bits.
Frame
Packets containing the header and trailer information required by the physical medium.
A computer that acts as a source of information or services to other computers.
HTTP
HyperText Transport Protocol. Transmits HTML documents between servers and clients on the internet.
I
IC
Integrated Circuit. Integrated Circuits are small electronic devices composed from semiconductor material.
ICMP
Internet Control Message Protocol. Allows a gateway or destination host to communicate with a source host, for example, to report a processing error.
IEEE
Institute of Electrical and Electronics Engineers.
IGMP Snooping
IGMP Snooping examines IGMP frame contents when they are forwarded by the device from workstations to an upstream Multicast router. From the frame, the device identifies workstations configured for Multicast sessions, and which Multicast routers are sending Multicast frames.
Image File
System images are saved in two Flash sectors called images (Image 1 and Image 2). The active image stores the active copy, while the other image stores a second copy.
L
LAG
Link Aggregated Group. Aggregates ports or VLANs into a single virtual port or VLAN. For more information on LAGs, see Defining LAG Membership.
LAN
Local Area Networks. A network contained within a single room, building, campus or other limited geographical area.
Layer 2
Data Link Layer or MAC Layer. Contains the physical address of a client or server station. Layer 2 processing is faster than Layer 3 processing because there is less information to process.
M
MAC Address
Media Access Control Address. The MAC Address is a hardware specific address that identifies each network node.
MAC Address Learning
MAC Address Learning characterizes a learning bridge, in which the packet's source MAC address is recorded. Packets destined for that address are forwarded only to the bridge interface on which that address is located. Packets addressed to unknown addresses are forwarded to every bridge interface. MAC Address Learning minimizes traffic on the attached LANs.
MIB
Management Information Base. MIBs contain information describing specific aspects of network components.
Multicast
Transmits copies of a single packet to multiple ports.
Multicast TV VLAN
Multicast Television VLAN or TV VLAN, is used for television applications with a PC or with televisions equipped with a "Set-Top Box" device.
N
NA
Neighbor Advertisement.
ND
Neighbor Discovery.
NS
Neighbor Solicitation.
NMS
Network Management System. An interface that provides a method of managing a system.
O
OID
Object Identifier. Used by SNMP to identify managed objects. In the SNMP Manager/Agent network management paradigm, each managed object must have an OID to identify it.
OUI
Organizationally Unique Identifiers. Identifiers associated with a Voice VLAN.
P
Packets
Blocks of information for transmission in packet switched systems.
PDU
Protocol Data Unit. A data unit specified in a layer protocol consisting of protocol control information and layer user data.
PING
Packet Internet Groper.
PVE
Private VLAN Edge. A port can be defined as a Private VLAN Edge (PVE) port of an uplink port, so that it will be isolated from other ports within the same VLAN.
Q
QoS
Quality of Service. QoS allows network managers to decide how and what network traffic is forwarded according to priorities, application types, and source and destination addresses.
Query
Extracts information from a database and presents the information for use.
R
RA
RADIUS Advertisement.
RD
RADIUS Discovery.
RS
Router Solicitation.
Router
A device that connects to separate networks. Routers forward packets between two or more networks. Routers operate at a Layer 3 level.
RSTP
Rapid Spanning Tree Protocol. Detects and uses network topologies that allow a faster convergence of the spanning tree, without creating forwarding loops.
Running Configuration File
Contains all startup configuration file commands, as well as all commands entered during the current session.
S
SoC
System on a Chip. An ASIC that contains an entire system. For example, a telecom SoC application can contain a microprocessor, digital signal processor, RAM, and ROM.
Spanning Tree Protocol
Prevents loops in network traffic. The Spanning Tree Protocol (STP) provides tree topography for any arrangement of bridges. STP provides one path between end stations on a network, eliminating loops.
SSH
Secure Shell.
T
TCP/IP
Transmission Control Protocol. Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery, and guarantees packets are transmitted and received in the order they are sent.
Telnet
Terminal Emulation Protocol. Enables system users to log in and use resources on remote networks.
TFTP
Trivial File Transfer Protocol. Uses User Datagram Protocol (UDP) without security features to transfer files.
Trap
A message sent by SNMP that indicates that a system event has occurred.
V
VLAN
Virtual Local Area Networks. Logical subgroups within a Local Area Network (LAN) created via software rather than defining a hardware solution.
VoIP
Voice over IP.
W
WAN
Wide Area Networks. Networks that cover a large geographical area.
Wildcard Mask
Specifies which IP address bits are used, and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard mask of 0.0.0.0 indicates that all the bits are important.
Printed in the U.S.A.