Powered by Accton ES3526XA L2/4 Fast Ethernet Switch Management Guide www.edge-core.
Management Guide L2/4 Fast Ethernet Switch Layer 2 Standalone Switch with 24 10/100BASE-TX (RJ-45) Ports, and 2 Combination Gigabit (RJ-45/SFP) Ports
ES3526XA E122008-MW-R03 149100034800A
Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults 1-1 1-1 1-2 1-6 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers Configuring Access for SNMP Version 3 Clients Saving Con
Contents Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server Console Port Settings Telnet Settings Configuring Event Logging Displaying Log Messages System Log Configuration Remote Log Configuration Simple Mail Transfer Protocol Resetting the System Setting the System Clock Configuring SNTP Setting the Time Zone Setting the Time Manually Simple Network Management Protocol Setting Community Access Strings Specifying Trap Managers and Trap Types Enabling SNMP Agent Stat
Contents Configuring Port Security Configuring 802.1X Port Authentication Displaying 802.1X Global Settings Configuring 802.1X Global Settings Configuring Port Settings for 802.1X Displaying 802.
Contents Displaying Interface Settings Configuring Interface Settings Configuring Multiple Spanning Trees Displaying Interface Settings for MSTP Configuring Interface Settings for MSTP VLAN Configuration IEEE 802.1Q VLANs Enabling or Disabling GVRP (Global Setting) Displaying Basic VLAN Information Displaying Current VLANs Creating VLANs Adding Static Members to VLANs (VLAN Index) Adding Static Members to VLANs (Port Index) Configuring VLAN Behavior for Interfaces Configuring IEEE 802.
Contents Mapping IP Precedence Priority Mapping IP TOS Priority Mapping CoS Values to ACLs Quality of Service Configuring Quality of Service Parameters Configuring a Class Map Creating QoS Policies Attaching a Policy Map to Ingress Queues VoIP Traffic Configuration Configuring VoIP Traffic Configuring VoIP Traffic Port Configuring Telephony OUI Multicast Filtering Layer 2 IGMP (Snooping and Query) Configuring IGMP Snooping and Query Parameters Enabling IGMP Immediate Leave Displaying Interfaces Attached to
Contents UPnP Configuration Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Command Groups Line Commands line login password timeout login response e
Contents System Management Commands Device Designation Commands prompt hostname Banner banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number banner configure manager-info banner configure mux banner configure note show banner User Access Commands username enable password IP Filter Commands management show management Web Server Commands ip http
Contents logging history logging host logging facility logging trap clear logging show logging show log SMTP Alert Commands logging sendmail host logging sendmail level logging sendmail source-email logging sendmail destination-email logging sendmail show logging sendmail Time Commands sntp client sntp server sntp poll show sntp clock timezone calendar set show calendar System Status Commands show startup-config show running-config show system show users show version Frame Size Commands jumbo frame Flash/Fi
Contents radius-server retransmit radius-server timeout show radius-server TACACS+ Client tacacs-server host tacacs-server port tacacs-server key tacacs-server retransmit tacacs-server timeout show tacacs-server AAA Commands aaa group server server aaa accounting dot1x aaa accounting exec aaa accounting commands aaa accounting update accounting dot1x accounting exec accounting commands aaa authorization exec authorization exec show accounting Port Security Commands port security 802.
Contents mac-authentication reauth-time clear network-access show network-access show network-access mac-address-table Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth show web-auth show web-auth interface web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth summary Access Control List Commands IP ACLs access-list ip permit, deny (Standard ACL) permit, deny (Extended ACL) show ip access-list ip access-group
Contents show snmp group snmp-server user show snmp user Interface Commands interface description speed-duplex negotiation capabilities flowcontrol shutdown broadcast byte-rate switchport broadcast clear counters show interfaces status show interfaces counters show interfaces switchport Mirror Port Commands port monitor show port monitor Rate Limit Commands rate-limit Link Aggregation Commands channel-group lacp lacp system-priority lacp admin-key (Ethernet Interface) lacp admin-key (Port Channel) lacp port
Contents lldp notification lldp mednotification lldp basic-tlv management-ip-address lldp basic-tlv port-description lldp basic-tlv system-capabilities lldp basic-tlv system-description lldp basic-tlv system-name lldp dot1-tlv proto-ident lldp dot1-tlv proto-vid lldp dot1-tlv pvid lldp dot1-tlv vlan-name lldp dot3-tlv link-agg lldp dot3-tlv mac-phy lldp dot3-tlv max-frame lldp dot3-tlv poe lldp medtlv extpoe lldp medtlv inventory lldp medtlv location lldp medtlv med-cap lldp medtlv network-policy show lldp
Contents spanning-tree mst cost spanning-tree mst port-priority spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp show bridge-ext switchport gvrp show gvrp configuration garp timer show garp timer Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan switchport mode switchport acceptable-frame-types switchport ingress-filtering switchport native vlan switchport allowed vlan swi
Contents Priority Commands (Layer 2) queue mode switchport priority default queue bandwidth queue cos-map show queue mode show queue bandwidth show queue cos-map Priority Commands (Layer 3 and 4) map ip dscp map ip port map ip precedence map ip tos map access-list ip map access-list mac show map ip dscp show map ip port show map ip precedence show map ip tos show map access-list Quality of Service Commands class-map match policy-map class set police service-policy show class-map show policy-map show policy-
Contents ip igmp snooping leave-proxy ip igmp snooping immediate-leave show ip igmp snooping show mac-address-table multicast IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count ip igmp snooping query-interval ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time Static Multicast Routing Commands ip igmp snooping vlan mrouter show ip igmp snooping mrouter IGMP Filtering and Throttling Commands ip igmp filter (Global Configuration) ip igmp profile p
Contents IP Source Guard Commands ip source-guard ip source-guard binding show ip source-guard show ip source-guard binding Switch Cluster Commands cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates UPnP Commands upnp device upnp device ttl upnp device advertise duration show upnp 4-309 4-309 4-311 4-312 4-312 4-313 4-313 4-314 4-314 4-315 4-315 4-316 4-316 4-317 4-317 4-317 4-318 4-318 4-319 Appendix A: Software Specifications Softw
Figures Figure 3-133 Displaying Multicast Router Port Information Figure 3-134 Static Multicast Router Port Configuration Figure 3-135 IP Multicast Registration Table Figure 3-136 IGMP Member Port Table Figure 3-137 Enabling IGMP Filtering and Throttling Figure 3-138 IGMP Profile Configuration Figure 3-139 IGMP Filter and Throttling Port Configuration Figure 3-140 MVR Global Configuration Figure 3-141 MVR Port Information Figure 3-142 MVR Group IP Information Figure 3-143 MVR Port Configuration Figure 3-144
Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
1 Introduction

Table 1-1 Key Features
Feature | Description
Multicast Filtering | Supports IGMP snooping and query, as well as Multicast VLAN Registration
Switch Clustering | Supports up to 36 Member switches in a cluster

Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation.
Description of Software Features 1

Rate Limiting – This feature controls the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port.
seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs.
or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN.
System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-20). The following table lists some of the basic system defaults.
System Defaults 1

Table 1-2 System Defaults (Continued)
Function | Parameter | Default
Port Configuration | Admin Status | Enabled
Port Configuration | Auto-negotiation | Enabled
Port Configuration | Flow Control | Disabled
Rate Limiting | Input limits | Disabled
Port Trunking | Static Trunks | None
Port Trunking | LACP (all ports) | Disabled
Broadcast Storm Protection | Status | Enabled (all ports)
Broadcast Storm Protection | Broadcast Limit Rate | 5k octets per second
Spanning Tree Algorithm | Status | Enabled, RSTP (Defaults: All values based on IEEE 802.
Table 1-2 System Defaults (Continued)
Function | Parameter | Default
Multicast Filtering | IGMP Snooping | Snooping: Enabled; Querier: Enabled
Multicast Filtering | Multicast VLAN Registration | Disabled
System Log | Status | Enabled
System Log | Messages Logged | Levels 0-6 (all)
System Log | Messages Logged to Flash | Levels 0-3
SMTP Email Alerts | Event Handler | Enabled (but no server defined)
SNTP | Clock Synchronization | Disabled
DHCP Snooping | Status | Disabled
IP Source Guard | Status | Disabled (all ports)
Switch Clustering | Status | E
Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
2 Initial Configuration

• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch.
2 Basic Configuration

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.

Note: This switch supports four concurrent Telnet/SSH sessions.
Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.

To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
Basic Configuration 2

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps:

1.
Configuring Access for SNMP Version 3 Clients

To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
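The view-to-group-to-user chain described above can be modelled to check what a given SNMPv3 user ends up being able to read or write before the configuration is pushed to the switch. This is an added example, not code from the guide or the switch firmware; the view, group and user names are constructed, the exclusion of the IP routing table is an illustration, and view family masks are not modelled.

```python
"""Model of the SNMPv3 access chain the guide describes: a view names the
MIB subtrees a client may see, a group binds a read view and a write view,
and each user belongs to one group.  Added example; names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

# Standard prefixes matching the two views in the guide's example.
MIB_2 = "1.3.6.1.2.1"            # the MIB-2 branch
DOT1D_BRIDGE = "1.3.6.1.2.1.17"  # IEEE 802.1D bridge MIB (dot1dBridge)


def parse_oid(text: str) -> OID:
    """Turn '1.3.6.1.2.1' into a tuple of ints, rejecting malformed input."""
    parts = text.strip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class View:
    """Ordered (subtree, included) entries.  The most specific matching
    subtree decides, so an excluded child carves a hole in an included parent.
    Family masks are deliberately not modelled."""
    name: str
    entries: List[Tuple[OID, bool]] = field(default_factory=list)

    def include(self, subtree: str) -> "View":
        self.entries.append((parse_oid(subtree), True))
        return self

    def exclude(self, subtree: str) -> "View":
        self.entries.append((parse_oid(subtree), False))
        return self

    def permits(self, oid: str) -> bool:
        target = parse_oid(oid)
        best: Optional[Tuple[OID, bool]] = None
        for subtree, included in self.entries:
            if target[: len(subtree)] == subtree and (
                best is None or len(subtree) > len(best[0])
            ):
                best = (subtree, included)
        return best is not None and best[1]


@dataclass
class Group:
    name: str
    read_view: Optional[str] = None   # None: no read access at all
    write_view: Optional[str] = None  # None: read-only group


@dataclass
class AccessModel:
    views: Dict[str, View] = field(default_factory=dict)
    groups: Dict[str, Group] = field(default_factory=dict)
    users: Dict[str, str] = field(default_factory=dict)  # user -> group

    def can(self, user: str, op: str, oid: str) -> bool:
        """Resolve user -> group -> view, then test the OID against the view."""
        group = self.groups.get(self.users.get(user, ""))
        if group is None:
            return False
        view_name = group.read_view if op == "read" else group.write_view
        view = self.views.get(view_name) if view_name else None
        return view is not None and view.permits(oid)


def build_example() -> AccessModel:
    """Constructed configuration mirroring the guide's two-view example."""
    m = AccessModel()
    # View 1: the whole MIB-2 branch, minus the IP routing table (constructed).
    m.views["mib-2"] = View("mib-2").include(MIB_2).exclude("1.3.6.1.2.1.4.21")
    # View 2: only the 802.1D bridge MIB.
    m.views["bridge"] = View("bridge").include(DOT1D_BRIDGE)
    # Operators read MIB-2 but may only write bridge objects; monitors read only.
    m.groups["ops"] = Group("ops", read_view="mib-2", write_view="bridge")
    m.groups["monitor"] = Group("monitor", read_view="mib-2")
    m.users["steve"] = "ops"
    m.users["chris"] = "monitor"
    return m


if __name__ == "__main__":
    model = build_example()
    for user, op, oid in [("steve", "write", "1.3.6.1.2.1.17.2.5.0"),
                          ("chris", "write", "1.3.6.1.2.1.17.2.5.0"),
                          ("chris", "read", "1.3.6.1.2.1.4.21.1.1.0")]:
        verdict = "allowed" if model.can(user, op, oid) else "denied"
        print(f"{user:6} {op:5} {oid}: {verdict}")
```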
Managing System Files 2

Managing System Files

The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are:
• Configuration — This file stores system configuration information and is created when configuration settings are saved.
Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
3 Configuring the Switch

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Panel Display 3

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3-1 Configuration Options
Button | Action
Revert | Cancels specified values and restores current values prior to pressing Apply.
Apply | Sets specified values to the system.
Help | Links directly to webhelp.

Notes: 1.
Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Main Menu 3

Table 3-2 Main Menu (Continued)
Menu | Description | Page
SNMPv3 | | 3-39
Engine ID | Sets the SNMP v3 engine ID on this switch | 3-39
Remote Engine ID | Sets the SNMP v3 engine ID for a remote device | 3-41
Users | Configures SNMP v3 users on this switch | 3-41
Remote Users | Configures SNMP v3 users from a remote device | 3-43
Groups | Configures SNMP v3 groups | 3-44
Views | Configures SNMP v3 views | 3-46
Security | | 3-48
User Accounts | Assigns a new password for the current user | 3-48
Authentication
Table 3-2 Main Menu (Continued)
Menu | Description | Page
Configuration | Configures the global configuration settings | 3-75
Port Configuration | Sets parameters for individual ports | 3-76
Statistics | Displays protocol statistics for the selected port | 3-79
Web Authentication | | 3-80
Configuration | Configures Web Authentication settings |
Port Configuration | Enables Web Authentication for individual ports | 3-82
Port Information | Displays status information for individual ports | 3-83
Table 3-2 Main Menu (Continued)
Menu | Description | Page
Rate Limit | | 3-117
Input Port Configuration | Sets the input rate limit for each port | 3-117
Output Port Configuration | Sets the output rate limit for ports | 3-117
Port Statistics | Lists Ethernet and RMON port statistics | 3-118
Address Table | | 3-122
Static Addresses | Displays or edits static entries in the Address Table | 3-122
Dynamic Addresses | Displays entries for interface, address or VLAN | 3-123
Address Aging | Sets timeout for dynami
Table 3-2 Main Menu (Continued)
Menu | Description | Page
Port Configuration | Specifies default PVID and VLAN attributes | 3-153
Trunk Configuration | Specifies default trunk VID and VLAN attributes | 3-153
Tunnel Port Configuration | Adds an interface to a QinQ Tunnel | 3-160
Tunnel Trunk Configuration | Adds an interface to a QinQ Tunnel | 3-160
Private VLAN | | 3-162
Information | Displays Private VLAN feature information | 3-162
Configuration | This page is used to create/remove primar
Table 3-2 Main Menu (Continued)
Menu | Description | Page
Queue Scheduling | Configures Weighted Round Robin queueing | 3-184
IP DSCP Priority Status | Globally enables DSCP priority | 3-186
IP DSCP Priority | Sets IP Differentiated Services Code Point priority, mapping a DSCP tag to a class-of-service queue | 3-187
IP Port Priority Status | Globally enables IP port priority | 3-188
IP Port Priority | Sets IP port priority, mapping TCP/UDP ports to class-of-service queues | 3-188
IP Precedence Prior
Table 3-2 Main Menu (Continued)
Menu | Description | Page
IGMP Filter Profile Configuration | Configures IGMP Filter Profiles | 3-217
IGMP Filter/Throttling Port Configuration | Configures IGMP Filtering and Throttling for ports | 3-219
IGMP Filter/Throttling Trunk Configuration | Configures IGMP Filtering and Throttling for trunks | 3-219
MVR | | 3-221
Configuration | Globally enables MVR, sets the MVR VLAN, adds multicast stream addresses | 3-222
Port Information | Displays MVR interfac
3 Basic Configuration

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location and contact information.

Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.
• Location – Specifies the system location.
• Contact – Administrator responsible for the system.
• System Up Time – Length of time the management agent has been up.
CLI – Specify the hostname, location and contact information.

Console(config)#hostname R&D 5    4-25
Console(config)#snmp-server location WC 9    4-136
Console(config)#snmp-server contact Ted    4-136
Console(config)#exit
Console#show system    4-70
System Description: Layer2+ Fast Ethernet Standalone Switch ES3526XA
System OID String: 1.3.6.1.4.1.259.8.1.5
System Information
System Up Time: 0 days, 0 hours, 57 minutes, and 56.
Basic Configuration 3

Web – Click System, Switch Information.

Figure 3-4 Switch Information

CLI – Use the following command to display version information.

Console#show version    4-71
Serial Number: 0012CF422DC0
Service Tag:
Hardware Version: R0B
EPLD Version: 0.00
Number of Ports: 26
Main Power Status: Up
Loader Version: 1.0.0.2
Boot ROM Version: 1.0.0.2
Operation Code Version: 1.0.1.
Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.

Field Attributes
• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
CLI – Enter the following command.

Console#show bridge-ext    4-220
Max Support VLAN Numbers: 256
Max Support VLAN ID: 4094
Extended Multicast Filtering Services: No
Static Entry Individual Port: Yes
VLAN Learning: IVL
Configurable PVID Tagging: Yes
Local VLAN Capable: No
Traffic Classes: Enabled
Global GVRP Status: Disabled
GMRP: Disabled
Console#

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access over the network.
Manual Configuration

Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.

Figure 3-6 Manual IP Configuration

CLI – Specify the management interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1 255.255.255.
Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
CLI – Enter the following command to restart DHCP service.

Console#ip dhcp restart    4-299
Console#

Enabling Jumbo Frames

You can enable jumbo frames to support data packets up to 9000 bytes in size.

Command Attributes
• Jumbo Packet Status – Check the box to enable jumbo frames.

Web – Click System, Jumbo Frames.

Figure 3-8 Jumbo Frames Configuration

CLI – Enter the following command.
Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch. The currently designated startup version of this file cannot be deleted.

Downloading System Software from a Server

When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.
To delete a file select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted.

Figure 3-11 Deleting Files

CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names.
- startup-config to running-config – Copies the startup config to the running config.
- startup-config to tftp – Copies the startup configuration to a TFTP server.
- tftp to file – Copies a file from a TFTP server to the switch.
- tftp to running-config – Copies a file from a TFTP server to the running config.
- tftp to startup-config – Copies a file from a TFTP server to the startup config.
• TFTP Server IP Address – The IP address of a TFTP server.
Note: You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page.

Figure 3-13 Setting the Startup Configuration Settings

CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config
TFTP server ip address: 192.168.1.
• Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 0-65535 seconds; Default: 600 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts.
Figure 3-14 Console Port Settings

CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Telnet Settings

You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the web or CLI interface.

Command Attributes
• Telnet Status – Enables or disables Telnet access to the switch.
Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.

Figure 3-15 Enabling Telnet

CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages.

Displaying Log Messages

The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e.
Command Attributes
• System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)
• Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash.
CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-18 Remote Logs

CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.

Console(config)#logging host 192.168.1.
Basic Configuration 3 • Severity – Specifies the degree of urgency that the message carries. • Debugging – Sends a debugging notification. (Level 7) • Information – Sends informatative notification only. (Level 6) • Notice – Sends notification of a normal but significant condition, such as a cold start. (Level 5) • Warning – Sends notification of a warning condition such as return false, or unexpected return.
3 Configuring the Switch CLI – Enter the host ip address, followed by the mail severity level, source and destination email addresses and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging Console(config)#logging Console(config)#logging bill@this-company.com Console(config)#logging ted@this-company.com Console(config)#logging Console# sendmail host 192.168.1.
Setting the System Clock
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also set the clock manually (see “Setting the Time Manually” on page 3-34). If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Command Attributes
• Current Time – Displays the current time.
• Name – Assigns a name to the time zone.
Figure 3-23 Setting the Current Date and Time
CLI – This example sets the system clock time and then displays the current time and date.
Console#calendar set 17 46 00 october 18 2007
Console#show calendar
17:46:11 October 18 2007
Console#
Simple Network Management Protocol
SNMP is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined: SNMPv1, SNMPv2c, and SNMPv3.
• Community String – A community string that acts like a password and permits access to the SNMP protocol. (Default strings: “public” (read-only), “private” (read/write); Range: 1-32 characters, case sensitive)
• Access Mode
- Read-Only – Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
- Read/Write – Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
• Trap Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (The default is version 1.)
• Trap Security Level – Specifies the security level.
• Enable Authentication Traps – Issues a trap message whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
• Enable Link-up and Link-down Traps – Issues a trap message whenever a port link is established or broken.
Web – Click SNMP, Agent Status.
Figure 3-26 Enabling SNMP Agent Status
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e.
Web – Click SNMP, SNMPv3, Engine ID.
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent.
• Authentication Password – A minimum of eight plain text characters is required.
• Privacy – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
• Actions – Enables the user to be assigned to another SNMPv3 group.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list.
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Command Attributes
• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
• Model – The user security model; SNMP v1, v2c or v3.
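The engine-ID localization that the two preceding paragraphs rely on is the RFC 3414 password-to-key procedure. The following is an added example, not code from this guide or from the switch firmware: it derives the user key (Ku) from the password, localizes it with an engine ID (Kul), enforces the eight-character minimum the user settings require, and splits a localized key into the DES key and pre-IV used for 56-bit DES privacy. The engine IDs are constructed sample values.

```python
import hashlib

MIN_PASSWORD_CHARS = 8      # minimum length stated for SNMPv3 authentication passwords
EXPANDED_LEN = 1048576      # RFC 3414 A.2: the password is repeated out to 1 MiB before hashing


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated cyclically to exactly EXPANDED_LEN bytes."""
    if len(password) < MIN_PASSWORD_CHARS:
        raise ValueError("SNMPv3 passwords must be at least 8 characters")
    pw = password.encode()
    stream = (pw * (EXPANDED_LEN // len(pw) + 1))[:EXPANDED_LEN]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent actually uses for this engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)


def des_privacy_material(localized_key: bytes) -> tuple:
    """RFC 3414 8.1.1.1: first 8 bytes are the DES key (parity bits included),
    the next 8 bytes are the pre-IV that is XORed with the salt per message."""
    if len(localized_key) < 16:
        raise ValueError("localized key too short for DES privacy")
    return localized_key[:8], localized_key[8:16]


def same_password_differs_per_engine(password: str) -> bool:
    """Why the remote engine ID must be entered before a remote user works:
    the same password yields a different localized key for every engine."""
    local_engine = bytes.fromhex("000000000000000000000002")   # constructed sample
    remote_engine = bytes.fromhex("0000000000000000000000aa")  # constructed sample
    return localized_auth_key(password, local_engine) != localized_auth_key(password, remote_engine)


if __name__ == "__main__":
    key = localized_auth_key("maplesyrup", bytes.fromhex("000000000000000000000002"))
    des_key, pre_iv = des_privacy_material(key)
    print("localized MD5 key:", key.hex())
    print("DES key:", des_key.hex(), "pre-IV:", pre_iv.hex())
```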
Table 3-5 Supported Notification Messages (Continued)
Object Label | Object ID | Description
linkDown (a) | 1.3.6.1.6.3.1.1.5.3 | A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus.
linkUp | 1.3.6.1.6.3.1.1.5.
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Figure 3-31 Configuring SNMPv3 Groups
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree.
• Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
User Authentication
You can restrict management access to this switch using the following options:
• User Accounts – Manually configure access rights on the switch for specified users.
• Authentication Settings – Use remote authentication to configure access rights.
• HTTPS Settings – Provide a secure web connection.
• SSH Settings – Provide a secure shell (for secure Telnet access).
• Port Security – Configure secure addresses for individual ports.
• 802.1X – Use IEEE 802.
Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 3-33 Access Levels
CLI – Assign a user name to access-level 15 (i.e.
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Command Attributes
• Authentication – Select the authentication, or authentication sequence required:
- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ server only.
- [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
CLI – Specify all the required parameters to enable logon authentication.
Console(config)#authentication login radius
Console(config)#radius-server auth-port 181
Console(config)#radius-server key green
Console(config)#radius-server retransmit 5
Console(config)#radius-server timeout 10
Console(config)#radius-server 1 host 192.168.1.
AAA Authorization and Accounting
The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows:
• Authentication — Identifies users that request access to the network.
• Authorization — Determines if users can access specific services.
• Accounting — Provides reports, auditing, and billing for services that users have accessed on the network.
Configuring AAA RADIUS Group Settings
The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization.
Command Attributes
• Group Name - Defines a name for the RADIUS server group. (1-255 characters)
• Server Index - Specifies the RADIUS server and sequence to use for the group.
Web – Click Security, AAA, TACACS+ Group Settings. Enter the TACACS+ group name, followed by the number of the server, then click Add.
Figure 3-36 AAA TACACS+ Group Settings
CLI – Specify the group name for a list of TACACS+ servers, and then specify the index number of a TACACS+ server to add it to the group.
Web – Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add.
Figure 3-37 AAA Accounting Settings
CLI – Specify the accounting method required, followed by the chosen parameters.
AAA Accounting Update
This feature sets the interval at which accounting updates are sent to accounting servers.
Command Attributes
Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled)
Web – Click Security, AAA, Accounting, Periodic Update. Enter the required update interval and click Apply.
Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply.
Figure 3-39 AAA Accounting 802.1X Port Settings
CLI – Specify the accounting method to apply to the selected interface.
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps-method
Console(config-if)#
AAA Accounting Exec Command Privileges
This feature specifies a method name to apply to commands entered at specific CLI privilege levels.
Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply.
Figure 3-40 AAA Accounting Exec Command Privileges
CLI – Specify the accounting method to use for console and Telnet privilege levels.
AAA Accounting Exec Settings
This feature specifies a method name to apply to console and Telnet connections.
Command Attributes
Method Name - Specifies a user defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Figure 3-41 AAA Accounting Exec Settings
CLI – Specify the accounting method to use for Console and Telnet interfaces.
Web – Click Security, AAA, Summary.
Figure 3-42 AAA Accounting Summary
CLI – Use the following command to display the currently applied accounting methods, and registered users.
Console#show accounting statistics
Total entries: 3
Acconting type : dot1x
Username : testpc
Interface : eth 1/1
Time elapsed since connected: 00:24:44
Acconting type : exec
Username : admin
Interface : vty 0
Time elapsed since connected: 00:25:09
Console#
Authorization Settings
AAA authorization is a feature that verifies a user has access to specific services.
Command Attributes
• Method Name – Specifies an authorization method for service requests.
Authorization EXEC Settings
This feature specifies an authorization method name to apply to console and Telnet connections.
Command Attributes
Method Name - Specifies a user-defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Web – Click Security, AAA, Authorization, Summary.
Figure 3-45 AAA Authorization Summary
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Command Usage
• Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
• Change HTTPS Port Number – Specifies the UDP port number used for HTTPS connection to the switch’s web interface. (Default: Port 443)
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.
Figure 3-46 HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.
Configuring the Secure Shell
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks. The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools.
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-73) to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-48.) The clients are subsequently authenticated using these keys.
Configuring the SSH Server
The SSH server includes basic settings for authentication.
Field Attributes
• SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled)
• Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
Console(config)#ip ssh server
Console(config)#ip ssh timeout 100
Console(config)#ip ssh authentication-retries 5
Console(config)#ip ssh server-key size 512
Console(config)#end
Console#show ip ssh
SSH Enabled - version 2.
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Figure 3-48 SSH Host-Key Settings
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Configuring Port Security
Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
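To make the learning limit and the violation actions (none, trap, shutdown, trap-and-shutdown, as listed under the port information fields) concrete, here is an added simulation that is not code from this guide or from the switch. It assumes that statically authorized addresses count toward the maximum and that, once the maximum is reached, any further unknown source MAC triggers the configured action; MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# Violation actions named on this page for port security.
ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")


@dataclass
class SecurePort:
    name: str
    enabled: bool = False
    max_mac: int = 0                 # page range: 0-1024 addresses
    action: str = "none"
    learned: set = field(default_factory=set)
    admin_up: bool = True
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown port security action: {self.action}")
        if not 0 <= self.max_mac <= 1024:
            raise ValueError("max MAC count must be 0-1024")

    def authorize(self, mac: str) -> None:
        """Statically add an authorized address (assumed to count toward max_mac)."""
        self.learned.add(mac.lower())

    def receive(self, mac: str) -> bool:
        """Handle a frame with source address `mac`; return True if it is forwarded."""
        mac = mac.lower()
        if not self.admin_up:
            return False                          # a shut-down port forwards nothing
        if mac in self.learned:
            return True                           # known address: always forwarded
        if not self.enabled or len(self.learned) < self.max_mac:
            self.learned.add(mac)                 # still room: learn it
            return True
        # Violation: the limit is reached and an unknown source MAC appeared.
        if "trap" in self.action:
            self.events.append(f"trap: {self.name} unauthorized MAC {mac}")
        if "shutdown" in self.action:
            self.admin_up = False
            self.events.append(f"{self.name} administratively shut down")
        return False                              # the violating frame is dropped


if __name__ == "__main__":
    port = SecurePort("eth 1/5", enabled=True, max_mac=2, action="trap-and-shutdown")
    for src in ("00-00-01-02-03-04", "00-00-01-02-03-05", "00-00-01-02-03-06"):
        print(src, "forwarded" if port.receive(src) else "dropped")
    print(port.events)
```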
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) 802.1x to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights.
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
Displaying 802.1X Global Settings
The 802.1X protocol provides client authentication.
Command Attributes
• 802.1X System Authentication Control – The global setting for 802.1X.
Web – Click Security, 802.1X, Information.
Figure 3-50 802.1X Global Information
CLI – This example shows the default global setting for 802.1X.
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name Status
1/1 disabled
1/2 disabled
. . .
802.
Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply.
Figure 3-51 802.1X Global Configuration
CLI – This example enables 802.1X globally for the switch.
Console(config)#dot1x system-auth-control
Console(config)#
Configuring Port Settings for 802.1X
When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e.
• Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
• Tx Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
• Intrusion Action – Sets the port’s response to a failed authentication.
- Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-105.
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-7 802.1X Statistics
Parameter | Description
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff | The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid | The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 3-53 Displaying 802.1X Port Statistics
CLI – This example displays the 802.1X statistics for port 4.
Notes:
1. MAC authentication, web authentication, 802.1X, and port security cannot be configured together on the same port. Only one security mechanism can be applied.
2. RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See “Configuring Local/Remote Logon Authentication” on page 3-50)
3. Web authentication cannot be configured on trunk ports.
CLI – This example globally enables the system authentication control, configures the session timeout, quiet period and login attempts, and displays the configured global parameters.
CLI – This example enables web authentication for ethernet port 1/5 and displays a summary of web authentication parameters.
CLI – This example displays web authentication parameters for port 1/5.
Console#show web-auth interface ethernet 1/5
Web Auth Status : Enabled
Host Summary
IP address Web-Auth-State Remaining-Session-Time
--------------- -------------- ----------------------
Console#
Re-authenticating Web Authenticated Ports
The switch allows an administrator to manually force re-authentication of any web-authenticated host connected to any port.
The Network Access feature controls host access to the network by authenticating its MAC address on the connected switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed.
Web – Click Security, Network Access, Configuration.
Figure 3-58 Network Access Configuration
CLI – This example sets and displays the reauthentication time.
Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk members are indicated on the Network Access Port Configuration page in the “Trunk” column.
Web – Click Security, Network Access, Port Configuration.
Figure 3-59 Network Access Port Configuration
CLI – This example configures MAC authentication for port 1.
Displaying Secure MAC Address Information
Authenticated MAC addresses are stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
Command Attributes
• Network Access MAC Address Count – The number of MAC addresses currently in the secure MAC address table.
• Query By – Specifies parameters to use in the MAC address query.
• Port – Specifies a port interface.
Access Control Lists
CLI – This example displays all entries currently in the secure MAC address table.
Console#show network-access mac-address-table
---- ----------------- --------------- ---------
Port MAC-Address RADIUS-Server Attribute
---- ----------------- --------------- ---------
1/1 00-00-01-02-03-04 172.155.120.17 Static
1/1 00-00-01-02-03-05 172.155.120.17 Dynamic
1/1 00-00-01-02-03-06 172.155.120.17 Static
1/3 00-00-01-02-03-07 172.155.120.
Setting the ACL Name and Type
Use the ACL Configuration page to designate the name and type of an ACL.
Command Attributes
• Name – Name of the ACL. (Maximum length: 15 characters)
• Type – There are three filtering modes:
- Standard – IP ACL mode that filters packets based on the source IP address.
- Extended – IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number.
indicate “ignore.” The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.
• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP)
• Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535)
• Source/Destination Port Bitmask – Decimal number representing the port bits to match.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
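The Standard and Extended IP ACL rules above (address plus mask, protocol, port plus port bitmask) can be checked against sample packets with the following added example, which is not code from this guide or from the switch. It assumes that a 1 bit in an address mask or port bitmask means "compare this bit" and a 0 bit means "ignore", that rules are evaluated in order with the first match deciding, and that a packet matching no rule is denied; the ACL names, addresses and ports are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = 0x00000000    # address type "Any": no bits compared
HOST = 0xFFFFFFFF   # address type "Host": all 32 bits compared
TCP, UDP = 6, 17


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: int = ANY
    dst: str = "0.0.0.0"
    dst_mask: int = ANY
    proto: Optional[int] = None     # None: any protocol
    sport: int = 0
    sport_bitmask: int = 0          # 0: ignore the source port
    dport: int = 0
    dport_bitmask: int = 0          # 0: ignore the destination port


def addr_matches(pkt_addr: str, rule_addr: str, mask: int) -> bool:
    # Assumption: mask bit 1 = compare, 0 = ignore; both sides are ANDed with the mask.
    return (_ip(pkt_addr) & mask) == (_ip(rule_addr) & mask)


def port_matches(pkt_port: int, rule_port: int, bitmask: int) -> bool:
    # The port bitmask selects which bits of the 16-bit port number are compared.
    return (pkt_port & bitmask) == (rule_port & bitmask)


def rule_matches(rule: Rule, pkt: Packet, extended: bool) -> bool:
    if not addr_matches(pkt.src, rule.src, rule.src_mask):
        return False
    if not extended:                # a Standard ACL looks only at the source address
        return True
    if not addr_matches(pkt.dst, rule.dst, rule.dst_mask):
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    return (port_matches(pkt.sport, rule.sport, rule.sport_bitmask)
            and port_matches(pkt.dport, rule.dport, rule.dport_bitmask))


class IPAcl:
    def __init__(self, name: str, acl_type: str, rules: List[Rule]) -> None:
        if not 1 <= len(name) <= 15:
            raise ValueError("ACL name must be 1-15 characters")
        if acl_type not in ("standard", "extended"):
            raise ValueError("ACL type must be standard or extended")
        for r in rules:
            if r.action not in ("permit", "deny"):
                raise ValueError("rule action must be permit or deny")
        self.name, self.acl_type, self.rules = name, acl_type, rules

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule wins; no match means deny (assumed implicit deny)."""
        for rule in self.rules:
            if rule_matches(rule, pkt, self.acl_type == "extended"):
                return rule.action
        return "deny"


# Constructed sample: ingress ACL protecting a server at 10.1.100.5.
SERVER_IN = IPAcl("server-in", "extended", [
    # HTTP only from the 10.1.0.0/16 campus range.
    Rule("permit", src="10.1.0.0", src_mask=0xFFFF0000, dst="10.1.100.5", dst_mask=HOST,
         proto=TCP, dport=80, dport_bitmask=0xFFFF),
    # DNS from anywhere.
    Rule("permit", dst="10.1.100.5", dst_mask=HOST, proto=UDP, dport=53, dport_bitmask=0xFFFF),
    # Bitmask 0xFC00 ignores the low 10 bits, so port 0 with it means "any port 0-1023".
    Rule("deny", dst="10.1.100.5", dst_mask=HOST, proto=TCP, dport=0, dport_bitmask=0xFC00),
    # Remaining TCP (high ports) is allowed.
    Rule("permit", proto=TCP),
])

# Constructed sample: Standard ACL admitting one management subnet.
MGMT_IN = IPAcl("mgmt-in", "standard", [
    Rule("permit", src="10.1.2.0", src_mask=0xFFFFFF00),
])
```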
Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
Command Attributes
• Port – Fixed port or SFP module. (Range: 1-26)
• IP – Specifies the IP ACL to bind to a port.
• MAC – Specifies the MAC ACL to bind to a port.
• IN – ACL for ingress packets.
Web – Click Security, ACL, Port Binding. Click Edit to open the configuration page for the ACL type. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply.
addresses or address ranges.
• When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
• You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.3
Console(config)#end
Console#show management all-client
Management IP Filter
HTTP-Client:
Start IP address End IP address
-----------------------------------------------
SNMP-Client:
Start IP address End IP address
-----------------------------------------------
1. 10.1.2.3 10.1.2.
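The management IP filter rules just described (separate SNMP, web and Telnet groups, no overlapping ranges within a group, overlap allowed across groups, and no deletion of a single address out of a range) are modelled in this added example, which is not code from this guide or from the switch. It assumes that a group with no entries accepts any client, and the addresses are constructed samples.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# The three management groups the page names, each with its own list of ranges.
GROUPS = ("snmp", "http", "telnet")


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


class ManagementFilter:
    def __init__(self) -> None:
        self.ranges: Dict[str, List[Tuple[int, int]]] = {g: [] for g in GROUPS}

    def _check_group(self, group: str) -> None:
        if group not in GROUPS:
            raise ValueError(f"unknown management group: {group}")

    def add(self, group: str, start: str, end: Optional[str] = None) -> None:
        """Add one client (end omitted) or an address range to a group."""
        self._check_group(group)
        s, e = _ip(start), _ip(end or start)
        if s > e:
            raise ValueError("range start must not be above range end")
        # Overlap is rejected only against ranges already in the same group.
        for a, b in self.ranges[group]:
            if s <= b and a <= e:
                raise ValueError(f"{group}: overlaps an existing range")
        self.ranges[group].append((s, e))

    def remove(self, group: str, start: str, end: Optional[str] = None) -> None:
        """Remove a range exactly as entered; a single address inside a range is refused."""
        self._check_group(group)
        entry = (_ip(start), _ip(end or start))
        if entry not in self.ranges[group]:
            raise ValueError("no such entry; delete the entire range as it was entered")
        self.ranges[group].remove(entry)

    def allows(self, group: str, client: str) -> bool:
        """Assumption: an empty group list places no restriction on that service."""
        self._check_group(group)
        if not self.ranges[group]:
            return True
        c = _ip(client)
        return any(a <= c <= b for a, b in self.ranges[group])

    def show(self, group: str) -> List[str]:
        """Rows in the 'index start end' shape of show management."""
        self._check_group(group)
        return [f"{i}. {ipaddress.IPv4Address(a)} {ipaddress.IPv4Address(b)}"
                for i, (a, b) in enumerate(self.ranges[group], 1)]


if __name__ == "__main__":
    f = ManagementFilter()
    f.add("snmp", "10.1.2.3")
    print(f.show("snmp"), f.allows("snmp", "10.1.2.3"), f.allows("snmp", "10.1.2.4"))
```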
Port Configuration
Web – Click Port, Port Information or Trunk Information.
Figure 3-67 Displaying Port/Trunk Information
Field Attributes (CLI)
Basic Information:
• Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-15.)
Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.e.
• Port Security – Shows if port security is enabled or disabled.
• Max MAC count – Shows the maximum number of MAC addresses that can be learned by a port. (0 - 1024 addresses)
• Port security action – Shows the response to take when a security violation is detected. (shutdown, trap, trap-and-shutdown, or none)
Current Status:
• Link Status – Indicates if the link is up or down.
• Port Operation Status – Provides detailed information on port state.
• Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled)
• Flow Control – Allows automatic or manual selection of flow control.
• Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control.
CLI – Select the interface, and then enter the required settings.
Console(config)#interface ethernet 1/3
Console(config-if)#description RD SW#13
Console(config-if)#shutdown
.
Console(config-if)#no shutdown
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 100half
Console(config-if)#flowcontrol
.
Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 12 trunks at a time. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
Statically Configuring a Trunk
Command Usage
• When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Command Attributes
• Member List (Current) – Shows configured trunks (Port).
• New – Includes entry fields for creating new trunks.
- Port – Port identifier. (Range: 1-26)
Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Figure 3-70 LACP Trunk Configuration
CLI – The following example enables LACP for ports 1 to 6.
Configuring LACP Parameters
Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria:
• Ports must have the same LACP System Priority.
• Ports must have the same LACP port Admin Key.
• However, if the “port channel” Admin Key is set (page 4-142), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group.
partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
. . .
Table 3-8 LACP Port Counters (Continued)
Field – Description
Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
Marker Illegal Pkts – Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.
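The two counter definitions above are easier to reason about against real frames. The following is an added example (not the switch's firmware) that sorts received Slow Protocols frames into the same categories; the Ethernet Type 0x8809, group address 01-80-C2-00-00-02 and subtypes 1 (LACP) and 2 (Marker) are from IEEE 802.3, while treating subtypes 3-10 as "unknown" and 0 or 11-255 as "illegal" is an assumption made here, and all sample frames are constructed.

```python
# Added example (not the switch's firmware): classify received Slow Protocols
# frames into the categories the LACP port counters in Table 3-8 describe.
# Constants are from IEEE 802.3 (Link Aggregation). Splitting subtypes into
# reserved/unknown (3-10) and illegal (0, 11-255) is an assumption of this example.
import struct
from collections import Counter

SLOW_PROTOCOLS_ETHERTYPE = 0x8809
SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")   # Slow Protocols group address
SUBTYPE_LACP = 1
SUBTYPE_MARKER = 2
RESERVED_SUBTYPES = range(3, 11)
ETH_HEADER_LEN = 14


def classify_slow_protocol_frame(frame: bytes) -> str:
    """Return 'lacpdu', 'marker', 'marker_unknown', 'marker_illegal' or 'other'."""
    if len(frame) < ETH_HEADER_LEN:
        return "other"
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[ETH_HEADER_LEN:]
    if ethertype != SLOW_PROTOCOLS_ETHERTYPE:
        # Case (2) of Marker Unknown Pkts: sent to the Slow Protocols group
        # address but without the Slow Protocols Ethernet Type.
        return "marker_unknown" if dst == SLOW_PROTOCOLS_MAC else "other"
    if not payload:
        return "marker_illegal"          # badly formed: no Protocol Subtype octet
    subtype = payload[0]
    if subtype == SUBTYPE_LACP:
        return "lacpdu"
    if subtype == SUBTYPE_MARKER:
        return "marker"
    if subtype in RESERVED_SUBTYPES:
        return "marker_unknown"          # case (1): right type, unknown PDU
    return "marker_illegal"              # illegal Protocol Subtype value


def count_slow_protocol_frames(frames) -> dict:
    """Tally frames the way the per-port counters would."""
    return dict(Counter(classify_slow_protocol_frame(f) for f in frames))


def make_frame(dst: bytes, ethertype: int, payload: bytes,
               src: bytes = bytes.fromhex("0012cf0b0d01")) -> bytes:
    """Build a minimal Ethernet frame (constructed sample data, no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample frames, one or two per counter category.
SAMPLE_FRAMES = [
    make_frame(SLOW_PROTOCOLS_MAC, SLOW_PROTOCOLS_ETHERTYPE, bytes([SUBTYPE_LACP, 1]) + b"\x00" * 108),
    make_frame(SLOW_PROTOCOLS_MAC, SLOW_PROTOCOLS_ETHERTYPE, bytes([SUBTYPE_MARKER, 1])),
    make_frame(SLOW_PROTOCOLS_MAC, SLOW_PROTOCOLS_ETHERTYPE, bytes([5])),      # reserved subtype
    make_frame(SLOW_PROTOCOLS_MAC, 0x88CC, b"\x02\x07"),                        # other type to slow MAC
    make_frame(SLOW_PROTOCOLS_MAC, SLOW_PROTOCOLS_ETHERTYPE, bytes([0xFF])),   # illegal subtype
    make_frame(SLOW_PROTOCOLS_MAC, SLOW_PROTOCOLS_ETHERTYPE, b""),             # missing subtype
    make_frame(bytes.fromhex("ffffffffffff"), 0x0806, b"\x00" * 28),           # ARP, not counted
]

if __name__ == "__main__":
    for name, n in sorted(count_slow_protocol_frames(SAMPLE_FRAMES).items()):
        print(f"{name:16s} {n}")
```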
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the local side of a link aggregation.
Table 3-9 LACP Internal Configuration Information
Field – Description
Oper Key – Current operational value of the key for the aggregation port.
Admin Key – Current administrative value of the key for the aggregation port.
LACPDUs Interval – Number of seconds before invalidating received LACPDU information.

Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.
Figure 3-73 LACP - Port Internal Information
CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.

Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side of a link aggregation.
Table 3-10 LACP Neighbor Configuration Information
Field – Description
Partner Admin System ID – LAG partner’s system ID assigned by the user.
Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number – Current administrative value of the port number for the protocol Partner.

CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.

Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply.
Figure 3-75 Port Broadcast Control
CLI – Set the threshold, then enable broadcast control on any interface. The following sets the broadcast control threshold at 500 kbytes per second, and then enables broadcast storm control for port 1.

Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Figure: source port(s) mirrored to a single target port (diagram)
Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.

Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports.
CLI – This example sets the rate limit level for input traffic passing through port 3.
Console#config
Console(config)#interface ethernet 1/3
Console(config-if)#rate-limit input scale 80k level 5
Console(config-if)#

Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Table 3-11 Port Statistics (Continued)
Parameter – Description
Transmit Multicast Packets – The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent.

Table 3-11 Port Statistics (Continued)
Parameter – Description
RMON Statistics
Drop Events – The total number of events in which packets were dropped due to lack of resources.
Jabbers – The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Received Bytes – Total number of bytes of data received on the network.

Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.

CLI – This example shows statistics for port 13.

Address Table Settings
Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.
Figure 3-79 Configuring a Static Address Table
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.

Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.
Figure 3-80 Configuring a Dynamic Address Table
CLI – This example also displays the address table entries for port 1.

Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables/disables the function.
• Aging Time – The time after which a learned entry is discarded. (Range: 10-98301 seconds; Default: 300 seconds)
Web – Click Address Table, Address Aging. Specify the new aging time, then click Apply.
Figure 3-81 Setting the Address Aging Time
CLI – This example sets the aging time to 300 seconds.

Spanning Tree Algorithm Configuration
disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
Figure: Designated Root, Designated Bridge, Designated Port and Root Port (diagram)
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.

message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
• Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
• Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e.

• Root Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.

Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.

address will then become the root device. (Note that lower numeric values indicate higher priority.)
- Default: 32768
- Range: 0-61440, in steps of 4096
- Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
Root Device Configuration
• Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
- Default: 2
- Minimum: 1
- Maximum: The lower of 10 or [(Max.

Configuration Settings for MSTP
• Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned.
• Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
• Region Name – The name for this MSTI. (Maximum length: 32 characters)
• Maximum Hop Count – The maximum number of hops allowed in the MST region before a BPDU is discarded.

CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.

by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-135.
• Oper Edge Port – This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 3-135 (i.e., true or false), but will be set to false if a BPDU is received, indicating that another bridge is attached to this port.

Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
• Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
• Fast forwarding – This field provides the same information as Admin Edge port, and is only included for backward compatibility with earlier products.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
--------------------------------------------------------------
Admin status: enabled
Role: disable
State: discarding
Path cost: 10000
Priority: 128
Designated cost: 0
Designated port : 128.5
Designated root: 32768.0012CF0B0D00
Designated bridge: 32768.
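The "Designated root" value above is a bridge identifier in the priority.MAC form, and the global settings section states that the lowest value wins the root election and that priorities must be multiples of 4096 between 0 and 61440. The following added example (not part of the switch software) parses that form, validates a priority against those rules, and runs the election over a constructed set of bridge IDs so an operator can check whether the intended bridge is still the root.

```python
# Added example, not part of the switch software: parse the "priority.MAC"
# bridge identifiers printed by show spanning-tree (e.g. 32768.0012CF0B0D00),
# check that a configured priority is one of the legal 4096 steps, and elect
# the root the way STA does: the lowest bridge ID (priority first, then MAC) wins.
from dataclasses import dataclass
from typing import Iterable

PRIORITY_STEP = 4096
PRIORITY_MAX = 61440
DEFAULT_PRIORITY = 32768
HEX_DIGITS = set("0123456789ABCDEF")


def validate_bridge_priority(priority: int) -> bool:
    """True only for 0, 4096, 8192, ... 61440, the options the manual lists."""
    return 0 <= priority <= PRIORITY_MAX and priority % PRIORITY_STEP == 0


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int
    mac: str  # 12 upper-case hex digits, so string order equals numeric order

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        prio_text, _, mac = text.partition(".")
        priority = int(prio_text)
        mac = mac.upper()
        if len(mac) != 12 or not set(mac) <= HEX_DIGITS:
            raise ValueError(f"bad MAC in bridge ID {text!r}")
        if not validate_bridge_priority(priority):
            raise ValueError(f"priority {priority} is not a multiple of 4096 in 0-61440")
        return cls(priority, mac)

    def __str__(self) -> str:
        return f"{self.priority}.{self.mac}"


def elect_root(bridge_ids: Iterable[str]) -> BridgeId:
    """Lower numeric values mean higher priority; the lowest ID becomes the root device."""
    return min(BridgeId.parse(b) for b in bridge_ids)


def root_is_expected(expected: str, observed_bridge_ids: Iterable[str]) -> bool:
    """Operational check: does the set of bridges seen on the network still elect
    the bridge the design intended? Any bridge advertising a lower priority
    (or an equal priority with a lower MAC) moves the root elsewhere."""
    return elect_root(list(observed_bridge_ids)) == BridgeId.parse(expected)


if __name__ == "__main__":
    # Constructed sample: two bridges at the default priority and one set to 4096.
    seen = ["32768.0012CF0B0D00", "32768.0012CF0B0C00", "4096.00AABBCCDDEE"]
    print("root:", elect_root(seen))
    print("intended root still elected:", root_is_expected("32768.0012CF0B0C00", seen))
```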
Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
• Default: 128
• Range: 0-240, in steps of 16
• Path Cost – This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.

Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply.
Figure 3-85 Configuring Spanning Tree per Port
CLI – This example sets STA attributes for port 7.

Command Attributes
• MST Instance – Instance identifier of this spanning tree. (Default: 0)
• Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440; Default: 32768)
• VLANs in MST Instance – VLANs assigned to this instance.
• MST ID – Instance identifier to configure.
CLI – This example sets STA attributes for port 1, followed by settings for each port.
Console#show spanning-tree mst 2
Spanning-tree information
--------------------------------------------------------------
Spanning tree mode :MSTP
Spanning tree enable/disable :enable
Instance :2
Vlans configuration :2
Priority :4096
Bridge Hello Time (sec.) :2
Bridge Max Age (sec.) :20
Bridge Forward Delay (sec.) :15
Root Hello Time (sec.) :2
Root Max Age (sec.
Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values.

CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree.

- Discarding – Port receives STA configuration messages, but does not forward packets.
- Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
- Forwarding – Port forwards packets, and continues learning addresses.
• Trunk – Indicates if a port is a member of a trunk.
Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply.
Figure 3-88 Displaying MSTP Interface Settings
CLI – This example sets the MSTP attributes for port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#spanning-tree mst port-priority 0
Console(config-if)#spanning-tree mst cost 50
Console(config-if)

VLAN Configuration
IEEE 802.
This switch supports the following VLAN features:
• Up to 255 VLANs based on the IEEE 802.1Q standard
• Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol
• Port overlapping, allowing a port to participate in multiple VLANs
• End stations can belong to multiple VLANs
• Passing traffic between VLAN-aware and VLAN-unaware devices
• Priority tagging
Note: The switch allows 255 user-manageable VLANs.

Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets. However, you should use IEEE 802.

Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports. Ports can be assigned to multiple tagged VLANs, but are only allowed one untagged VLAN. Each port on the switch is capable of passing tagged or untagged frames.

Displaying Basic VLAN Information
The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.
Field Attributes
• VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
• Maximum VLAN ID – Maximum VLAN ID recognized by this switch.
• Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch.
Web – Click VLAN, 802.1Q VLAN, Basic Information.

• Up Time at Creation – Time this VLAN was created (i.e., System Up Time).
• Status – Shows how this VLAN was added to the switch.
- Dynamic GVRP: Automatically learned via GVRP.
- Permanent: Added as a static entry.
• Egress Ports – Shows all the VLAN port members.
• Untagged Ports – Shows the untagged VLAN port members.
Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list.

CLI – Current VLAN information can be displayed with the following command.

Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
Figure 3-92 Configuring a VLAN Static List
CLI – This example creates a new VLAN.

• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
- Enable: VLAN is operational.
- Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
- Tagged: Interface is a member of the VLAN.

CLI – The following example adds tagged and untagged ports to VLAN 2.

Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.

or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.

CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.

processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing. However, the SPVLAN tag is not added when it is sent out the tunnel access port on the edge switch into the customer’s network. The packet is sent as a normal IEEE 802.

5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
• Untagged
• One tag (CVLAN or SPVLAN)
• Double tag (CVLAN + SPVLAN)
The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.

Configuration Limitations for QinQ
• The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN.

Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Command Usage
• Use the TPID field to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames. For example, if 0x1234 is set as the custom 802.
CLI – This example sets the switch to operate in QinQ mode.
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#exit
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
. . .
Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply.
Figure 3-97 Tunnel Port Configuration
CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode.
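The QinQ flow described above (tunnel access port adds the SPVLAN outer tag, uplink port sees untagged, single-tagged or double-tagged frames, and egress strips the outer tag only for an untagged SPVLAN member) can be exercised on raw frames. The following is an added example, not the switch's code; it assumes the outer tag is written with the uplink's TPID (0x9100 as in the CLI example, or the standard 0x8100), leaves the PCP/DEI bits at zero, and uses constructed MAC addresses and payloads.

```python
# Added example (not the switch's code): model QinQ tag handling on raw Ethernet
# frames. TPID values come from the text (standard 0x8100, custom 0x9100 as in the
# CLI example); MAC addresses and payloads are constructed sample data.
import struct

STANDARD_TPID = 0x8100
CUSTOM_TPID = 0x9100      # the custom 802.1Q ethertype set in the CLI example
TYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """tags is an ordered list of (tpid, vid); the first entry is the outermost tag."""
    out = dst + src
    for tpid, vid in tags:
        out += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP/DEI bits left at 0 (assumption)
    return out + struct.pack("!H", ethertype) + payload


def read_tags(frame: bytes, tpids=(STANDARD_TPID,)):
    """Return [(tpid, vid), ...] from outermost inward, recognising only the given TPIDs."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in tpids:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4
    return tags


def push_outer_tag(frame: bytes, vid: int, tpid: int) -> bytes:
    """Insert a new outermost tag right after the source address."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def pop_outer_tag(frame: bytes, tpids) -> bytes:
    """Remove the outermost tag if its TPID is one the port recognises."""
    if len(frame) < 16:
        return frame
    (etype,) = struct.unpack_from("!H", frame, 12)
    return frame[:12] + frame[16:] if etype in tpids else frame


def tunnel_access_ingress(frame: bytes, spvlan: int, tpid: int = STANDARD_TPID) -> bytes:
    """Tunnel access port: add the SPVLAN outer tag in front of whatever the customer sent."""
    return push_outer_tag(frame, spvlan, tpid)


def classify_uplink_ingress(frame: bytes, tpids) -> str:
    """An uplink port receives untagged, one-tag or double-tag frames (the list above)."""
    return ("untagged", "single", "double")[min(len(read_tags(frame, tpids)), 2)]


def egress(frame: bytes, spvlan_untagged_member: bool, tpids) -> bytes:
    """Step 5 above: an untagged SPVLAN member strips the outer tag; a tagged member keeps both."""
    return pop_outer_tag(frame, tpids) if spvlan_untagged_member else frame


if __name__ == "__main__":
    dst, src = bytes.fromhex("0012cf0b0d00"), bytes.fromhex("001122334455")  # constructed
    customer = build_frame(dst, src, [(STANDARD_TPID, 10)], TYPE_IPV4, b"\x00" * 20)
    provider = tunnel_access_ingress(customer, 100, CUSTOM_TPID)
    both = (CUSTOM_TPID, STANDARD_TPID)
    print("after access ingress:", read_tags(provider, both), classify_uplink_ingress(provider, both))
    print("egress, untagged SPVLAN member:", read_tags(egress(provider, True, (CUSTOM_TPID,)), both))
    print("egress, tagged SPVLAN member:  ", read_tags(egress(provider, False, (CUSTOM_TPID,)), both))
```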
Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/secondary associated groups, and stand-alone isolated VLANs.

• Primary VLAN – The VLAN with which the selected VLAN ID is associated. A primary VLAN displays its own ID, a community VLAN displays the associated primary VLAN, and an isolated VLAN displays the stand-alone VLAN.
• Ports List – The list of ports (and assigned port type) in the selected private VLAN.
Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu.

• Current – Displays a list of the currently configured VLANs.
Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.

Web – Click VLAN, Private VLAN, Association. Select the required primary VLAN from the scroll-down box, highlight one or more community VLANs in the Non-Association list box, and click Add to associate these entries with the selected primary VLAN. (A community VLAN can only be associated with one primary VLAN.)
Figure 3-100 Private VLAN Association
CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.

Web – Click VLAN, Private VLAN, Port Information or Trunk Information.
Figure 3-101 Private VLAN Port Information
CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.

• Primary VLAN – Conveys traffic between promiscuous ports, and between promiscuous ports and community ports within the associated secondary VLANs. If PVLAN type is “Promiscuous,” then specify the associated primary VLAN.
• Community VLAN – A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports. Set PVLAN Port Type to “Host,” and then specify the associated Community VLAN.
• Trunk – The trunk identifier.

Protocol VLANs
You can configure VLAN behavior to support multiple protocols to allow traffic to pass through different VLANs. When a packet is received at a port, its VLAN membership is determined by the protocol type of the packet. A maximum of 20 Protocol VLAN groups can be configured on the switch.

Web – Click VLAN, Protocol VLAN, Configuration.
Figure 3-103 Protocol VLAN Configuration
CLI – This example shows the switch configured with Protocol VLANs 1 and 2. Protocol VLAN 1 has been configured with the fixed and preconfigured IP parameters. Protocol VLAN 2 has been configured based on user-defined input for IPv6 traffic (0x86DD) over Ethernet.

Web – Click VLAN, Protocol VLAN, Port Configuration.
Figure 3-104 Protocol VLAN Port Configuration
CLI – This example shows Ethernet interface 1 configured with Protocol VLAN Group 1 mapped to VLAN 5 and Protocol VLAN Group 2 mapped to VLAN 6.

Link Layer Discovery Protocol
Command Attributes
• LLDP – Enables LLDP globally on the switch. (Default: Enabled)
• Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds) This attribute must comply with the following rule: (transmission-interval * holdtime-multiplier) ≤ 65536
• Hold Time Multiplier – Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below.

Web – Click LLDP, Configuration. Enable LLDP, modify any of the timing parameters as required, and click Apply.
Figure 3-105 LLDP Configuration
CLI – This example sets several attributes which control basic LLDP message timing.

This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA-1057), or vendor-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. For information on defining SNMP trap destinations, see “Specifying Trap Managers and Trap Types” on page 3-37.

• MED TLV Type – Configures the information included in the MED TLV field of advertised messages.
- Port Capabilities – This option advertises LLDP-MED TLV capabilities, allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP-MED related TLVs are supported on the switch.
- Network Policy – This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.

CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise.
CLI – This example displays LLDP information for the local switch.
Console#show lldp info local-device
LLDP Local System Information
Chassis Type : MAC Address
Chassis ID : 00-01-02-03-04-05
System Name :
System Description : Layer2+ Fast Ethernet Standalone Switch ES3526XA
System Capabilities Support : Bridge
System Capabilities Enable : Bridge
Management Address : 192.168.0.
CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP.

CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.
switch#show lldp info statistics
LLDP Device Statistics
Neighbor Entries List Last Updated
New Neighbor Entries Count
Neighbor Entries Deleted Count
Neighbor Entries Dropped Count
Neighbor Entries Ageout Count
Interface
---------
Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
. . .
CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.

Class of Service Configuration
Command Attributes
• Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)
• Number of Egress Traffic Classes – The number of queue buffers provided for each port.
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.

Mapping CoS Values to Egress Queues
This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on Strict, Weighted Round Robin (WRR), or Hybrid. Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.

Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 3-113 Traffic Classes
CLI – The following example shows how to change the CoS assignments.

Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight for each queue, or you can choose a hybrid of these two methods.

these queues (and thereby to the corresponding traffic priorities). This weight sets the limit for the amount of packets the switch will transmit each time the queue is serviced, and subsequently affects the response time for software applications assigned a specific priority value. A queue’s weight must be less than or equal to the weight of the next higher priority queue (that is, Q0 ≤ Q1 ≤ Q2 ≤ Q3).

Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (TOS) octet or the number of the TCP port.

Mapping DSCP Priority
The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table.
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS queue 1 (on port 1), and then displays the DSCP Priority settings.
Console(config)#map ip dscp
Console(config)#map ip dscp 0 cos 1
Console(config)#end
Console#show map ip dscp
dscp Mapping Status: Enabled
DSCP COS
---- ---
   0   1
   1   0
   2   0
   3   0
. . .
Web* – Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS queue in the Class of Queue Service box, and then click Apply.
Figure 3-119 IP Port Priority
CLI* – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic to CoS queue 0, and then displays all the IP Port Priority settings on the switch.

Mapping IP Precedence Priority
The Type of Service (TOS) octet in the IPv4 header includes three precedence bits (see page 3-192) defining eight different priority levels ranging from highest priority (7) for network control packets to lowest priority (0) for routine traffic. Bits 6 and 7 are used for network control, and the other bits for various application types. Precedence values are defined in the following table.

Web* – Click Priority, IP Precedence Priority. Select an IP Precedence value in the IP Precedence Priority Table, enter a queue number in the Class of Queue Service Value field, and then click Apply.
Figure 3-121 Mapping IP Precedence to Class of Service Queues
CLI* – The following example globally enables IP Precedence priority on the switch, maps IP Precedence value 2 to CoS queue 0, and then displays all the IP Precedence settings.

Mapping IP TOS Priority
The Type of Service (TOS) octet in the IPv4 header is divided into three parts: Precedence (3 bits), TOS (4 bits), and MBZ (1 bit). The Precedence bits indicate the importance of a packet, whereas the TOS bits indicate how the network should make tradeoffs between throughput, delay, reliability, and cost (as defined in RFC 1394). The MBZ bit (for “must be zero”) is currently unused and is either set to zero or just ignored.

Web* – Click Priority, IP TOS Priority. Select an IP TOS value in the IP TOS Priority Table, enter a queue number in the Class of Queue Service Value field, and then click Apply.
Figure 3-123 Mapping IP TOS to Class of Service Queues
CLI* – The following example globally enables IP TOS priority on the switch, maps IP TOS value 2 to CoS queue 2, and then displays all the IP TOS settings.
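The DSCP, IP Precedence and IP TOS sections above all read the same octet of the IPv4 header in different ways. The following added example (not the switch's code) decodes that octet as Precedence/TOS/MBZ and as a 6-bit DSCP, shows why the top three DSCP bits always equal the precedence value, and maps a packet to one of the switch's four queues through a DSCP-to-CoS table; the table contents and the IPv4 headers are constructed for the example and are not the switch's defaults.

```python
# Added example (not the switch's code): decode the IPv4 TOS octet both ways the
# manual describes (Precedence/TOS/MBZ and 6-bit DSCP), show why DSCP stays
# compatible with the precedence bits, and map a packet to one of the four CoS
# queues. The DSCP-to-queue table here is constructed for the example and is not
# the switch's default mapping.
import struct

NUM_QUEUES = 4          # four priority queues per port on this switch
DSCP_MAX = 63


def split_tos_octet(tos: int):
    """Return (precedence, tos_bits, mbz) per the TOS layout: 3 + 4 + 1 bits."""
    return tos >> 5, (tos >> 1) & 0x0F, tos & 0x01


def dscp_from_tos_octet(tos: int) -> int:
    """DSCP is the upper six bits of the same octet."""
    return tos >> 2


def precedence_from_dscp(dscp: int) -> int:
    """The top three DSCP bits are the old precedence field; that is what keeps
    non-DSCP devices from conflicting with DSCP marking."""
    return dscp >> 3


class DscpToCosMap:
    """Mirror of the 'map ip dscp' table: DSCP value -> CoS queue."""

    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.table = {d: 0 for d in range(DSCP_MAX + 1)}   # constructed: all to queue 0

    def map_dscp(self, dscp: int, queue: int) -> None:
        if not 0 <= dscp <= DSCP_MAX:
            raise ValueError(f"DSCP {dscp} outside 0-{DSCP_MAX}")
        if not 0 <= queue < NUM_QUEUES:
            raise ValueError(f"queue {queue} outside 0-{NUM_QUEUES - 1}")
        self.table[dscp] = queue

    def queue_for_packet(self, ipv4_header: bytes, default_queue: int = 0) -> int:
        """Pick the egress queue for a packet; fall back to default_queue when
        DSCP mapping is globally disabled."""
        if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
            raise ValueError("not an IPv4 header")
        if not self.enabled:
            return default_queue
        return self.table[dscp_from_tos_octet(ipv4_header[1])]


def make_ipv4_header(tos: int, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Constructed 20-byte IPv4 header (TCP, no options, checksum left at 0)."""
    def addr(a: str) -> bytes:
        return bytes(int(p) for p in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000, 64, 6, 0, addr(src), addr(dst))


if __name__ == "__main__":
    tos = 0xB8                                  # DSCP 46, precedence 5 (constructed sample)
    print("precedence/tos/mbz:", split_tos_octet(tos), "dscp:", dscp_from_tos_octet(tos))
    m = DscpToCosMap()
    m.map_dscp(0, 1)                            # same mapping as the CLI example above
    m.map_dscp(46, 3)
    for t in (0x00, 0x28, 0xB8):
        print(f"tos 0x{t:02X} -> queue {m.queue_for_packet(make_ipv4_header(t))}")
```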
Mapping CoS Values to ACLs
Use the ACL CoS Priority page to set the output queue for packets matching a configured ACL rule. For information on configuring ACLs, see “Access Control Lists” on page 3-89.
Command Usage
You must configure an ACL before you can map a CoS queue to the rule.
Command Attributes
• Port – Port identifier.
• Name – Name of a configured ACL.
• Type – Type of ACL (IP or MAC).
• CoS Priority – CoS queue used for packets matching the ACL rule.
Quality of Service
The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
Configuring a Class Map
A class map is used for matching packets to a specified class.
Command Usage
• To configure a Class Map, follow these steps:
- Open the Class Map page, and click Add Class.
- When the Class Configuration page opens, fill in the “Class Name” field, and click Add.
• VLAN – A VLAN. (Range: 1-4094)
• Add – Adds the specified criteria to the class. Up to 16 items are permitted per class.
• Remove – Deletes the selected criteria from the class.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
CLI – This example creates a class map called “rd_class,” and sets it to match packets marked with DSCP service value 3.
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.
Command Usage
• To configure a Policy Map, follow these steps:
- Create a Class Map as described on page 3-196.
- Open the Policy Map page, and click Add Policy.
- When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add.
- When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).
• Back – Returns to the previous page without making any changes.
Policy Rule Settings - Class Settings
• Class Name – Name of the class map.
• Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-196).
• Meter – The maximum throughput and burst size.
- Rate (kbps) – Rate in kilobits per second.
- Burst (byte) – Burst size in bytes.
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map, click Add Policy. To configure the policy rule settings, click Edit Classes.
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps and the burst size to 1522 bytes (one maximum-size VLAN-tagged Ethernet frame), and sets the response for violating packets to reduce their DSCP value to 0.
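To make the meter settings concrete, here is an added example (not the switch's code) that models the policy-map rule above as a single-rate token bucket: 1000 kbps, a 1522-byte bucket, and re-marking of violating packets to DSCP 0 instead of dropping them. The bucket model (tokens in bytes, refilled at rate/8 per second, capped at the burst) is the standard one and is an assumption about how the switch meters; the packet trace is constructed.

```python
"""Single-rate token-bucket meter with DSCP re-marking of violators.

Added example, not code from the guide. Models the rd-policy rule:
rate 1 Mbps, burst 1522 bytes, violators re-marked to DSCP 0.
"""


class TokenBucketMeter:
    def __init__(self, rate_kbps: int, burst_bytes: int, violate_dscp: int = 0):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_t = 0.0
        self.violate_dscp = violate_dscp

    def _refill(self, now: float) -> None:
        """Credit tokens for the time elapsed, never beyond the burst size."""
        elapsed = max(0.0, now - self.last_t)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_t = now

    def meter(self, now: float, length: int, dscp: int) -> tuple:
        """Return (verdict, dscp_out). Conforming packets keep their DSCP;
        violating packets are forwarded with the re-marked DSCP."""
        self._refill(now)
        if length <= self.tokens:
            self.tokens -= length
            return ("conform", dscp)
        return ("violate", self.violate_dscp)


def run_trace(meter: TokenBucketMeter, trace) -> list:
    """trace: iterable of (time_s, length_bytes, dscp_in)."""
    return [meter.meter(t, n, d) for t, n, d in trace]


# Constructed trace: a full-size frame drains the bucket, a second one in the
# same instant violates, 10 ms later (1 Mbps * 10 ms = 1250 bytes of credit)
# a 1000-byte packet conforms but the next 500-byte packet does not, and after
# a second of idle time the bucket is full again.
TRACE = [
    (0.000, 1522, 46),
    (0.000, 1522, 46),
    (0.010, 1000, 46),
    (0.010, 500, 46),
    (1.000, 1522, 46),
]

if __name__ == "__main__":
    meter = TokenBucketMeter(rate_kbps=1000, burst_bytes=1522)
    for (t, n, d), verdict in zip(TRACE, run_trace(meter, TRACE)):
        print(f"t={t:.3f}s len={n:4d} dscp_in={d} -> {verdict}")
```

The interesting edge is the second packet at t=0: with the bucket empty and no time elapsed it is re-marked even though the long-term rate has not been exceeded, which is why the burst size, not just the rate, decides how a meter treats back-to-back frames.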
VoIP Traffic Configuration
When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality. This is best achieved by assigning all VoIP traffic to a single Voice VLAN. The use of a Voice VLAN has several advantages.
Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply.
Figure 3-128 Configuring VoIP Traffic
CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
• 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “Link Layer Discovery Protocol” on page 3-170 for more information on LLDP.
• Priority – Defines a CoS priority for the port traffic on the Voice VLAN.
CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status.
Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It simply sends its traffic to a multicast group address, and any hosts that want to receive the multicast register with their local multicast switch/router.
these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources. IGMPv3 hosts may also request that service be forwarded from all sources except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources.
Notes: 1.
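The Include/Exclude rule just described, as an added example that is not part of the guide: each port holds IGMPv3 memberships, and the switch forwards a (source, group) flow to a port only if one of its memberships wants it. The port names, groups and sources are constructed sample values.

```python
"""IGMPv3 source-filtering decision per receiver port.

Added example, not from the guide. INCLUDE forwards only the listed
sources; EXCLUDE forwards every source except the listed ones.
"""
from ipaddress import ip_address


class Membership:
    def __init__(self, group: str, mode: str, sources=()):
        if mode not in ("INCLUDE", "EXCLUDE"):
            raise ValueError("mode must be INCLUDE or EXCLUDE")
        g = ip_address(group)
        if not g.is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        self.group = g
        self.mode = mode
        self.sources = {ip_address(s) for s in sources}

    def wants(self, source: str, group: str) -> bool:
        """Should traffic from `source` to `group` reach this member?"""
        if ip_address(group) != self.group:
            return False
        src = ip_address(source)
        if self.mode == "INCLUDE":
            return src in self.sources
        return src not in self.sources


def forward_ports(memberships: dict, source: str, group: str) -> list:
    """memberships: {port: [Membership, ...]} -> sorted ports that receive the flow."""
    return sorted(port for port, members in memberships.items()
                  if any(m.wants(source, group) for m in members))


# Constructed membership table: port 1 includes a single source, port 2
# excludes a single source, port 3 belongs to a different group (EXCLUDE
# with an empty list, i.e. "all sources").
TABLE = {
    "eth1/1": [Membership("239.1.1.1", "INCLUDE", ["10.0.0.5"])],
    "eth1/2": [Membership("239.1.1.1", "EXCLUDE", ["10.0.0.9"])],
    "eth1/3": [Membership("239.1.1.2", "EXCLUDE")],
}

if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.9", "10.0.0.7"):
        print(f"{src} -> 239.1.1.1 forwarded to {forward_ports(TABLE, src, '239.1.1.1')}")
    print(f"10.0.0.9 -> 239.1.1.2 forwarded to {forward_ports(TABLE, '10.0.0.9', '239.1.1.2')}")
```

Note how a source that port 1 did not include and port 2 explicitly excluded (10.0.0.9) is forwarded to neither, even though both ports are members of the group.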
the multicast filtering table is already full, the switch will continue flooding the traffic into the VLAN.
• IGMP Querier – A router, or multicast-enabled switch, can periodically ask the hosts on the LAN whether they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier” and assumes the role of querying the LAN for group members.
Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.)
Figure 3-131 IGMP Configuration
CLI – This example modifies the settings for multicast filtering, and then displays the current status.
is determined by the IGMP Query Report Delay (see “Configuring IGMP Snooping and Query Parameters” on page 3-209).
• If immediate leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch. You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router/switch for each VLAN ID.
Command Attributes
• VLAN ID – ID of configured VLAN (1-4094).
• Port or Trunk – Specifies the interface attached to a multicast router.
Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.
Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.
address, and click Add. After you have completed adding ports to the member list, click Apply.
Figure 3-136 IGMP Member Port Table
CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.
Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12
Console(config)#exit
Console#show mac-address-table multicast vlan 1
VLAN M'cast IP addr.
Note: IGMP filtering and throttling only applies to dynamically learned multicast groups. It does not apply to statically configured groups.
Enabling IGMP Filtering and Throttling
To implement IGMP filtering and throttling on the switch, you must first enable the feature globally and create IGMP profile numbers.
Command Attributes
• IGMP Filter – Enables IGMP filtering and throttling globally for the switch. (Default: Disabled)
• IGMP Profile – Creates IGMP profile numbers.
Command Usage
• Each profile has only one access mode: either permit or deny.
• When the access mode is set to permit, IGMP join reports are processed only when the multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are processed only when the multicast group is not in the controlled range.
Command Attributes
• Profile ID – Selects an existing profile number to configure.
Web – Click IGMP Snooping, IGMP Filter Profile Configuration. Select the profile number you want to configure, then click Query to display the current settings. Specify the access mode for the profile and then add multicast groups to the profile list. Click Apply.
Figure 3-138 IGMP Profile Configuration
CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join.
• An IGMP profile or throttling setting can also be applied to a trunk interface. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
• IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace”.
CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed.
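The profile and throttling rules from the two sections above, as an added example that is not the switch's code: a profile in permit or deny mode decides whether a dynamically learned join is processed at all, and the port's throttling limit then decides whether the group is added, rejected (“deny”) or swapped in for the oldest group (“replace”). The profile number 19 echoes the guide's example, but its group range, the join sequence and the limit of two groups are constructed assumptions.

```python
"""IGMP filtering (profile) and throttling applied to one port.

Added example, not from the guide. Profile: permit -> joins processed only
inside the ranges; deny -> joins processed only outside them. Throttling:
max_groups with action 'deny' (reject) or 'replace' (evict oldest).
"""
from collections import OrderedDict
from ipaddress import IPv4Address


class IgmpProfile:
    def __init__(self, profile_id: int, mode: str, ranges):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be permit or deny")
        self.profile_id = profile_id
        self.mode = mode
        self.ranges = [(IPv4Address(lo), IPv4Address(hi)) for lo, hi in ranges]

    def in_range(self, group: str) -> bool:
        g = IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        inside = self.in_range(group)
        return inside if self.mode == "permit" else not inside


class IgmpPort:
    def __init__(self, name: str, profile: IgmpProfile, max_groups: int, action: str):
        if action not in ("deny", "replace"):
            raise ValueError("throttling action must be deny or replace")
        self.name, self.profile = name, profile
        self.max_groups, self.action = max_groups, action
        self.groups = OrderedDict()      # insertion order = join order

    def join(self, group: str) -> str:
        """Process one dynamically learned join report; return what happened."""
        if not self.profile.allows(group):
            return "filtered"
        if group in self.groups:
            return "already-member"
        if len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"
            evicted, _ = self.groups.popitem(last=False)   # replace the oldest group
            self.groups[group] = True
            return f"replaced {evicted}"
        self.groups[group] = True
        return "joined"


def run_joins(port: IgmpPort, joins) -> list:
    return [port.join(g) for g in joins]


# Constructed: profile 19 permits 234.1.1.1-234.1.1.100 (assumed range);
# port 1 may hold two groups and replaces the oldest when a third arrives.
PROFILE_19 = IgmpProfile(19, "permit", [("234.1.1.1", "234.1.1.100")])
JOINS = ["234.1.1.5", "239.0.0.1", "234.1.1.6", "234.1.1.5", "234.1.1.7"]

if __name__ == "__main__":
    port = IgmpPort("eth1/1", PROFILE_19, max_groups=2, action="replace")
    for group, result in zip(JOINS, run_joins(port, JOINS)):
        print(f"{port.name} join {group}: {result}")
    print("members:", list(port.groups))
```

The “replace” action is the one to think about before enabling it on a shared segment: a host that keeps joining new groups can evict the groups other hosts behind the same port are watching, whereas “deny” simply stops it at the limit.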
Figure: MVR topology (multicast router and satellite services feeding a multicast server; a Layer 2 switch with a source port toward the service network and receiver ports to set-top boxes, PCs and TVs)
General Configuration Guidelines for MVR
1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings” on page 3-222).
2.
• MVR Running Status – Indicates whether or not all necessary conditions in the MVR environment are satisfied.
• MVR VLAN – Identifier of the VLAN that serves as the channel for streaming multicast services using MVR. (Range: 1-4094; Default: 1)
• MVR Group IP – IP address for an MVR multicast group. The IP address range of 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
• MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
• Immediate Leave – Shows if immediate leave is enabled or disabled.
• Trunk Member – Shows if the port is a trunk member.
Web – Click MVR, Port or Trunk Information.
Web – Click MVR, Group IP Information.
Figure 3-142 MVR Group IP Information
CLI – The following example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN.
Console#show mvr
MVR Group IP
----------------
225.0.0.1
225.0.0.2
225.0.0.3
225.0.0.4
225.0.0.5
225.0.0.6
225.0.0.7
225.0.0.8
225.0.0.9
225.0.0.
• Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
CLI – This example statically assigns a multicast group to a receiver port.
Console(config)#interface ethernet 1/2
Console(config-if)#mvr group 228.1.23.1
Console(config-if)#
DHCP Snooping
DHCP snooping allows a switch to protect a network from rogue DHCP servers by accepting DHCP server messages only on ports configured as trusted, and to pass port-related information about its DHCP clients to the DHCP server (see the DHCP Snooping Information Option below). The client bindings the switch learns (MAC address, assigned IP address, VLAN and port) are kept in a binding table, which can be useful in tracking an IP address back to a physical port.
If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
Web – Click DHCP Snooping, VLAN Configuration.
Figure 3-146 DHCP Snooping VLAN Configuration
CLI – This example first enables DHCP Snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#
DHCP Snooping Information Option Configuration
DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
Web – Click DHCP Snooping, Information Option Configuration.
Figure 3-147 DHCP Snooping Information Option Configuration
CLI – This example enables the DHCP Snooping Information Option, and sets the policy to replace.
Console(config)#ip dhcp snooping information option
Console(config)#ip dhcp snooping information policy replace
Console(config)#
DHCP Snooping Port Configuration
Configures switch ports as trusted or untrusted.
CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.
IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-228). IP Source Guard can be used to prevent spoofing attacks in which a host uses the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.
CLI – This example shows how to enable IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#end
Console#show ip source-guard
Interface  Filter-type
---------  -----------
Eth 1/1    DISABLED
Eth 1/2    DISABLED
Eth 1/3    DISABLED
Eth 1/4    DISABLED
Eth 1/5    SIP
Eth 1/6    DISABLED
. .
Static IP Source Guard Binding Configuration
Adds a static address to the source-guard binding table.
Web – Click IP Source Guard, Static Configuration.
Figure 3-150 Static IP Source Guard Binding Configuration
CLI – This example shows how to configure a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5
Console(config)#
Dynamic IP Source Guard Binding Information
Displays the source-guard binding table for a selected interface.
Web – Click IP Source Guard, Dynamic Information.
Figure 3-151 Dynamic IP Source Guard Binding Information
CLI – This example displays the source-guard binding table, including the static binding configured on port 5.
Console#show ip source-guard binding
MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
11-22-33-44-55-66  192.168.0.
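The following added example (not the switch firmware) ties the DHCP Snooping and IP Source Guard sections together: DHCP server messages are accepted only on trusted ports, an ACK relayed through a trusted port populates the binding table for the client's access port, and IP Source Guard in SIP mode on an untrusted port drops packets whose source address has no binding for that port and VLAN. Port names, addresses and the frame trace are constructed sample data, and packets are represented as plain dictionaries rather than real frames.

```python
"""DHCP snooping binding table plus IP Source Guard (SIP mode) filtering.

Added example, not from the guide. Models: server messages (OFFER/ACK/NAK)
only on trusted ports; ACKs seen on trusted ports create bindings
(vlan, client port) -> {ip: mac}; source guard drops unbound source IPs.
"""


class DhcpSnoopingSwitch:
    def __init__(self, trusted_ports, snooping_vlans, source_guard_ports):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.source_guard = set(source_guard_ports)   # ports with 'ip source-guard sip'
        self.bindings = {}   # (vlan, port) -> {ip: mac}

    def add_static_binding(self, mac: str, vlan: int, ip: str, port: str) -> None:
        """Equivalent of 'ip source-guard binding <mac> vlan <n> <ip> interface <port>'."""
        self.bindings.setdefault((vlan, port), {})[ip] = mac

    def handle_dhcp(self, pkt: dict) -> str:
        """pkt keys: port, vlan, msg, mac, ip, client_port (for server messages)."""
        if pkt["vlan"] not in self.vlans:
            return "forward"                      # snooping not enabled on this VLAN
        if pkt["msg"] in ("OFFER", "ACK", "NAK"):
            if pkt["port"] not in self.trusted:
                return "drop: server message on untrusted port"
            if pkt["msg"] == "ACK":
                # Bind the client to the access port the ACK is destined for.
                table = self.bindings.setdefault((pkt["vlan"], pkt["client_port"]), {})
                table[pkt["ip"]] = pkt["mac"]
            return "forward"
        return "forward"                          # DISCOVER/REQUEST from clients

    def handle_ip(self, pkt: dict) -> str:
        """pkt keys: port, vlan, src_ip, src_mac. SIP mode checks the source IP only."""
        if pkt["port"] not in self.source_guard:
            return "forward"
        table = self.bindings.get((pkt["vlan"], pkt["port"]), {})
        return "forward" if pkt["src_ip"] in table else "drop: no source-guard binding"


def run_trace(switch: DhcpSnoopingSwitch, trace) -> list:
    return [switch.handle_dhcp(p) if p["kind"] == "dhcp" else switch.handle_ip(p) for p in trace]


# Constructed topology: uplink eth1/1 is trusted, access port eth1/5 runs
# source guard, VLAN 1 is snooped.
SWITCH_ARGS = dict(trusted_ports=["eth1/1"], snooping_vlans=[1], source_guard_ports=["eth1/5"])
TRACE = [
    # host talks before it has a lease: dropped by source guard
    {"kind": "ip", "port": "eth1/5", "vlan": 1, "src_ip": "192.168.0.99", "src_mac": "11-22-33-44-55-66"},
    # rogue server answering on an access port: dropped by snooping
    {"kind": "dhcp", "port": "eth1/5", "vlan": 1, "msg": "OFFER", "mac": "aa-aa-aa-aa-aa-aa",
     "ip": "192.168.0.50", "client_port": "eth1/6"},
    # legitimate ACK from the uplink creates the binding for eth1/5
    {"kind": "dhcp", "port": "eth1/1", "vlan": 1, "msg": "ACK", "mac": "11-22-33-44-55-66",
     "ip": "192.168.0.99", "client_port": "eth1/5"},
    {"kind": "ip", "port": "eth1/5", "vlan": 1, "src_ip": "192.168.0.99", "src_mac": "11-22-33-44-55-66"},
    # same host spoofing the gateway address: dropped
    {"kind": "ip", "port": "eth1/5", "vlan": 1, "src_ip": "192.168.0.1", "src_mac": "11-22-33-44-55-66"},
]

if __name__ == "__main__":
    sw = DhcpSnoopingSwitch(**SWITCH_ARGS)
    for pkt, verdict in zip(TRACE, run_trace(sw, TRACE)):
        print(pkt["kind"], pkt["port"], pkt.get("msg") or pkt["src_ip"], "->", verdict)
    print("bindings:", sw.bindings)
```

The first packet in the trace is the operational gotcha: a host with a static address on a source-guard port is silently dropped until a static binding is added, which is exactly what the static binding command above is for.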
switches only become cluster Members when manually selected by the administrator through the management station. After the Commander and Members have been configured, any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop-down menu. From the Commander CLI prompt, use the “rcommand” command (see page 4-315) to connect to the Member switch.
Web – Click Cluster, Configuration.
Figure 3-153 Cluster Configuration
CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool.
Console(config)#cluster
Console(config)#cluster commander
Console(config)#cluster ip-pool 10.2.3.4
Console(config)#
Cluster Member Configuration
Adds Candidate switches to the cluster as Members.
Web – Click Cluster, Member Configuration.
Figure 3-154 Cluster Member Configuration
CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID.
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#
Cluster Member Information
Displays current cluster Member switch information.
Command Attributes
• Member ID – The ID number of the Member switch.
CLI – This example shows information about cluster Member switches.
Vty-0#show cluster members
Cluster Members:
ID: 1
Role: Active member
IP Address: 10.254.254.2
MAC Address: 00-12-cf-23-49-c0
Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
Vty-0#
Cluster Candidate Information
Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
UPnP
Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this through device control protocols built on open, Internet-based communication standards. The first step in UPnP networking is discovery. When a device is added to the network, the UPnP discovery protocol allows that device to advertise its services to control points on the network. Because these advertisements reach every control point on the network, leave UPnP disabled on the switch unless a management application actually relies on it.
CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about the basic UPnP configuration.
Chapter 4: Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Using the Command Line Interface
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the switch's console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask 255.255.255.0, consists of a network portion (10.1.
Note that Telnet carries the login credentials and the whole session in cleartext; where the switch's SSH server is available, use it for remote management instead.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
  counters        Interface counters information
  protocol-group  Protocol group
  status          Interface status information
  switchport      Interface switchport information
Console#show interfaces
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.
current mode. The command classes and associated modes are displayed in the following table:
Table 4-1 Command Modes
Class: Exec
  Modes: Normal, Privileged
Class: Configuration
  Modes: Global*, Access Control List, Class Map, Interface, Line, Multiple Spanning Tree, Policy Map, Server Group, VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
Console(config)#interface ethernet 1/5
. . .
Console(config-if)#exit
Console(config)#
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
Command Groups
The system commands can be broken down into the functional groups shown below.
Table 4-4 Command Groups (Continued)
IP
Cluster (page 4-313) – Configures switch clustering
UPnP (page 4-317) – Configures UPnP settings
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
LC (Line Configuration)
SG (Server Group)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Polic
Line Commands
line
This command identifies a specific line for configuration, and to process subsequent line configuration commands.
Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users.
- login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. Because every administrator then shares one password, logins cannot be attributed to an individual; prefer login local, or a remote authentication server, wherever accountability matters.
- login local selects authentication via the user name and password specified by the username command (i.e., the default setting).
during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Example
Console(config-line)#password 0 secret
Console(config-line)#
Related Commands
login (4-11)
password-thresh (4-14)
timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default.
Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout)
Default Setting
CLI: No timeout
Telnet: 10 minutes
Command Mode
Line Configuration
Command Usage
• If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.
• With the console default of no timeout, an unattended console session stays logged in indefinitely; set an explicit exec-timeout on the console line of any switch that is not physically secured.
Command Usage
• When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
• This command applies to both the local console and Telnet connections.
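The threshold behaviour described above, as an added example that is not the switch's own code: after the configured number of failed attempts the console line goes silent for silent-time seconds and rejects every attempt (even with the right password) until that interval expires, while the Telnet line shuts its logon interface. The password, threshold, silent time and attempt timeline are constructed values, and the Telnet shutdown is modelled as a permanent lockout of the object.

```python
"""Login threshold with silent time (password-thresh / silent-time).

Added example, not from the guide. Console lines go silent for
silent_time seconds after `threshold` failures; Telnet lines shut down.
"""
import hmac


class LoginGate:
    def __init__(self, password: str, threshold: int = 3, silent_time: int = 30,
                 telnet: bool = False):
        self.password = password.encode()
        self.threshold = threshold
        self.silent_time = silent_time
        self.telnet = telnet
        self.failures = 0
        self.silent_until = None     # timestamp until which logins are refused
        self.shut = False            # Telnet logon interface shut down

    def attempt(self, now: float, password: str) -> str:
        """Evaluate one login attempt at time `now` (seconds)."""
        if self.shut:
            return "rejected: interface shut down"
        if self.silent_until is not None:
            if now < self.silent_until:
                return "rejected: silent time"
            self.silent_until = None          # interval over, start counting afresh
            self.failures = 0
        if hmac.compare_digest(password.encode(), self.password):
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.threshold:
            if self.telnet:
                self.shut = True
                return "rejected: threshold reached, interface shut down"
            self.silent_until = now + self.silent_time
            return f"rejected: threshold reached, silent for {self.silent_time}s"
        return "rejected: bad password"


def run_attempts(gate: LoginGate, attempts) -> list:
    """attempts: iterable of (time_s, password) -> outcome per attempt."""
    return [gate.attempt(t, pw) for t, pw in attempts]


# Constructed timeline: three guesses, the real password during the silent
# interval (still refused), then the real password after it expires.
ATTEMPTS = [(0, "guess1"), (1, "guess2"), (2, "guess3"), (3, "secret"), (40, "secret")]

if __name__ == "__main__":
    for (t, pw), outcome in zip(ATTEMPTS, run_attempts(LoginGate("secret"), ATTEMPTS)):
        print(f"console t={t:>3}s {pw!r}: {outcome}")
    telnet = LoginGate("secret", telnet=True)
    for (t, pw), outcome in zip(ATTEMPTS[:4], run_attempts(telnet, ATTEMPTS[:4])):
        print(f"telnet  t={t:>3}s {pw!r}: {outcome}")
```

The fourth attempt is the one operators trip over: the correct password is refused during silent time, so a legitimate administrator who mistypes twice after someone else's guess has to wait out the interval rather than retry immediately.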
Syntax
databits {7 | 8}
no databits
• 7 - Seven data bits per character.
• 8 - Eight data bits per character.
Default Setting
8 data bits per character
Command Mode
Line Configuration
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Example
To specify no parity, enter this command:
Console(config-line)#parity none
Console(config-line)#
speed
This command sets the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second.
Example
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#
disconnect
This command terminates an SSH, Telnet, or console connection.
Syntax
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4)
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection.
Example
To show all lines, enter this command:
Console#show line
Console configuration:
 Password threshold: 3 times
 Interactive timeout: Disabled
 Login timeout: Disabled
 Silent time: Disabled
 Baudrate: 9600
 Databits: 8
 Parity: none
 Stopbits: 1
VTY configuration:
 Password threshold: 3 times
 Interactive timeout: 600 sec
 Login timeout: 300 sec
Console#
General Commands
Table 4-6 General Commands
enable (NE) – Activates privileged mode
disable – Returns to norm
Default Setting
Level 15
Command Mode
Normal Exec
Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-36.) Since this default is published in this guide, change it before the switch is connected to a production network.
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
configure
This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration. See “Understanding Command Modes” on page 4-5.
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
Console#!2
Console#config
Console(config)#
reload
This command restarts the system.
exit
This command returns to the previous configuration mode or exits the configuration program.
Default Setting
None
Command Mode
Any
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
quit
This command exits the configuration program.
System Management Commands
These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.
Command Mode
Global Configuration
Example
Console(config)#prompt RD2
RD2(config)#
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host.
Table 4-9 Banner Commands
banner configure equipment-location (GC, page 4-30) – Configures the Equipment Location information that is displayed by banner
banner configure ip-lan (GC, page 4-30) – Configures the IP and LAN information that is displayed by banner
banner configure lp-number (GC, page 4-31) – Configures the LP Number information that is displayed by banner
banner configure manager-info (GC) – Configures the Manager contact information that is displayed by bann
Example
Console(config)#banner configure
Company: Edge-corE
Responsible department: R&D Dept
Name and telephone to Contact the management people
Manager1 name: Sr. Network Admin
phone number: 123-555-1212
Manager2 name: Jr. Network Admin
phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St.
Command Usage
The user-entered data cannot contain spaces. The banner configure company command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
Syntax
banner configure department dept-name
no banner configure department
dept-name - The name of the department. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
The user-entered data cannot contain spaces. The banner configure department command interprets spaces as data input boundaries.
Command Usage
The user-entered data cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
ip-mask - The IP address and subnet mask of the device. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
The user-entered data cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
Example
Console(config)#banner configure ip-lan 192.168.
banner configure manager-info
This command allows the administrator to configure the manager contact information displayed in the banner. Use the no form to remove the manager contact information from the banner display.
Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
no banner configure mux
muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
The user-entered data cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
Example
Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmwareupgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected
Console(config)#
show banner
This command displays all banner information.
User Access Commands
The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-10), user authentication via a remote authentication server (page 4-78), and host access authentication for specific ports (page 4-99).
Command Usage
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Example
This example shows how to set the access level and password for a user.
Related Commands
enable (4-19)
authentication enable (4-80)
IP Filter Commands
Table 4-12 IP Filter Commands
Command          Function                                                             Mode  Page
management       Configures IP addresses that are allowed management access          GC    4-37
show management  Displays the client IP addresses that are allowed management access PE    4-38
management
This command specifies the client IP addresses that are allowed management access to the switch through various protocols.
• You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console(config)#
show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
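The allow-list semantics above (single addresses, start/end ranges, deletion by start address alone, the all-client group covering every protocol) as an added, runnable model. This is example code written for this page, not the switch's firmware; the group names other than all-client (http-client, snmp-client, telnet-client) and the rule that an empty list allows every client are assumptions, not statements from the manual.

```python
"""Added example (not the switch's own code): a model of the client
allow-list that the `management` command builds, so the rule semantics
on this page can be exercised offline.

Assumptions (not stated on the page): protocol groups other than
`all-client` are named http-client, snmp-client and telnet-client, and a
switch with no entries at all allows management from any address."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]          # inclusive (start, end), IPv4 as integers
ALL_CLIENT = "all-client"


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


class ManagementFilter:
    """Per-protocol list of allowed client addresses and ranges."""

    def __init__(self) -> None:
        self.entries: Dict[str, List[Range]] = {}

    def add(self, group: str, start: str, end: Optional[str] = None) -> None:
        """management <group> <start> [end]; a single address is a range of one."""
        lo, hi = _ip(start), _ip(end or start)
        if hi < lo:
            raise ValueError("end address must not precede start address")
        self.entries.setdefault(group, []).append((lo, hi))

    def delete(self, group: str, start: str, end: Optional[str] = None) -> bool:
        """no management <group> <start> [end]: the page says a range may be
        removed by its start address alone or by start and end."""
        lo = _ip(start)
        hi = _ip(end) if end else None
        ranges = self.entries.get(group, [])
        for i, (a, b) in enumerate(ranges):
            if a == lo and (hi is None or b == hi):
                del ranges[i]
                return True
        return False

    def allows(self, protocol_group: str, client: str) -> bool:
        """True if `client` may reach the switch through `protocol_group`.
        Entries under all-client apply to every protocol."""
        if not any(self.entries.values()):
            return True                      # assumed: nothing configured, no filter
        ip = _ip(client)
        for grp in (ALL_CLIENT, protocol_group):
            if any(lo <= ip <= hi for lo, hi in self.entries.get(grp, [])):
                return True
        return False


def page_example() -> ManagementFilter:
    """The two `management all-client` lines from the page's example."""
    f = ManagementFilter()
    f.add(ALL_CLIENT, "192.168.1.19")
    f.add(ALL_CLIENT, "192.168.1.25", "192.168.1.30")
    return f


if __name__ == "__main__":
    f = page_example()
    for client in ("192.168.1.19", "192.168.1.27", "192.168.1.31"):
        print(client, "allowed" if f.allows("telnet-client", client) else "denied")
```

Running the block with the page's two entries shows 192.168.1.19 and 192.168.1.27 allowed and 192.168.1.31 denied; deleting the range by its start address alone drops 192.168.1.25 through 192.168.1.30 in one step, which is the behaviour the usage note describes.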
Web Server Commands
Table 4-13 Web Server Commands
Command                Function                                                        Mode  Page
ip http port           Specifies the port to be used by the web browser interface      GC    4-39
ip http server         Allows the switch to be monitored or configured from a browser  GC    4-39
ip http secure-server  Enables HTTPS for encrypted communications                      GC    4-40
ip http secure-port    Specifies the UDP port number for HTTPS                         GC    4-41
ip http port
This command specifies the TCP port number used by the web browse
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http port (4-39)
ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
Example
Console(config)#ip http secure-server
Console(config)#
Related Commands
ip http secure-port (4-41)
copy tftp https-certificate (4-73)
ip http secure-port
This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip http secure-port
port_number – The UDP port used for HTTPS.
Telnet Server Commands
Table 4-15 Telnet Server Commands
Command           Function                                                     Mode  Page
ip telnet port    Specifies the port to be used by the Telnet interface        GC    4-39
ip telnet server  Allows the switch to be monitored or configured from Telnet  GC    4-39
ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Related Commands
ip telnet port (4-42)
Secure Shell Commands
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-79.
corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process:
a. The client sends its public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
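The exchange in steps a to c as an added, runnable model. This is example code written for this page, not the switch's firmware and not the SSH wire protocol: it uses textbook RSA with fixed toy primes so it runs offline (it is not secure and must not be used for real keys), and the closing step, in which the client proves it decrypted the challenge by returning a hash of the random bytes, is an assumption because the manual's text is cut off after step c. The user name "steve" is taken from the show users example later on the page.

```python
"""Added example (not the switch's firmware or the SSH wire protocol): a
model of the public-key exchange described above, steps a to c, plus the
response step the page's text cuts off before (assumed here: the client
proves it decrypted the challenge by returning its hash).

Toy RSA with fixed small primes is used so the block runs offline; it is
NOT secure and must never be used for real keys."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)
CHALLENGE_LEN = 4              # bytes; must stay below the toy modulus size


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA from two given primes (toy sizes only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


class SwitchSshServer:
    """Holds the per-user public keys the switch has stored (step b's list)."""

    def __init__(self) -> None:
        self.user_keys: Dict[str, PublicKey] = {}
        self.pending: Dict[str, bytes] = {}

    def store_public_key(self, user: str, key: PublicKey) -> None:
        self.user_keys[user] = key

    def begin_auth(self, user: str, offered: PublicKey) -> Optional[int]:
        """Steps a-c: compare the offered key; on a match, encrypt random
        bytes with it and return the ciphertext. No match, no challenge."""
        stored = self.user_keys.get(user)
        if stored is None or stored != offered:
            return None
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self.pending[user] = challenge
        n, e = stored
        return pow(int.from_bytes(challenge, "big"), e, n)

    def finish_auth(self, user: str, response: bytes) -> bool:
        """Assumed closing step: accept only if the client returned the hash
        of the plaintext challenge. Each challenge is single-use."""
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        expected = hashlib.sha256(challenge).digest()
        return hmac.compare_digest(expected, response)


class SshClient:
    def __init__(self, public: PublicKey, private: PrivateKey) -> None:
        self.public, self.private = public, private

    def answer(self, ciphertext: int) -> bytes:
        """Only the holder of the private key can recover the challenge."""
        n, d = self.private
        plain_int = pow(ciphertext, d, n)
        try:
            plain = plain_int.to_bytes(CHALLENGE_LEN, "big")
        except OverflowError:          # wrong key: result is not a challenge at all
            return b""
        return hashlib.sha256(plain).digest()


def run_exchange(server: SwitchSshServer, client: SshClient, user: str) -> bool:
    ciphertext = server.begin_auth(user, client.public)   # steps a and b
    if ciphertext is None:
        return False                                       # key not on the switch
    return server.finish_auth(user, client.answer(ciphertext))


def demo() -> Tuple[bool, bool, bool]:
    """Returns (honest client, client with a key the switch never stored,
    client offering the stored public key but holding the wrong private key)."""
    pub_a, priv_a = toy_keypair(1000003, 1000033)
    pub_b, priv_b = toy_keypair(1000037, 1000039)
    switch = SwitchSshServer()
    switch.store_public_key("steve", pub_a)
    honest = run_exchange(switch, SshClient(pub_a, priv_a), "steve")
    unknown = run_exchange(switch, SshClient(pub_b, priv_b), "steve")
    impostor = run_exchange(switch, SshClient(pub_a, priv_b), "steve")
    return honest, unknown, impostor
```

The point the model makes visible: the switch never needs the client's private key, an unknown key is rejected before any challenge is issued, and offering a stored public key without the matching private key fails at the response step. In the toy the random bytes are only four long so they fit under the small modulus; a real SSH implementation uses full-size keys and the standard's own message formats.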
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
Example
Console(config)#ip ssh authentication-retries 2
Console(config)#
Related Commands
show ip ssh (4-49)
ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.
Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of server key.
Example
Console#delete public-key admin dsa
Console#
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
• dsa – DSA (Version 2) key type.
• rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
• This command stores the host key pair in memory (i.e., RAM).
Command Mode
Privileged Exec
Command Usage
• This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
• The SSH server must be disabled before you can execute this command.
Example
Console#show ip ssh
SSH Enabled - version 1.99
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#
show ssh
This command displays the current SSH server connections.
Command Mode
Privileged Exec
Example
Console#show ssh
Connection Version State
0 2.
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
• If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
Event Logging Commands
Table 4-18 Event Logging Commands
Command           Function                                                                 Mode  Page
logging on        Controls logging of error messages                                       GC    4-52
logging history   Limits syslog messages saved to switch memory based on severity          GC    4-53
logging host      Adds a syslog server host IP address that will receive logging messages  GC    4-54
logging facility  Sets the facility type for remote logging of syslog messages             GC    4-54
logging trap      Limits syslog messages saved to a remote server
logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
• level - One of the levels listed below.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• By using this command more than once you can build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level]
no logging trap
level - One of the level arguments listed below. Messages sent include the selected level up through level 0. (Refer to the table on page 4-53.
Related Commands
show logging (4-56)
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | sendmail | trap}
• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
The following example displays settings for the trap function.
Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.
Example
The following example shows sample messages stored in RAM.
Console#show log ram
[5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and
[4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and
[3] 00:00:54 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and
[2] 00:00:50 2001-01-01 "STA topology change notification.
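A parser for the show log entry format above, together with the severity rule that logging history and logging trap apply (an entry is kept or forwarded when its level is at or below the configured level, that is, the selected level up through level 0), as an added example that is not part of the manual. The sample lines are constructed in the page's format; the trailing "event no." field, the level-4 link-down entry and the coldStart entry are assumptions, and the level names follow standard syslog numbering because the manual's own level table (page 4-53) is not reproduced here.

```python
"""Added example (not part of the manual): a parser for the `show log`
message format, with the severity-threshold rule that `logging history`
and `logging trap` apply (keep when level <= configured level).

Sample lines are constructed in the page's format; the trailing
"event no." field and the non-STA entries are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard syslog numbering (assumed to match the table on page 4-53).
LEVEL_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
               4: "warnings", 5: "notifications", 6: "informational",
               7: "debugging"}

LOG_RE = re.compile(
    r'^\[(?P<idx>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<message>[^"]*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+)')

SAMPLE_LOG = """\
Console#show log ram
[5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1
[4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1
[3] 00:00:54 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1
[2] 00:00:50 2001-01-01 "STA topology change notification." level: 6, module: 6, function: 1, and event no.: 1
[1] 00:00:40 2001-01-01 "Unit 1, Port 3 link-down notification." level: 4, module: 5, function: 1, and event no.: 1
[0] 00:00:10 2001-01-01 "System coldStart notification." level: 6, module: 5, function: 1, and event no.: 1
Console#
"""


@dataclass
class LogEntry:
    idx: int
    time: str
    date: str
    message: str
    level: int
    module: int
    function: int

    @property
    def level_name(self) -> str:
        return LEVEL_NAMES.get(self.level, "unknown")


def parse_log_line(line: str) -> Optional[LogEntry]:
    """One entry, or None for prompts and anything not in the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(int(m["idx"]), m["time"], m["date"], m["message"],
                    int(m["level"]), int(m["module"]), int(m["function"]))


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in map(parse_log_line, text.splitlines()) if e is not None]


def at_or_above(entries: List[LogEntry], configured_level: int) -> List[LogEntry]:
    """What the switch keeps (or forwards) for a given level setting."""
    return [e for e in entries if e.level <= configured_level]


def root_change_count(entries: List[LogEntry]) -> int:
    """Repeated STA root changes deserve a look: another bridge kept
    claiming the spanning-tree root role."""
    return sum(1 for e in entries if e.message.startswith("STA root change"))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in at_or_above(entries, 6):
        print(f"{e.date} {e.time} [{e.level_name}] {e.message}")
    print("root changes:", root_change_count(entries))
```

With the constructed sample, a level setting of 6 keeps all six entries, a setting of 4 keeps only the link-down warning, and the three root-change notifications in one minute are the kind of pattern worth correlating with which port carried the competing BPDUs.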
Command Mode
Global Configuration
Command Usage
• You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
logging sendmail source-email
This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address.
Syntax
[no] logging sendmail source-email email-address
email-address - The source email address used in alert messages.
logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
Syntax
[no] logging sendmail
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#logging sendmail
Console(config)#
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
1. 192.
Time Commands
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current time: Dec 23 02:52:44 2002
Poll interval: 60
Current mode: unicast
SNTP status: Enabled
SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0
Current server: 10.1.0.
sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default.
Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests.
clock timezone
This command sets the time zone for the switch’s internal clock.
Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
• name - Name of timezone, usually an acronym. (Range: 1-29 characters)
• hours - Number of hours before/after UTC. (Range: 0-12 hours)
• minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
• before-utc - Sets the local time zone before (east) of UTC.
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows how to set the system clock to 15:12:34, April 1st, 2004.
Console#calendar set 15 12 34 1 April 2004
Console#
show calendar
This command displays the system clock.
Command Usage
• Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Related Commands
show running-config (4-68)
show running-config
This command displays the configuration information currently in use.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes.
Example
Console#show running-config
building startup-config, please wait.....
!
phymap 00-12-cf-ce-2a-20 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00
!
SNTP server 0.0.0.0 0.0.0.0 0.0.0.
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 3-11.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
Example
Console#show system
System Description: Layer2+ Fast Ethernet Standalone Switch ES3526XA
System OID String: 1.3.
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Example
Console#show users
Username accounts:
 Username  Privilege  Public-Key
 --------  ---------  ----------
 admin     15         None
 guest     0          None
 steve     15         RSA
Online users:
 Line         Username  Idle time (h:m:s)  Remote IP addr.
 -----------  --------  -----------------  ---------------
 0 console    admin     0:14:14
*1 VTY 0      admin     0:00:00            192.168.1.19
 2 SSH 1      steve     0:00:06            192.168.
Frame Size Commands
Table 4-25 Frame Size Commands
Command      Function                          Mode  Page
jumbo frame  Enables support for jumbo frames  GC    4-72
jumbo frame
This command enables support for jumbo frames. Use the no form to disable it.
Syntax
[no] jumbo frame
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes.
Flash/File Commands 4 Flash/File Commands These commands are used to manage the system code or configuration files.
Command Usage
• The system prompts for data required to complete the copy command.
• The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
• Due to the size limit of the flash memory, the switch supports only two operation code files.
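The file-name rules in the usage note above as a checker that can be run on the operator's side before a copy is issued, so a bad name is caught before the switch rejects it. This is an added example written for this page, not the switch's own validation code; the rules it enforces are exactly the ones listed (no slashes, no leading period, the 127-character TFTP and 31-character switch limits, and the stated character set).

```python
"""Added example (not from the manual): a checker for the file-name rules
the copy command's usage note states."""
import re
from typing import List

# Valid characters per the usage note: A-Z, a-z, 0-9, ".", "-", "_"
ALLOWED = re.compile(r"^[A-Za-z0-9._-]+$")
MAX_LEN_TFTP = 127     # files on the TFTP server
MAX_LEN_SWITCH = 31    # files on the switch


def file_name_problems(name: str, on_switch: bool) -> List[str]:
    """Every rule the name breaks; an empty list means the name is acceptable."""
    limit = MAX_LEN_SWITCH if on_switch else MAX_LEN_TFTP
    problems: List[str] = []
    if not name:
        return ["name is empty"]
    if "/" in name or "\\" in name:
        problems.append("name contains a slash")
    if name.startswith("."):
        problems.append("leading character is a period")
    if len(name) > limit:
        problems.append(f"longer than {limit} characters")
    if not ALLOWED.match(name):
        problems.append("contains characters outside A-Z, a-z, 0-9, '.', '-', '_'")
    return problems


def is_valid_file_name(name: str, on_switch: bool = True) -> bool:
    return not file_name_problems(name, on_switch)


if __name__ == "__main__":
    for candidate in ("startup.01", ".hidden", "dir/startup.01", "x" * 32):
        print(f"{candidate!r:20} switch={is_valid_file_name(candidate)} "
              f"tftp={is_valid_file_name(candidate, on_switch=False)}")
```

A 32-character name is the boundary case the two limits make interesting: it is acceptable as a source file on the TFTP server but not as the destination name on the switch.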
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:
Console#copy tftp https-certificate
TFTP server ip address: 10.1.
Command Mode
Privileged Exec
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
• A colon (:) is required after the specified unit number.
Example
This example shows how to delete the test2.cfg configuration file from flash memory for unit 1.
Console#delete 1:test2.
• File information is shown below:
Table 4-27 File Directory Information
Column Heading  Description
file name       The name of the file.
file type       File types: Boot-Rom, Operation Code, and Config file.
startup         Shows if this file is used when the system is started.
size            The length of the file in bytes.
Syntax
boot system [unit:] {boot-rom | config | opcode}: filename
The type of file or image to set as a default includes:
• boot-rom* - Boot ROM.
• config* - Configuration file.
• opcode* - Run-time operation code.
• filename - Name of the configuration file or code image.
• unit* - Specifies the unit number. (Range: 1)
* The colon (:) is required.
Authentication Commands 4
Table 4-28 Authentication Commands
Command Group       Function                                                   Page
Network Access      Configures MAC authentication and dynamic VLAN assignment  4-108
Web Authentication  Configures Web authentication                              4-115
Authentication Sequence
Table 4-29 Authentication Sequence
Command                Function                                                                   Mode  Page
authentication login   Defines logon authentication method and precedence                        GC    4-79
authentication enable  Defines the authentication method and precedence for command mode change  GC    4-80
Example
Console(config)#authentication login radius
Console(config)#
Related Commands
username - for setting the local user names and passwords (4-35)
authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-19). Use the no form to restore the default.
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Command Mode
Global Configuration
Example
Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green
Console(config)#
radius-server auth-port
This command sets the RADIUS server port used for authentication messages. Use the no form to restore the default.
Syntax
radius-server auth-port port_number
no radius-server auth-port
port_number - RADIUS server UDP port used for authentication messages.
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
Syntax
radius-server key key_string
no radius-server key
key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number_of_seconds
no radius-server timeout
number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Example
Console(config)#tacacs-server host 192.168.1.25
Console(config)#
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port_number
no tacacs-server port
port_number - TACACS+ server TCP port used for authentication messages.
tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
tacacs-server retransmit number_of_retries
no tacacs-server retransmit
number_of_retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
Example
Console#show tacacs-server
Remote TACACS+ server configuration:
Global Settings:
 Communication Key with TACACS+ Server:
 Server Port Number: 49
 Retransmit Times : 2
 Request Times : 5
Server 1:
 Server IP address: 1.2.3.
aaa group server
Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
Syntax
[no] aaa group server {radius | tacacs+} group-name
• radius - Defines a RADIUS server group.
• tacacs+ - Defines a TACACS+ server group.
• group-name - A text string that names a security server group.
aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting dot1x {default | method-name}
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.
aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting exec {default | method-name}
• default - Specifies the default accounting method for service requests.
• method-name - Specifies an accounting method for service requests.
aaa accounting commands
This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.
Syntax
aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group}
no aaa accounting commands level {default | method-name}
• level - The privilege level for executing commands. (Range: 0-15)
• default - Specifies the default accounting method for service requests.
aaa accounting update
This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.
Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#
accounting exec
This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line.
Syntax
accounting exec {default | list-name}
no accounting exec
• default - Specifies the default method list created with the aaa accounting exec command (page 4-91).
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#
aaa authorization exec
This command enables the authorization for Exec access. Use the no form to disable the authorization service.
Syntax
aaa authorization exec {default | method-name} group {tacacs+ | server-group}
no aaa authorization exec {default | method-name}
• default - Specifies the default authorization method for Exec access.
authorization exec
This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line.
Syntax
authorization exec {default | list-name}
no authorization exec
• default - Specifies the default method list created with the aaa authorization exec command (page 4-95).
• list-name - Specifies a method list created with the aaa authorization exec command.
Command Mode
Privileged Exec
Example
Console#show accounting
Accounting type: dot1x
 Method list: default
 Group list: radius
 Interface:
 Method list: tps
 Group list: radius
 Interface: eth 1/2
Accounting type: Exec
 Method list: default
 Group list: radius
 Interface: vty
Console#
Port Security Commands
These commands can be used to enable port security on a port.
port security
This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses.
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
shutdown (4-155)
mac-address-table static (4-175)
show mac-address-table (4-176)
802.1X Port Authentication
The switch supports IEEE 802.
[no] dot1x system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dot1x system-auth-control
Console(config)#
dot1x default
This command sets all configurable dot1x global and port settings to their default values.
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
• auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
• force-authorized – Configures the port to grant access to all clients, either dot1x-aware or otherwise.
Command Usage
• The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-101).
• In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
dot1x timeout quiet-period
This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds.
dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.
dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
- Status – Administrative state for port access control.
- Operation Mode – Dot1x port control operation mode (page 4-101).
- Mode – Dot1x port control mode (page 4-101).
- Authorized – Authorization status (yes or n/a - not authorized).
• 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
- reauth-enabled – Periodic re-authentication (page 4-102).
- Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
• Reauthentication State Machine
- State – Current state (including initialize, reauthenticate).
Example
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name 1/1 1/2 . . .
Network Access – MAC Address Authentication
The Network Access feature controls host access to the network by authenticating its MAC address on the connected switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed.
Command Usage
• When enabled on a port interface, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The username and password are both equal to the MAC address being authenticated.
• On the RADIUS server, PAP username and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
• The RADIUS server may optionally return a VLAN identifier list.
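What the PAP request described above looks like at the RADIUS layer, as an added example that is not the switch's code: the User-Name and User-Password are both the MAC in the XX-XX-XX-XX-XX-XX upper-case form the server must be provisioned with, and User-Password is not carried in clear but hidden with the scheme in RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed over 16-byte blocks, each block chained on the previous ciphertext). That is why the radius-server key matters: the server can only recover and check the password if it holds the same secret. The shared secret "green" is the page's own example value; the MAC address and the server's user table are constructed.

```python
"""Added example (not the switch's code): the MAC-authentication PAP
request at the RADIUS layer, with the RFC 2865 5.2 User-Password hiding
and the server-side check against a user table in the required format."""
import hashlib
import re
import secrets
from typing import Dict, Iterator, Tuple


def mac_to_radius_name(mac: str) -> str:
    """Normalise any common MAC spelling to the XX-XX-XX-XX-XX-XX form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def _blocks(data: bytes) -> Iterator[bytes]:
    for i in range(0, len(data), 16):
        yield data[i:i + 16]


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then
    c_i = p_i XOR MD5(secret + c_(i-1)), with the Request Authenticator as c_0."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for block in _blocks(padded):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(block, key))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; trailing padding is stripped."""
    out, prev = bytearray(), authenticator
    for block in _blocks(hidden):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_mac_auth_request(mac: str, secret: bytes) -> Tuple[str, bytes, bytes]:
    """What the switch sends: (User-Name, Request Authenticator, hidden User-Password).
    Both name and password are the MAC, as the usage note states."""
    name = mac_to_radius_name(mac)
    authenticator = secrets.token_bytes(16)
    return name, authenticator, hide_user_password(name.encode(), secret, authenticator)


def server_accepts(user_db: Dict[str, str], name: str, authenticator: bytes,
                   hidden: bytes, secret: bytes) -> bool:
    """A server whose PAP entries use the required MAC format accepts the
    request only when the revealed password equals the stored one."""
    stored = user_db.get(name)
    if stored is None:
        return False
    return reveal_user_password(hidden, secret, authenticator) == stored.encode()


if __name__ == "__main__":
    # Constructed user table in the format the page requires.
    user_db = {"00-1A-2B-3C-4D-5E": "00-1A-2B-3C-4D-5E"}
    name, auth, hidden = build_mac_auth_request("00:1a:2b:3c:4d:5e", b"green")
    print(name, "accepted" if server_accepts(user_db, name, auth, hidden, b"green") else "rejected")
    print(name, "with wrong secret:",
          "accepted" if server_accepts(user_db, name, auth, hidden, b"blue") else "rejected")
```

A 17-character MAC string spans two 16-byte blocks, so the example exercises the chaining step; a server configured with a different secret, or with the MAC stored in a different spelling (lower case, colons), rejects the request even though the client is the one the administrator intended to admit.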
4 Command Line Interface Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failed. Example Console(config-if)#network-access max-mac-count 5 Console(config-if)# mac-authentication intrusion-action Use this command to configure the port response to a host MAC authentication failure.
Authentication Commands 4 Example Console(config-if)#mac-authentication max-mac-count 32 Console(config-if)# network-access dynamic-vlan Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
4 Command Line Interface Command Mode Interface Configuration Command Usage • The VLAN to be used as the guest VLAN must be defined and set as active (“vlan database” on page 4-223). • When used with 802.1x authentication, the intrusion-action configuration must be set for ‘guest-vlan’ to be effective (“dot1x intrusion-action” on page 4-105).
clear network-access
Use this command to clear entries from the secure MAC address table.
Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
• static - Specifies static address entries.
• dynamic - Specifies dynamic address entries.
• mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
• interface - Specifies a port interface.
  • ethernet unit/port
    - unit - This is unit 1.
    - port - Port number.
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
----------------------------------------------------------------
Port : 1/1
MAC Authentication : Disabled
MAC Authentication Intrusion action : Block traffic
MAC Authentication Maximum MAC Counts : 1024
Maximum MAC Counts : 2048
Dynamic VLAN Assignment : Enabled
Guest VLAN : Disabled
Console#
show network-access mac-address-table
Example
Console#show network-access mac-address-table
---- ----------------- --------------- ---------
Port MAC-Address       RADIUS-Server   Attribute
---- ----------------- --------------- ---------
1/1  00-00-01-02-03-04 172.155.120.17  Static
1/1  00-00-01-02-03-05 172.155.120.17  Dynamic
1/1  00-00-01-02-03-06 172.155.120.17  Static
1/3  00-00-01-02-03-07 172.155.120.
Table 4-36 Web Authentication (Continued)
Command | Function | Mode | Page
web-auth re-authenticate (IP) | Ends the web authentication session associated with the designated IP and forces the user to re-authenticate | PE | 4-119
show web-auth summary | Displays a summary of web authentication port parameters and statistics | PE | 4-119
web-auth login-attempts
This command defines the limit for failed web authentication login attempts.
Example
Console(config)#web-auth quiet-period 120
Console(config)#
web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session-timeout time has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
web-auth
This command enables web authentication for an interface. Use the no form to restore the default.
Syntax
[no] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
Example
Console(config-if)#web-auth
Console(config-if)#
show web-auth
This command displays global web authentication parameters.
show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
show web-auth interface interface
• interface - Specifies a port interface.
  • ethernet unit/port
    - unit - This is unit 1.
    - port - Port number.
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
• interface - Specifies a port interface.
  • ethernet unit/port
    - unit - This is unit 1.
    - port - Port number. (Range: 1-26)
• ip - IPv4 formatted IP address.
Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port Status   Authenticated Host Count
---- -------- ------------------------
1/ 1 Disabled 0
1/ 2 Enabled  0
1/ 3 Disabled 0
1/ 4 Disabled 0
1/ 5 Disabled 0
1/ 6 Disabled 0
1/ 7 Disabled 0
1/ 8 Disabled 0
1/ 9 Disabled 0
1/10 Disabled 0
Console#
Access Control List Commands
Access Control Lists (ACLs) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or for any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria.
IP ACLs
Table 4-38 IP ACLs
Command | Function | Mode | Page
access-list ip | Creates an IP ACL and enters configuration mode | GC | 4-123
permit, deny | Filters packets matching a specified source IP address | STD-ACL | 4-124
permit, deny | Filters packets meeting the specified criteria, including source and destination IP address, TCP/UDP port number, and protocol type | EXT-ACL | 4-124
show ip access-list | Displays the rules for configured IP ACLs | PE | 4-126
ip access-group | Adds
Related Commands
permit, deny (4-124)
ip access-group (4-126)
show ip access-list (4-126)
permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | source bitmask | host source}
• any – Any source IP address.
• source – Source IP address.
• bitmask – Decimal number representing the address bits to match.
Syntax
[no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]]
[no] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]]
• protocol-number – A specific protocol number.
This allows TCP packets from the class C network 192.168.1.0 to any destination address when the destination TCP port is 80 (i.e., HTTP).
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#
Related Commands
access-list ip (4-123)
show ip access-list
This command displays the rules for configured IP ACLs.
Syntax
show ip access-list {standard | extended} [acl_name]
• standard – Specifies a standard IP ACL.
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
• If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
• You must configure a mask for an ACL rule before you can bind it to a port.
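To check how a rule set written in the syntax above will behave before binding it to a port, here is an added Python evaluator (not switch code): it parses permit/deny rules as the manual documents them, applies the dotted-decimal bitmask as an address mask (set bits must match), and tests packets in rule order with first match winning. The implicit deny when no rule matches, the packet field names, and the second rule in the sample list are assumptions.

```python
"""Added example: evaluator for the Standard/Extended IP ACL rule syntax.
Models the manual's semantics so a rule set can be checked offline;
not code from the switch.  Assumption: no match => deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"tcp": 6, "udp": 17}   # keyword forms accepted by the extended syntax


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: Optional[int]               # IP protocol number, or None for any protocol
    src: Tuple[int, int]               # (address & mask, mask) as 32-bit ints; (0, 0) = any
    dst: Tuple[int, int]
    sport: Optional[Tuple[int, int]]   # inclusive port range, or None
    dport: Optional[Tuple[int, int]]


def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host A' | 'A BITMASK'.  The bitmask's set bits are the
    address bits that must match (a subnet-style mask, not a wildcard)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(t[i]))
    mask = int(ipaddress.IPv4Address(t[i + 1]))
    return (addr & mask, mask), i + 2


def _ports(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'port [end]' after source-port / destination-port."""
    lo = int(t[i]); i += 1
    hi = lo
    if i < len(t) and t[i].isdigit():
        hi = int(t[i]); i += 1
    return (lo, hi), i


def parse_rule(line: str, extended: bool = True) -> Rule:
    """Parse one permit/deny line in standard (source only) or extended syntax."""
    t = line.split()
    if t[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {line!r}")
    i, proto = 1, None
    if extended and (t[i] in PROTO_NUM or t[i].isdigit()):
        proto = PROTO_NUM[t[i]] if t[i] in PROTO_NUM else int(t[i]); i += 1
    src, i = _addr(t, i)
    dst, sport, dport = (0, 0), None, None
    if extended:
        dst, i = _addr(t, i)
        while i < len(t):
            kw = t[i]; i += 1
            if kw == "source-port":
                sport, i = _ports(t, i)
            elif kw == "destination-port":
                dport, i = _ports(t, i)
            else:
                raise ValueError(f"unexpected token {kw!r} in {line!r}")
    elif i != len(t):
        raise ValueError(f"trailing tokens in standard rule: {line!r}")
    return Rule(t[0], proto, src, dst, sport, dport)


def _in_range(rng: Optional[Tuple[int, int]], value: Optional[int]) -> bool:
    return rng is None or (value is not None and rng[0] <= value <= rng[1])


def matches(rule: Rule, pkt: dict) -> bool:
    """pkt keys (assumed): src, dst dotted IPv4; proto 'tcp'/'udp'/int; sport, dport."""
    sip = int(ipaddress.IPv4Address(pkt["src"]))
    dip = int(ipaddress.IPv4Address(pkt["dst"]))
    if (sip & rule.src[1]) != rule.src[0] or (dip & rule.dst[1]) != rule.dst[0]:
        return False
    if rule.proto is not None:
        p = pkt.get("proto")
        if PROTO_NUM.get(p, p) != rule.proto:
            return False
    return _in_range(rule.sport, pkt.get("sport")) and _in_range(rule.dport, pkt.get("dport"))


def evaluate(rules: List[Rule], pkt: dict) -> str:
    """First match wins, in the order rules were added (new rules go to the end)."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "deny"   # assumed implicit deny when no rule matches


# The manual's own extended-ACL example, followed by a constructed host deny.
PAGE_RULE = "permit 192.168.1.0 255.255.255.0 any destination-port 80"
ACL = [parse_rule(PAGE_RULE), parse_rule("deny host 192.168.1.99 any")]


def check(acl: List[Rule], src: str, dport: int, proto="tcp") -> str:
    return evaluate(acl, {"src": src, "dst": "10.0.0.1", "proto": proto, "dport": dport})


if __name__ == "__main__":
    print(check(ACL, "192.168.1.50", 80))    # permit
    print(check(ACL, "192.168.1.99", 80))    # permit: the earlier permit matches first
    print(check(ACL, "192.168.1.99", 443))   # deny: falls through to the host rule
    print(check(ACL, "192.168.2.50", 80))    # deny: outside the masked source range
```

Reversing the two rules changes the answer for 192.168.1.99 on port 80, which is the practical effect of "new rules are added to the end of the list".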
Table 4-39 MAC ACL Commands
Command | Function | Mode | Page
mac access-group | Adds a port to a MAC ACL | IC | 4-131
show mac access-group | Shows port assignments for MAC ACLs | PE | 4-131
access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
Syntax
[no] access-list mac acl_name
acl_name – Name of the ACL.
permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]]
Note: The default is for Ethernet II packets.
Default Setting
None
Command Mode
MAC ACL
Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
• A detailed listing of Ethernet protocol types can be found in RFC 1060.
mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax
mac access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
ACL Information
Table 4-40 ACL Information
Command | Function | Mode | Page
show access-list | Shows all ACLs and associated rules | PE | 4-132
show access-group | Shows the ACLs assigned to each port | PE | 4-132
show access-list
This command shows all ACLs and associated rules, as well as all the user-defined masks.
Command Mode
Privileged Exec
Command Usage
Once the ACL is bound to an interface (i.e.
SNMP Commands
These commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#
show snmp
This command can be used to check the status of SNMP communications.
Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
Authentication: enable
Link-up-down: enable
SNMP communities:
1. private, and the privilege is read-write
2.
• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Command Mode
Global Configuration
Example
Console(config)#snmp-server community alpha rw
Console(config)#
snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
Command Mode
Global Configuration
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (4-136)
snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
• SNMP Version: 1
• UDP Port: 162
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server host command, no notifications are sent. To configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. To enable multiple hosts, you must issue a separate snmp-server host command for each host.
• The snmp-server host command is used in conjunction with the snmp-server enable traps command.
supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
• If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command. Otherwise, the authentication password and/or privacy password will not exist, and the switch will not authorize SNMP access for the host.
conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 4-143).
Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#
Related Commands
snmp-server host (4-137)
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
• A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 4-146).
Example
Console(config)#snmp-server engine-id local 123456789
Console(config)#snmp-server engineID remote 987654321 192.168.1.
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
• view-name - Name of an SNMP view. (Range: 1-64 characters)
• oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)
• included - Defines an included view.
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#
Table 4-43 show snmp view - display description
Field | Description
View Name | Name of an SNMP view.
Subtree OID | A branch in the MIB tree.
Default Setting
• Default groups: public (read only), private (read/write)
• readview - Every object belonging to the Internet OID space (1.3.6.1).
• writeview - Nothing is defined.
• notifyview - Nothing is defined.
Command Mode
Global Configuration
Command Usage
• A group sets the access policy for the assigned users.
• When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
show snmp group
Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Table 4-44 show snmp group - display description
Field | Description
groupname | Name of an SNMP group.
security model | The SNMP version.
readview | The associated read view.
writeview | The associated write view.
notifyview | The associated notify view.
storage-type | The storage type for this entry.
Row Status | The row status of this entry.
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
• Before you configure a remote user, use the snmp-server engine-id command (page 4-140) to specify the engine ID for the remote device where the user resides.
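The dependency in the first bullet, and the MD5-or-SHA choice mentioned under snmp-server group, is RFC 3414 key localization. The following added Python example (not the switch's code) derives an SNMPv3 user's localized key the way the RFC specifies and checks it against the RFC's published test vector; it assumes nothing about the format of the engine-id argument on this switch (engine IDs are passed as raw bytes) and the second engine ID used in keys_after_engine_id_change is constructed.

```python
"""Added example: RFC 3414 Appendix A.2 key localization for SNMPv3 users.
Shows why the engine ID must be set before snmp-server user, and why changing
it invalidates every existing user's keys.  Not switch firmware code."""
import hashlib

ONE_MEBIBYTE = 1_048_576
RFC3414_PASSWORD = b"maplesyrup"                                # RFC 3414 A.3 test vector
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # 12-byte engine ID from the RFC


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Step 1: repeat the password until 1,048,576 bytes are produced and hash
    them.  hash_name is 'md5' or 'sha1', matching the MD5/SHA choice made with
    the snmp-server user command."""
    if not password:
        raise ValueError("password must not be empty")
    stretched = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku).  The result depends on the
    authoritative engine ID, so the same password yields a different key on
    every engine, and a changed engine ID breaks all existing users' keys."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Password -> localized key, as a USM implementation does when a user is created."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def keys_after_engine_id_change(password: bytes, old_engine_id: bytes,
                                new_engine_id: bytes, hash_name: str = "md5") -> dict:
    """Compare the keys one user would hold under two engine IDs.  Confirms that a
    key derived against the old engine ID is useless after the local engine ID is
    changed, which is why the switch clears its users and they must be re-created."""
    old = password_to_key(password, old_engine_id, hash_name)
    new = password_to_key(password, new_engine_id, hash_name)
    return {"old": old.hex(), "new": new.hex(), "changed": old != new}


if __name__ == "__main__":
    # Constructed second engine ID; only the RFC vector above is authoritative.
    print(keys_after_engine_id_change(RFC3414_PASSWORD, RFC3414_ENGINE_ID,
                                      bytes.fromhex("000000000000000000000003")))
```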
show snmp user
This command shows information on SNMP users.
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Command Mode
Global Configuration
Example
To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#
description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or description to help you remember what is attached to this interface.
Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
• If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use auto-negotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
Related Commands
capabilities (4-153)
speed-duplex (4-151)
capabilities
This command advertises the port capabilities of a given interface during auto-negotiation.
Example
The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
Related Commands
negotiation (4-152)
speed-duplex (4-151)
flowcontrol (4-154)
flowcontrol
This command enables flow control. Use the no form to disable flow control.
Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#
Related Commands
negotiation (4-152)
capabilities (flowcontrol, symmetric) (4-153)
shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
broadcast byte-rate
This command configures the broadcast storm control threshold.
Syntax
broadcast byte-rate scale level level
• scale – The threshold scale. (Options: 1, 10, 100, 1000 Kbytes per second)
• level – The threshold level. (Range: 1-127)
Default Setting
Threshold Scale: 1000 Kbytes per second
Threshold Level: 5
Command Mode
Global Configuration
Command Usage
• When broadcast traffic exceeds the specified threshold, packets above that threshold are dropped.
Example
The following shows how to enable broadcast storm control for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast
Console(config-if)#
clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.
• port-channel channel-id (Range: 1-12)
• vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status” on page 3-98.
• port-channel channel-id (Range: 1-12)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 3-118.
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-12)
Default Setting
Shows all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
This example shows the configuration setting for port 2.
Table 4-47 Interfaces Switchport Statistics
Field | Description
Native VLAN | Indicates the default Port VLAN ID (page 4-228).
Priority for untagged traffic | Indicates the default priority for untagged frames (page 4-246).
Gvrp status | Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-221).
Allowed Vlan | Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (page 4-229).
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
Table 4-48 Mirror Port Commands
Command | Function | Mode | Page
port monitor | Configures a mirror session | IC | 4-162
show port monitor | Shows the configuration for a mirror port | PE | 4-163
port monitor
This command configures a mirror session. Use the no form to clear a mirror session.
Example
The following example configures the switch to mirror received packets from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 rx
Console(config-if)#
show port monitor
This command displays mirror information.
Syntax
show port monitor [interface]
interface - ethernet unit/port (source port)
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-26)
Default Setting
Shows all sessions.
Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports. When an interface is configured with this feature, the traffic rate is monitored by the hardware to verify conformity.
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Alternatively, you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Guidelines for Creating Trunks
General Guidelines –
• Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
• A trunk can have up to eight ports.
• The ports at both ends of a connection must be configured as trunk ports.
• All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
Example
The following example creates trunk 1 and then adds port 11:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/11
Console(config-if)#channel-group 1
Console(config-if)#
lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Example
The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Ports must be configured with the same system priority to join the same LAG.
• System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• priority - LACP port priority is used to select a backup link.
Default Setting
Port Channel: all
Command Mode
Privileged Exec
Example
Console#show lacp 1 counters
Port channel : 1
------------------------------------------------------------------------
Eth 1/ 1
------------------------------------------------------------------------
LACPDUs Sent : 21
LACPDUs Received : 21
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
. . .
Table 4-52 show lacp internal - display description
Field | Description
Oper Key | Current operational value of the key for the aggregation port.
Admin Key | Current administrative value of the key for the aggregation port.
LACPDUs Internal | Number of seconds before invalidating received LACPDU information.
LACP System Priority | LACP system priority assigned to this port channel.
LACP Port Priority | LACP port priority assigned to this interface within the channel group.
Table 4-53 show lacp neighbors - display description
Field | Description
Partner Admin System ID | LAG partner’s system ID assigned by the user.
Partner Oper System ID | LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number | Current administrative value of the port number for the protocol Partner.
Partner Oper Port Number | Operational port number assigned to this aggregation port by the port’s protocol partner.
Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics:
• Static addresses will not be removed from the address table when a given interface link is down.
• Static addresses are bound to the assigned interface and will not be moved.
• sort - Sort by address, vlan or interface.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• The MAC Address Table contains the MAC addresses associated with each interface.
Example
Console(config)#mac-address-table aging-time 100
Console(config)#
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging time: 100 sec.
Console#
LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.
LLDP Commands Table 4-56 4 LLDP Commands (Continued) Command Function Mode lldp reinit-delay Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down GC Page 4-183 lldp tx-delay Configures a delay between the successive transmission of GC advertisements initiated by a change in local LLDP MIB variables 4-183 lldp admin-status Enables LLDP transmit, receive, or transmit and receive mode on the specified port IC 4-184 lldp notification Enabl
4 Command Line Interface Table 4-56 LLDP Commands (Continued) Command Function Mode lldp medtlv med-cap Configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities IC Page 4-194 lldp medtlv network-policy Configures an LLDP-MED-enabled port to advertise its network policy configuration IC 4-194 show lldp config Shows LLDP configuration settings for all ports PE 4-195 show lldp info local-device Shows LLDP global and interface-specific configuration settings for
LLDP Commands 4 Command Mode Global Configuration Command Usage The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner. Example Console(config)#lldp holdtime-multiplier 10 Console(config)# lldp medFastStartCount This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
4 Command Line Interface Default Setting 5 seconds Command Mode Global Configuration Command Usage • This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. • Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission.
4 LLDP Commands lldp reinit-delay This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting. Syntax lldp reinit-delay seconds no lldp reinit-delay seconds - Specifies the delay before attempting to re-initialize LLDP.
4 Command Line Interface • This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval Example Console(config)#lldp tx-delay 10 Console(config)# lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status • rx-only - Only receive LLDP PDUs. • tx-only - Only transmit LLDP PDUs.
LLDP Commands 4 the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. • SNMP trap destinations are defined using the snmp-server host command (page 4-137). • Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
4 Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp mednotification Console(config-if)# lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
4 LLDP Commands Syntax [no] lldp basic-tlv port-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
4 Command Line Interface Syntax [no] lldp basic-tlv system-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software.
4 LLDP Commands Syntax [no] lldp dot1-tlv proto-ident Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-ident Console(config-if)# lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port related VLAN information. Use the no form to disable this feature.
4 Command Line Interface Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “switchport native vlan” on page 4-228). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv pvid Console(config-if)# lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name.
4 LLDP Commands Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
Refer to "Frame Size Commands" on page 4-72 for information on configuring the maximum frame size for this switch.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot3-tlv max-frame
Console(config-if)#

lldp dot3-tlv poe
This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities.
Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode). Note that this device does not support PoE capabilities.
Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises location identification details.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp medtlv location
Console(config-if)#

lldp medtlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
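The TLV commands above decide what a neighbor learns from each LLDPDU the switch sends. The following Python builder and decoder is an added example, not code from the manual or from the switch firmware; it encodes the basic Port Description and System Description TLVs, the dot1 Port VLAN ID and VLAN Name TLVs and the dot3 Maximum Frame Size TLV, then decodes them back into named fields so you can see exactly what is disclosed. The chassis MAC, interface name, VLAN name and the system description string are constructed values; the TTL of 120 seconds is the transmit interval (30) multiplied by the hold time multiplier (4) shown by show lldp config below.

```python
import struct

LLDP_DST = bytes.fromhex("0180c200000e")   # LLDP nearest-bridge multicast address
ETHERTYPE_LLDP = 0x88CC
OUI_8021 = bytes.fromhex("0080c2")         # IEEE 802.1 organizationally specific TLVs (dot1)
OUI_8023 = bytes.fromhex("00120f")         # IEEE 802.3 organizationally specific TLVs (dot3)


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in one big-endian word, then the value."""
    if len(value) > 511:
        raise ValueError("TLV value exceeds 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_id, ttl, port_descr, sys_descr, pvid, vlan_name, max_frame):
    """Constructed LLDPDU carrying the basic, dot1 and dot3 TLVs the CLI above switches on and off."""
    name = vlan_name.encode()
    return b"".join([
        tlv(1, b"\x04" + chassis_mac),                        # Chassis ID, subtype 4 = MAC address
        tlv(2, b"\x05" + port_id.encode()),                   # Port ID, subtype 5 = interface name
        tlv(3, struct.pack("!H", ttl)),                       # Time To Live
        tlv(4, port_descr.encode()),                          # Port Description (ifDescr)
        tlv(6, sys_descr.encode()),                           # System Description (sysDescr)
        tlv(127, OUI_8021 + b"\x01" + struct.pack("!H", pvid)),                     # dot1 Port VLAN ID
        tlv(127, OUI_8021 + b"\x03" + struct.pack("!HB", pvid, len(name)) + name),  # dot1 VLAN Name
        tlv(127, OUI_8023 + b"\x04" + struct.pack("!H", max_frame)),                # dot3 Max Frame Size
        tlv(0, b""),                                          # End of LLDPDU
    ])


def parse_lldpdu(pdu):
    """Decode an LLDPDU into named fields; anything unrecognised is kept raw rather than dropped."""
    fields, off = {}, 0
    while off + 2 <= len(pdu):
        hdr, = struct.unpack_from("!H", pdu, off)
        ttype, length = hdr >> 9, hdr & 0x1FF
        value = pdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % off)
        off += 2 + length
        if ttype == 0:
            break
        if ttype == 1:
            fields["chassis_id"] = value[1:].hex(":")
        elif ttype == 2:
            fields["port_id"] = value[1:].decode(errors="replace")
        elif ttype == 3:
            fields["ttl"] = struct.unpack("!H", value)[0]
        elif ttype == 4:
            fields["port_descr"] = value.decode(errors="replace")
        elif ttype == 6:
            fields["sys_descr"] = value.decode(errors="replace")
        elif ttype == 127:
            oui, subtype, data = value[:3], value[3], value[4:]
            if oui == OUI_8021 and subtype == 1:
                fields["pvid"] = struct.unpack("!H", data)[0]
            elif oui == OUI_8021 and subtype == 3:
                vid, nlen = struct.unpack_from("!HB", data)
                fields["vlan_name"] = (vid, data[3:3 + nlen].decode(errors="replace"))
            elif oui == OUI_8023 and subtype == 4:
                fields["max_frame"] = struct.unpack("!H", data)[0]
            else:
                fields.setdefault("other_org", []).append((oui.hex(), subtype, data.hex()))
        else:
            fields.setdefault("other", []).append((ttype, value.hex()))
    return fields


def parse_lldp_frame(frame):
    """Check the Ethernet envelope, then decode the LLDPDU that follows the 14-byte header."""
    if len(frame) < 14 or frame[:6] != LLDP_DST or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    return parse_lldpdu(frame[14:])


# Constructed sample: the advertisement of a port with every TLV in this section left enabled.
SWITCH_MAC = bytes.fromhex("0000abcd0000")
SAMPLE_PDU = build_lldpdu(SWITCH_MAC, "Eth 1/1", 120,
                          "Ethernet Port on unit 1, port 1",
                          "Layer 2 switch, software release 1.0 (constructed value)",
                          1, "DefaultVlan", 1518)
SAMPLE_FRAME = LLDP_DST + SWITCH_MAC + struct.pack("!H", ETHERTYPE_LLDP) + SAMPLE_PDU

if __name__ == "__main__":
    for key, val in parse_lldp_frame(SAMPLE_FRAME).items():
        print("%-12s %s" % (key, val))
```

Running the decoder against a capture of the real switch's frames (for example, the frames seen with tcpdump ether proto 0x88cc on a host plugged into an edge port) shows which of the TLVs above are still on; the sys_descr field is the one that identifies the platform and software version to anyone on the segment.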
Example
Console#show lldp config

LLDP Global Configuration
 LLDP Enable                : Yes
 LLDP Transmit interval     : 30
 LLDP Hold Time Multiplier  : 4
 LLDP Delay Interval        : 2
 LLDP Reinit Delay          : 2
 LLDP Notification Interval : 5
 LLDP MED fast start counts : 4

LLDP Port Configuration
 Interface |AdminStatus NotificationEnabled
 --------- + ----------- -------------------
 Eth 1/1   | Tx-Rx       True
 Eth 1/2   | Tx-Rx       True
 Eth 1/3   | Tx-Rx       True
 Eth 1/4   | Tx-Rx       True
 Eth 1/5   | Tx-Rx       True
 . . .
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.

Syntax
show lldp info local-device [detail interface]
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.

Syntax
show lldp info remote-device [detail interface]
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-26)
  • port-channel channel-id (Range: 1-12)

Command Mode
Privileged Exec

Example
switch#show lldp info statistics

LLDP Device Statistics
 Neighbor Entries List Last Updated :
 New Neighbor Entries Count         :
 Neighbor Entries Deleted Count     :
 Neighbor Entries Dropped Count     :
 Neighbor Entries Ageout Count      :

 Interface
 ---------
 Eth 1/1
 Eth 1/2
 Eth 1/3
 Eth 1/4
 Eth 1/5
 . . .
Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
spanning-tree
This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.

Syntax
[no] spanning-tree

Default Setting
Spanning tree is enabled.

Command Mode
Global Configuration

Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
  - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
Command Usage
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting
32768

Command Mode
Global Configuration

Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., the lowest numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. Note that the election is not authenticated: any device that sends BPDUs with a lower bridge ID than the intended root, whether misconfigured or hostile, takes over as root and reshapes the topology.
spanning-tree transmission-limit
This command configures the maximum number of RSTP/MSTP BPDUs that can be transmitted on a port per second (the transmit hold count). Use the no form to restore the default.

Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - Maximum number of BPDUs transmitted per second. (Range: 1-10)

Default Setting
3

Command Mode
Global Configuration

Command Usage
This command limits the maximum transmission rate for BPDUs.
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.

Syntax
[no] mst instance_id vlan vlan-range
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
• vlan-range - Range of VLANs. (Range: 1-4094)

Default Setting
none

Command Mode
MST Configuration

Command Usage
• Use this command to group VLANs into spanning tree instances.
Default Setting
32768

Command Mode
MST Configuration

Command Usage
• MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
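The root election rule stated for spanning-tree priority and mst priority (lowest priority value wins, lowest MAC breaks ties) and the max-age bounds stated under spanning-tree max-age are small enough to check before you commit a change. The Python below is an added example, not part of the manual: it orders bridge IDs the way STA does, computes the legal max-age range from hello-time and forward-time, and includes the check a practitioner actually wants after setting priorities, namely whether the bridge you intended to be root still wins once another device (here a constructed "rogue" sending priority 0) joins the tree. The bridge names and MAC addresses are constructed.

```python
def bridge_id(priority, mac):
    """Bridge identifier the way STA orders it: the 16-bit priority field first, the MAC as tie-breaker."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must be 0-65535")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("bad MAC address %r" % mac)
    return (priority, mac_bytes)


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Lowest bridge ID wins; equal priorities fall back to the lowest MAC."""
    if not bridges:
        raise ValueError("no bridges")
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def max_age_bounds(hello_time, forward_time):
    """Legal max-age range exactly as stated under spanning-tree max-age above."""
    lowest = max(6, 2 * (hello_time + 1))
    highest = min(40, 2 * (forward_time - 1))
    return lowest, highest


def timers_valid(hello_time, forward_time, max_age):
    lowest, highest = max_age_bounds(hello_time, forward_time)
    return lowest <= max_age <= highest


def root_is_intended(bridges, intended):
    """The check to run after any priority change: does the bridge you meant to be root actually win?"""
    return elect_root(bridges) == intended


# Constructed topology: a core switch deliberately set to priority 4096, two access switches at the default.
NETWORK = {
    "core": (4096, "00:00:ab:cd:00:00"),
    "access-1": (32768, "00:00:ab:cd:00:10"),
    "access-2": (32768, "00:00:ab:cd:00:20"),
}

if __name__ == "__main__":
    print("root:", elect_root(NETWORK))
    with_rogue = dict(NETWORK, rogue=(0, "00:11:22:33:44:55"))   # unmanaged device sending priority-0 BPDUs
    print("root with rogue attached:", elect_root(with_rogue))
    print("max-age range for hello 2 / forward 15:", max_age_bounds(2, 15))
```

With the default timers (hello 2, forward-delay 15) the legal max-age range is 6 to 28, so the default of 20 sits inside it; a priority of 4096 on the core wins against the access switches, but a priority-0 device still wins against the core, which is why the priority on the intended root is a preference, not a control.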
revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.

Syntax
revision number
number - Revision number of the spanning tree. (Range: 0-65535)

Default Setting
0

Command Mode
MST Configuration

Command Usage
The MST region name (page 4-208) and revision number are used to designate a unique MST region. A bridge (i.e.
specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped.

Example
Console(config-mstp)#max-hops 30
Console(config-mstp)#

spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to reenable the spanning tree algorithm for the specified interface.
• Fast Ethernet – half duplex: 200,000; full duplex: 100,000; trunk: 50,000
• Gigabit Ethernet – full duplex: 10,000; trunk: 5,000
• 10 Gigabit Ethernet – full duplex: 1000; trunk: 500

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command is used by the Spanning Tree Algorithm to determine the best path between devices.
Related Commands
spanning-tree cost (4-210)

spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.

Syntax
[no] spanning-tree edge-port

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
Command Usage
• This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding.
• Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
• RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree link-type point-to-point

spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree mst 1 cost 50
Console(config-if)#

Related Commands
spanning-tree mst port-priority (4-215)

spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.

Syntax
spanning-tree protocol-migration interface
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.
Command Usage
• Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
• Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
---------------------------------------------------------------
Eth 1/ 1 information
---------------------------------------------------------------
 Admin status             : enable
 Role                     : root
 State                    : forwarding
 External admin path cost : 10000
 Internal admin cost      : 10000
 External oper path cost  : 10000
 Internal oper path cost  : 10000
 Priority                 : 128
 Designated cost          : 200000
 Designated port          : 128.24
 Designated root          : 32768.0.0000ABCD0000
 Designated bridge        : 32768.0.
VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.

Syntax
[no] bridge-ext gvrp

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. Because any GVRP-capable neighbor can then register a port into VLANs dynamically, leave the per-port setting (switchport gvrp) disabled on ports that face end hosts or untrusted devices.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.

Syntax
[no] switchport gvrp

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Example
Console(config)#interface ethernet 1/6
Console(config-if)#switchport gvrp
Console(config-if)#

show gvrp configuration
This command shows if GVRP is enabled.

Syntax
show gvrp configuration [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.

Syntax
garp timer {join | leave | leaveall} timer_value
no garp timer {join | leave | leaveall}
• {join | leave | leaveall} - Which timer to set.
• timer_value - Value of timer.
show garp timer
This command shows the GARP timers for the selected interface.

Syntax
show garp timer [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-12)

Default Setting
Shows all GARP timers.
Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#

Related Commands
shutdown (4-155)

switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.

Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
• all - The port accepts all frames, tagged or untagged.
• tagged - The port only receives tagged frames.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Ingress filtering only affects tagged frames.
• With ingress filtering enabled, a port will discard received frames tagged for VLANs of which it is not a member.
• Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STA. However, it does affect VLAN dependent BPDU frames, such as GMRP.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.

Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged. Setting a VLAN untagged will also change the native VLAN of the port to this VLAN.
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:

Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#

switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
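The three per-port settings just described (switchport acceptable-frame-types, switchport ingress-filtering and switchport allowed vlan with its one-untagged-VLAN note) together decide which VLAN a received frame lands in, or whether it is dropped. The Python model below is an added example, not code from the manual or the switch; it applies those rules as the text states them and adds the question a reviewer of an edge port wants answered: which VLANs can a host behind this port inject frames into simply by choosing its own 802.1Q tag? The port dictionaries and VIDs are constructed values.

```python
def make_port(pvid=1, allowed=(1,), acceptable="all", ingress_filtering=True):
    """Constructed port model holding the settings the switchport commands above control."""
    if acceptable not in ("all", "tagged"):
        raise ValueError("acceptable-frame-types is 'all' or 'tagged'")
    return {"pvid": pvid, "untagged": pvid, "allowed": set(allowed) | {pvid},
            "acceptable": acceptable, "ingress_filtering": ingress_filtering}


def set_untagged(port, vid):
    """switchport allowed vlan add <vid> untagged: one untagged VLAN per port, and it becomes the native VLAN.
    The previously untagged VLAN stays in the allowed list but is now sent tagged."""
    port["allowed"].add(vid)
    port["untagged"] = vid
    port["pvid"] = vid


def ingress_vlan(port, tag_vid=None):
    """Return the VLAN a received frame is assigned to, or None when the port discards it.
    tag_vid is None for an untagged frame, 0 for a priority-tagged frame, else the VID in the tag."""
    if tag_vid is None or tag_vid == 0:
        if port["acceptable"] == "tagged":
            return None                       # only tagged frames are admitted on this port
        return port["pvid"]                   # untagged and priority-tagged frames join the native VLAN
    if not 1 <= tag_vid <= 4094:
        return None                           # 4095 is reserved and never a valid member VLAN
    if port["ingress_filtering"] and tag_vid not in port["allowed"]:
        return None                           # tagged for a VLAN of which this port is not a member
    return tag_vid


def injectable_vlans(port):
    """VLANs a device behind this port can put frames into by choosing its own tag.
    With ingress filtering disabled the answer is every VLAN, which is the setting to look for on edge ports."""
    vids = set()
    if port["acceptable"] == "all":
        vids.add(port["pvid"])
    if port["ingress_filtering"]:
        vids |= port["allowed"]
    else:
        vids |= set(range(1, 4095))
    return vids


if __name__ == "__main__":
    trunk = make_port(pvid=1, allowed=(1, 2, 5, 6))          # the port from the example above
    for vid in (None, 0, 5, 99):
        print("tag", vid, "->", ingress_vlan(trunk, vid))
    print("injectable on trunk:", sorted(injectable_vlans(trunk)))
    print("injectable with filtering off:", len(injectable_vlans(make_port(ingress_filtering=False))))
```

Read against a running configuration, the function turns "switchport ingress-filtering" from a checkbox into a concrete statement: on a port that does not filter, the allowed list limits what the port sends, not what a host can send into the switch.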
Displaying VLAN Information

Table 4-62 Show VLAN Commands
Command                      Function                                                            Mode    Page
show vlan                    Shows VLAN information                                              NE, PE  4-231
show interfaces status vlan  Displays status for the specified VLAN interface                    NE, PE  4-157
show interfaces switchport   Displays the administrative and operational status of an interface  NE, PE  4-159

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider's network even when they use the same customer-specific VLAN IDs.
Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.

Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#

Related Commands
show dot1q-tunnel (4-234)
show interfaces switchport (4-159)

switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
switchport dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.

Syntax
switchport dot1q-tunnel tpid tpid
no switchport dot1q-tunnel tpid
tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#interface ethernet 1/2
Console(config-if)#switchport dot1q-tunnel mode uplink
Console(config-if)#end
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
The dot1q-tunnel
. . .
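What the access and uplink tunnel ports above do to a frame is easiest to see at the byte level. The Python below is an added example, not code from the manual or the switch firmware: it builds a constructed customer frame tagged with customer VLAN 100, pushes the service VLAN tag the way the access port does on ingress, pops it again on egress, and walks the resulting tag stack. It also shows the consequence of the switchport dot1q-tunnel tpid setting: a device that only recognises 0x8100 sees a frame whose outer tag uses 0x88A8 as an untagged frame with an unknown ethertype, so the customer tag underneath is invisible to it. The MAC addresses, VIDs and payload are constructed; 0x88A8 is used here only as an example of a nonstandard TPID.

```python
import struct

TPID_8021Q = 0x8100          # standard ethertype, the default of the tpid command above
TPID_8021AD = 0x88A8         # a nonstandard TPID a provider network might configure instead
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, ethertype, payload):
    """tags: list of (tpid, pcp, dei, vid), outermost first."""
    frame = _mac(dst) + _mac(src)
    for tpid, pcp, dei, vid in tags:
        frame += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0xFFF))
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame, tpids=(TPID_8021Q,)):
    """Walk the tag stack. Returns (tags, ethertype, payload). An ethertype not listed in `tpids` ends the
    walk, which is exactly how a switch with a mismatched tpid setting sees a double-tagged frame."""
    off, tags = 12, []
    while True:
        ethertype, = struct.unpack_from("!H", frame, off)
        if ethertype not in tpids:
            return tags, ethertype, frame[off + 2:]
        tci, = struct.unpack_from("!H", frame, off + 2)
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0xFFF))
        off += 4


def access_port_ingress(frame, spvlan, tpid=TPID_8021Q, pcp=0):
    """dot1q-tunnel mode access, customer to provider: push the service tag in front of whatever the
    customer sent, leaving the customer's own tag (if any) untouched underneath."""
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | (spvlan & 0xFFF)) + frame[12:]


def access_port_egress(frame, spvlan, tpid=TPID_8021Q):
    """Provider to customer: pop the outer service tag after checking it is the expected one."""
    outer_tpid, tci = struct.unpack_from("!HH", frame, 12)
    if outer_tpid != tpid or (tci & 0xFFF) != spvlan:
        raise ValueError("outer tag is not the expected service VLAN")
    return frame[:12] + frame[16:]


# Constructed customer frame: tagged with the customer's own VLAN 100, priority 5.
CUSTOMER_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                             [(TPID_8021Q, 5, 0, 100)], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    tunneled = access_port_ingress(CUSTOMER_FRAME, 200)
    print("double-tagged stack:", parse_tags(tunneled)[0])
    tunneled_ad = access_port_ingress(CUSTOMER_FRAME, 200, tpid=TPID_8021AD)
    print("same frame seen by an 0x8100-only device:", parse_tags(tunneled_ad)[:2])
```

The last print is the practical caveat of the tpid command: every device on the provider path must agree on the TPID, otherwise the service tag is not parsed as a tag and the switch classifies the frame by whatever rule applies to untagged traffic on that port.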
Table 4-64 Private VLAN Commands
Command                                   Function                                            Mode  Page
private-vlan association                  Associates a community VLAN with a primary VLAN     VC    4-237
Configure Private VLAN Interfaces
switchport mode private-vlan              Sets an interface to host mode or promiscuous mode  IC    4-238
switchport private-vlan host-association  Associates an interface with a secondary VLAN       IC    4-239
switchport private-vlan isolated          Associates an interface with an isolated VLAN       IC    4-239
switchport priv
private-vlan
Use this command to create a primary, community, or isolated private VLAN. Use the no form to remove the specified private VLAN.

Syntax
private-vlan vlan-id {community | primary | isolated}
no private-vlan vlan-id
• vlan-id - ID of private VLAN. (Range: 1-4094, no leading zeroes).
• community - A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associated primary VLAN.
no private-vlan primary-vlan-id association
• primary-vlan-id - ID of primary VLAN. (Range: 1-4094, no leading zeroes).
• secondary-vlan-id - ID of secondary (i.e., community) VLAN. (Range: 1-4094, no leading zeroes).

Default Setting
None

Command Mode
VLAN Configuration

Command Usage
Secondary VLANs provide security for group members. The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN (e.g.
• To assign a promiscuous port or host port to an isolated VLAN, use the switchport private-vlan isolated command.

Example
Console(config)#interface ethernet 1/2
Console(config-if)#switchport mode private-vlan promiscuous
Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#switchport mode private-vlan host
Console(config-if)#

switchport private-vlan host-association
Use this command to associate an interface with a secondary VLAN.
Default Setting
None

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
Host ports assigned to an isolated VLAN cannot pass traffic between group members, and must communicate with resources outside of the group via a promiscuous port.

Example
Console(config)#interface ethernet 1/3
Console(config-if)#switchport private-vlan isolated 3
Console(config-if)#

switchport private-vlan mapping
Use this command to map an interface to a primary VLAN.
show vlan private-vlan
Use this command to show the private VLAN configuration settings on this switch.

Syntax
show vlan private-vlan [community | isolated | primary]
• community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
• isolated – Displays an isolated VLAN, along with the assigned promiscuous interface and host interfaces. The Primary and Secondary fields both display the isolated VLAN ID.
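The private VLAN commands above describe three port roles (promiscuous, community host, isolated host) and the traffic each may exchange. Before relying on that isolation it is worth writing the rules down and checking every port pair, which is what the added Python below does; it is an example written for this page, not code from the manual or the switch. The configuration it checks is constructed to mirror the examples above (promiscuous port Eth 1/2, host port Eth 1/3 in isolated VLAN 3) with additional constructed community VLANs 6 and 7 under primary VLAN 5; validate_pvlan also catches the misconfiguration the private-vlan association command guards against, a host bound to a secondary VLAN that was never associated with the primary.

```python
def validate_pvlan(primary, associations, ports):
    """primary: primary VLAN ID. associations: {secondary_vid: 'community' | 'isolated'} bound to the
    primary with private-vlan association. ports: {name: (mode, vid)} where mode is 'promiscuous'
    (vid must be the primary) or 'host' (vid is the secondary VLAN the host is associated with)."""
    for name, (mode, vid) in ports.items():
        if mode == "promiscuous":
            if vid != primary:
                raise ValueError("%s: promiscuous port must map to primary VLAN %d" % (name, primary))
        elif mode == "host":
            if vid not in associations:
                raise ValueError("%s: VLAN %d is not associated with primary VLAN %d" % (name, vid, primary))
        else:
            raise ValueError("%s: unknown port mode %r" % (name, mode))
    for vid, kind in associations.items():
        if kind not in ("community", "isolated"):
            raise ValueError("VLAN %d: secondary VLAN type must be community or isolated" % vid)


def can_forward(associations, ports, src, dst):
    """Apply the private VLAN forwarding rules from the text to one ordered pair of ports."""
    if src == dst:
        return False
    src_mode, src_vid = ports[src]
    dst_mode, dst_vid = ports[dst]
    if src_mode == "promiscuous" or dst_mode == "promiscuous":
        return True                        # promiscuous ports reach every host in the primary VLAN
    if src_vid != dst_vid:
        return False                       # hosts in different secondary VLANs never talk directly
    return associations[src_vid] == "community"   # community members reach each other; isolated hosts do not


def reachability(associations, ports):
    """Full matrix of ordered port pairs; the thing to diff against what you expect."""
    return {(s, d): can_forward(associations, ports, s, d) for s in ports for d in ports if s != d}


# Constructed configuration modelled on the examples above.
PRIMARY = 5
ASSOCIATIONS = {3: "isolated", 6: "community", 7: "community"}
PORTS = {
    "Eth 1/2": ("promiscuous", 5),
    "Eth 1/3": ("host", 3), "Eth 1/4": ("host", 3),      # isolated VLAN 3
    "Eth 1/5": ("host", 6), "Eth 1/6": ("host", 6),      # community VLAN 6
    "Eth 1/7": ("host", 7),                              # community VLAN 7
}

if __name__ == "__main__":
    validate_pvlan(PRIMARY, ASSOCIATIONS, PORTS)
    for (s, d), ok in sorted(reachability(ASSOCIATIONS, PORTS).items()):
        print("%s -> %s: %s" % (s, d, "forward" if ok else "blocked"))
```

For the constructed configuration the matrix contains exactly 12 permitted ordered pairs: the promiscuous port to and from each of the five hosts, plus the two directions between the two members of community VLAN 6. Two isolated hosts on the same VLAN never reach each other, which is the property the isolated VLAN is for.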
Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
manually defines the protocol-type with its hexadecimal code instead of choosing the preconfigured apple_talk, ip, or ipx protocol-types. The three preconfigured protocol-types match all frame-types.

Default Setting
No protocol groups are configured.

Command Mode
Global Configuration

Example
The following creates protocol group 1, and specifies the IPX protocol type.
  - If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
  - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.

Example
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
show interfaces protocol-vlan protocol-group
This command shows the mapping from protocol groups to VLANs for the selected interfaces.

Syntax
show interfaces protocol-vlan protocol-group [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-12)

Default Setting
The mapping for all interfaces is displayed.
Priority Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues.
• hybrid - Services the highest priority queue (3) according to strict priority queuing, after which the 3 lower priority queues (0, 1, 2) are processed according to their WRR weightings.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• The precedence for priority mapping is IP DSCP, and default switchport priority.
• The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. Because those bits are taken from the frame as received, a host that sends tagged frames into a port chooses its own CoS value, and with it the output queue its traffic is placed in.
• Each queue's weight must be less than or equal to the weight of the next higher priority queue (that is, Q0 ≤ Q1 ≤ Q2 ≤ Q3).

Example
This example shows how to assign WRR weights to priority queues 0 - 2:

Console(config)#queue bandwidth 6 9 12
Console(config)#

Related Commands
show queue bandwidth (4-250)

queue cos-map
This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 3). Use the no form to set the CoS map to the default values.
Example
The following example shows how to change the CoS assignments:

Console(config)#interface ethernet 1/1
Console(config-if)#queue cos-map 0 0
Console(config-if)#queue cos-map 1 1
Console(config-if)#queue cos-map 2 2
Console(config-if)#exit
Console#show queue cos-map ethernet 1/1
Information of Eth 1/1
 Traffic Class : 0 1 2 3 4 5 6 7
 Priority Queue: 0 1 2 1 2 2 3 3
Console#

Related Commands
show queue cos-map (4-251)

show queue mode
This command shows the current queue mode.
Example
Console#show queue bandwidth
Queue ID Weight
-------- ------
       0      1
       1      2
       2      4
       3      8
Console#

show queue cos-map
This command shows the class of service priority map.

Syntax
show queue cos-map [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.
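The queue mode (strict, WRR, or hybrid as described above), the queue bandwidth weights and the CoS-to-queue map together decide which frames leave a congested port first. The Python scheduler below is an added example, not code from the manual or the switch hardware: it simulates transmit slots on one port under each mode, checks the weight rule (Q0 ≤ Q1 ≤ Q2 ≤ Q3) and makes the hybrid-mode caveat concrete, namely that queue 3 is served to exhaustion before queues 0-2 see any slot at all. The weights 1/2/4/8 and 6/9/12 and the CoS map are the values shown in the examples above; the packet counts are constructed.

```python
from collections import deque

# CoS-to-queue map as displayed by `show queue cos-map ethernet 1/1` in the example above.
COS_MAP = {0: 0, 1: 1, 2: 2, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def validate_weights(weights):
    """queue bandwidth rule from the text: each weight must not exceed the next higher queue's weight."""
    values = [weights[q] for q in sorted(weights)]
    return all(a <= b for a, b in zip(values, values[1:]))


def fill(packets_per_queue):
    """Constructed backlog: {queue: count} -> {queue: deque of packet labels}."""
    return {q: deque("q%d-%d" % (q, i) for i in range(n)) for q, n in packets_per_queue.items()}


def schedule(queues, weights, mode, slots):
    """Simulate `slots` transmit opportunities on one port and return [(queue, packet), ...].
    strict: the highest non-empty queue always wins.
    wrr: round-robin over queues 3..0, weights[q] packets per queue per round.
    hybrid: queue 3 strict, then WRR over queues 2..0 (weights then only need keys 0-2)."""
    if mode not in ("strict", "wrr", "hybrid"):
        raise ValueError("mode must be strict, wrr or hybrid")
    wrr_order = [3, 2, 1, 0] if mode == "wrr" else [2, 1, 0]
    credits = dict(weights)
    sent = []
    for _ in range(slots):
        if not any(queues.values()):
            break
        if mode != "wrr" and queues[3]:
            sent.append((3, queues[3].popleft()))      # strict service for the top queue
            continue
        if mode == "strict":
            q = max(q for q in queues if queues[q])
            sent.append((q, queues[q].popleft()))
            continue
        candidates = [q for q in wrr_order if queues[q] and credits[q] > 0]
        if not candidates:
            credits = dict(weights)                       # round exhausted: refill every queue's credit
            candidates = [q for q in wrr_order if queues[q]]
        q = candidates[0]
        credits[q] -= 1
        sent.append((q, queues[q].popleft()))
    return sent


def per_queue(sent):
    counts = {}
    for q, _ in sent:
        counts[q] = counts.get(q, 0) + 1
    return counts


if __name__ == "__main__":
    print("wrr 1/2/4/8, one round:", per_queue(schedule(fill({0: 20, 1: 20, 2: 20, 3: 20}),
                                                        {0: 1, 1: 2, 2: 4, 3: 8}, "wrr", 15)))
    # hybrid with a flood of CoS 6/7 frames sitting in queue 3: nothing else is sent until it drains
    print("hybrid, 10 slots:", per_queue(schedule(fill({0: 20, 1: 20, 2: 20, 3: 10}),
                                                  {0: 6, 1: 9, 2: 12}, "hybrid", 10)))
```

Combined with the note above that tagged frames carry their own 802.1p bits, the hybrid run shows why queue 3 should be reachable only from ports you trust to mark traffic: anything a host can tag with CoS 6 or 7 lands in the strict queue and takes every slot while it lasts.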
Priority Commands (Layer 3 and 4)

Table 4-69 Priority Commands (Layer 3 and 4)
Command             Function                                                   Mode  Page
map ip dscp         Configures IP DSCP to CoS queue mapping                    GC    4-252
map ip port         Configures TCP port to CoS queue mapping                   GC    4-253
map ip precedence   Configures IP precedence to CoS queue mapping              GC    4-258
map ip tos          Configures IP ToS to CoS queue mapping                     GC    4-258
map access-list ip  Sets the output queue for packets matching an IP ACL rule  IC    4-256
map access-l
Command Usage
• The command map ip dscp enables the feature on the switch. The command map ip dscp dscp-value cos cos-queue maps DSCP values to port CoS queues.
• The precedence for priority mapping is IP Port, IP Precedence/DSCP/TOS, and default switchport priority.
• This command sets the IP DSCP priority for all interfaces.
• IP Precedence, IP DSCP, and IP TOS Priority cannot all be enabled at the same time. Enabling one of these priority types automatically disables the others.
Example
The following example shows how to map HTTP traffic to CoS queue 0, then enable the feature globally on the switch.

Console(config)#map ip port 80 cos 0
Console(config)#map ip port
Console(config)#

map ip precedence
Use this command to enable and set IP precedence priority mapping. Use the no form to disable the feature or restore a default setting.
Example
The following example shows how to map IP precedence value 1 to CoS value 0 and enable the feature on the switch.

Console(config)#map ip precedence 1 cos 0
Console(config)#map ip precedence

map ip tos
Use this command to enable and set IP TOS priority mapping (i.e., IP Type of Service priority mapping). Use the no form to disable the feature or restore a default setting.

Syntax
map ip tos [tos-value cos cos-queue]
no map ip tos [tos-value]
• tos-value - 4-bit TOS value.
Example
The following example shows how to map IP TOS value 0 to CoS value 1 and enable the feature on the switch.

Console(config)#map ip tos 0 cos 1
Console(config)#map ip tos

map access-list ip
This command sets the output queue for packets matching an IP ACL rule. Use the no form to remove the CoS queue mapping.

Syntax
[no] map access-list ip acl_name cos cos-queue
• acl_name – Name of the IP ACL. (Maximum length: 16 characters)
• cos-queue – Port CoS queue.
Command Usage
You must configure an ACL before you can map a CoS queue to the rule.

Example
Console(config)#interface ethernet 1/2
Console(config-if)#map access-list mac steve cos 0
Console(config-if)#

show map ip dscp
This command shows the IP DSCP priority map.

Syntax
show map ip dscp

Command Mode
Privileged Exec

Example
Console#show map ip dscp
dscp Mapping Status: Disabled
 DSCP COS
 ---- ---
    0   1
    1   0
    2   0
    3   0
 . . .
Example
The following shows that FTP traffic has been mapped to CoS value 2:

Console#show map ip port
TCP Port Mapping Status: Disabled
 Port no. COS
 -------- ---
       21   2
Console#

Related Commands
map ip port (4-253)

show map ip precedence
Use this command to show the IP precedence priority map.
Example
Console#show map ip tos
tos Mapping Status: Disabled
 TOS COS
 --- ---
   0   0
   1   0
   2   1
   3   0
   4   2
   5   0
   6   0
   7   0
   8   3
   9   0
  10   0
  11   0
  12   0
  13   0
  14   0
  15   0
Console#

Related Commands
map ip tos (4-255)

show map access-list
This command shows the CoS queue mapped to an ACL for the current interface.

Syntax
show map access-list {ip | mac} [interface]
• ip - Specifies IP ACLs.
• mac - Specifies MAC ACLs.
• interface
  - ethernet unit/port
    - unit - This is device 1.
    - port - Port number.
Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Notes:
1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
2. You should create a Class Map (page 4-261) before creating a Policy Map (page 4-263). Otherwise, you will not be able to specify a Class Map with the class command (page 4-263) after entering Policy-Map Configuration mode.

class-map
This command creates a class map used for matching packets to the specified class, and enters Class Map configuration mode.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.

Syntax
[no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
• acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
• dscp - A DSCP value. (Range: 0-63)
• ip-precedence - An IP Precedence value. (Range: 0-7)
• vlan - A VLAN.
policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode.

Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.
Command Mode
Policy Map Configuration

Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the:
  - set command classifies the service that an IP packet will receive.
Example
This example creates a policy called "rd_policy," uses the class command to specify the previously defined "rd_class," uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
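The police action in that example is a single-rate token bucket: tokens accrue at the committed rate up to the burst size, a packet conforms when the bucket holds at least its size, and a violating packet is dropped. The Python below is an added example written for this page, not code from the manual or the switch; it models that policer with the example's own parameters (100,000 Kbps, 1522-byte burst, drop on violation) and runs two constructed arrival patterns through it to show the caveat a practitioner wants before copying the numbers: with the burst set to one maximum-size tagged frame, a short back-to-back burst is mostly dropped even though its average rate is far below the limit.

```python
class TokenBucket:
    """Single-rate policer: tokens accrue at the committed rate, capped at the burst size.
    A packet conforms if the bucket holds at least its size in tokens; otherwise it violates."""

    def __init__(self, rate_kbps, burst_bytes):
        if rate_kbps <= 0 or burst_bytes <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate_bytes_per_s = rate_kbps * 1000 / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)        # the bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        if now < self.last:
            raise ValueError("timestamps must not go backwards")
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bytes_per_s)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "violate"


def police(packets, rate_kbps, burst_bytes, violate_action="drop"):
    """packets: iterable of (time_seconds, size_bytes) in arrival order.
    Returns [(time, size, verdict, action)], where action is 'forward' or the configured violate action."""
    bucket = TokenBucket(rate_kbps, burst_bytes)
    results = []
    for when, size in packets:
        verdict = bucket.offer(when, size)
        action = "forward" if verdict == "conform" else violate_action
        results.append((when, size, verdict, action))
    return results


def dropped_bytes(results):
    return sum(size for _, size, _, action in results if action == "drop")


# Constructed inputs. Ten 1500-byte packets arriving at the same instant, then one more 1 ms later,
# versus ten packets spaced at the 100 Mbit/s serialisation time of a 1500-byte packet (120 us).
BURST_OF_TEN = [(0.0, 1500)] * 10 + [(0.001, 1500)]
LINE_RATE_SPACED = [(i * 0.00012, 1500) for i in range(10)]

if __name__ == "__main__":
    for label, pkts in (("burst", BURST_OF_TEN), ("spaced", LINE_RATE_SPACED)):
        res = police(pkts, 100000, 1522)
        print(label, [r[2] for r in res], "dropped bytes:", dropped_bytes(res))
```

At 100,000 Kbps the bucket refills 1500 bytes every 120 microseconds, so packets spaced at line rate all conform, while a burst that arrives faster than that loses every packet after the first until the bucket refills. Whether that is acceptable depends on the traffic; if not, raise the burst to the number of back-to-back frames you intend to admit.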
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.

Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-16 characters)

Default Setting
Displays all class maps.
Example
Console#show policy-map
Policy Map rd_policy
 class rd_class
  set ip dscp 3
Console#show policy-map rd_policy class rd_class
Policy Map rd_policy
 class rd_class
  set ip dscp 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.

Syntax
show policy-map interface interface input
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.
Voice VLAN Commands
Table 4-74 Voice VLAN Commands
Command                          Function                                  Mode  Page
switchport voice vlan security   Enables Voice VLAN security on ports      IC    4-272
switchport voice vlan priority   Sets the VoIP traffic priority for ports  IC    4-273
show voice vlan                  Displays Voice VLAN settings              PE    4-274

voice vlan
This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
4 Command Line Interface voice vlan aging This command sets the Voice VLAN ID time out. Use the no form to restore the default. Syntax voice vlan aging minutes no voice vlan minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) Default Setting 1440 minutes Command Mode Global Configuration Command Usage The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.
Voice VLAN Commands 4 Command Usage • VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
4 Command Line Interface switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port. Syntax [no] switchport voice vlan rule {oui | lldp} • oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address. • lldp - Uses LLDP to discover VoIP devices attached to the port.
4 Voice VLAN Commands Command Usage • Security filtering discards any non-VoIP packets received on the port that are tagged with voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch. Packets received from non-VoIP sources are dropped. • When enabled, be sure the MAC address ranges for VoIP devices are configured in the Telephony OUI list.
4 Command Line Interface show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} • oui - Displays the OUI Telephony list. • status - Displays the global and port Voice VLAN settings.
Multicast Filtering Commands 4 Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
4 Command Line Interface Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface • vlan-id - VLAN ID (Range: 1-4094) • ip-address - IP address for multicast group • interface • ethernet unit/port - unit - Stack unit.
Multicast Filtering Commands 4 • 2 - IGMP Version 2 • 3 - IGMP Version 3 Default Setting IGMP Version 2 Command Mode Global Configuration Command Usage • All systems on the subnet must support the same version. If there are legacy devices in your network that only support Version 1, you will also have to configure this switch to use Version 1.
4 Command Line Interface Example Console(config)#ip igmp snooping leave-proxy Console(config)# ip igmp snooping immediate-leave This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
4 Multicast Filtering Commands Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-209 for a description of the displayed items.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1:
Console#show mac-address-table multicast vlan 1 igmp-snooping
 VLAN M'cast IP addr.  Member ports  Type
 ---- ---------------  ------------  ------
    1 224.1.2.3        Eth1/11       IGMP
Console#

IGMP Query Commands (Layer 2)
This section describes commands used to configure Layer 2 IGMP query on the switch.
Multicast Filtering Commands 4 Example Console(config)#ip igmp snooping querier Console(config)# ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
4 Command Line Interface Default Setting 125 seconds Command Mode Global Configuration Example The following shows how to configure the query interval to 100 seconds: Console(config)#ip igmp snooping query-interval 100 Console(config)# ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default.
Multicast Filtering Commands 4 ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
4 Command Line Interface ip igmp snooping vlan mrouter This command statically configures a multicast router port. Use the no form to remove the configuration. Syntax [no] ip igmp snooping vlan vlan-id mrouter interface • vlan-id - VLAN ID (Range: 1-4094) • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26) • port-channel channel-id (Range: 1-12) Default Setting No static multicast router ports are configured.
Command Usage
Multicast router port types displayed include Static.
Example
The following shows that port 11 in VLAN 1 is attached to a multicast router:
Console#show ip igmp snooping mrouter vlan 1
 VLAN M'cast Router Ports  Type
 ---- -------------------  ------
    1 Eth 1/11             Static
    2 Eth 1/12             Static
Console#

IGMP Filtering and Throttling Commands
In certain switch applications, the administrator may want to control the multicast services that are available to end users.
4 Command Line Interface Command Mode Global Configuration Command Usage • IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, IGMP join reports received on the port are checked against the filter profile.
Multicast Filtering Commands 4 Syntax {permit | deny} Default Setting Deny Command Mode IGMP Profile Configuration Command Usage • Each profile has only one access mode; either permit or deny. • When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
4 Command Line Interface ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface. Syntax [no] ip igmp filter profile-number profile-number - An IGMP filter profile number.
Multicast Filtering Commands 4 action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group. • IGMP throttling can also be set on a trunk interface. When ports are configured as trunk members, the trunk uses the throttling settings of the first port member in the trunk.
  - port - Port number. (Range: 1-26)
• port-channel channel-id (Range: 1-12)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip igmp filter
IGMP filter enabled
Console#show ip igmp filter interface ethernet 1/1
Ethernet 1/1 information
---------------------------------
 IGMP Profile 19
     Deny
     range 239.1.1.1 239.1.1.1
     range 239.2.3.1 239.2.3.100
Console#

show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
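To make the filter-profile and throttling rules from the preceding commands concrete, here is an added Python model of the decision the switch makes for each IGMP join report; it is not the switch's own code. It uses profile 19 from the show ip igmp filter output above, and the port name, max-groups value and lease of the demo are constructed.

```python
"""Model of IGMP filter profiles and per-port throttling (added example).

Rules mirrored from the manual: a profile has one access mode over one or
more address ranges (permit processes joins only inside a range, deny only
outside every range); a port has a max-groups limit with an action of deny
(drop the new join) or replace (evict a random existing group).
"""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IgmpProfile:
    """One IGMP filter profile: a single access mode over one or more ranges."""
    number: int
    access: str                  # "permit" or "deny" (switch default is deny)
    ranges: list                 # (low, high) inclusive IPv4 address strings

    def in_range(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        return any(ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi)
                   for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        # permit: joins are processed only for groups inside a range;
        # deny: joins are processed only for groups outside every range.
        inside = self.in_range(group)
        return inside if self.access == "permit" else not inside


@dataclass
class ThrottledPort:
    """Per-port state: optional profile, max-groups limit and overflow action."""
    name: str
    max_groups: int
    action: str = "deny"         # "deny" drops new joins, "replace" evicts one
    profile: Optional[IgmpProfile] = None
    groups: set = field(default_factory=set)
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def join(self, group: str) -> str:
        """Apply a join report and return what the switch would do with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                  # profile check happens first
        if group in self.groups:
            return "already-member"
        if len(self.groups) < self.max_groups:
            self.groups.add(group)
            return "joined"
        if self.action == "deny":
            return "throttled"                 # limit reached, join dropped
        # replace: the switch removes an existing group at random and swaps in the new one
        victim = self.rng.choice(sorted(self.groups))
        self.groups.remove(victim)
        self.groups.add(group)
        return f"replaced {victim}"


def demo() -> dict:
    """Walk profile 19 (from the show ip igmp filter output) on a constructed port."""
    profile = IgmpProfile(19, "deny", [("239.1.1.1", "239.1.1.1"),
                                       ("239.2.3.1", "239.2.3.100")])
    port = ThrottledPort("eth1/1", max_groups=2, action="replace",
                         profile=profile)          # constructed settings
    results = {
        "239.1.1.1": port.join("239.1.1.1"),      # inside a deny range -> filtered
        "239.2.3.101": port.join("239.2.3.101"),  # just past the range -> joined
        "224.1.2.3": port.join("224.1.2.3"),      # joined, limit of 2 reached
        "224.1.2.4": port.join("224.1.2.4"),      # limit hit, replace evicts one
    }
    results["members"] = sorted(port.groups)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```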
4 Multicast VLAN Registration Commands show ip igmp throttle interface This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26) • port-channel channel-id (Range: 1-12) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces.
4 Command Line Interface and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong.
Multicast VLAN Registration Commands 4 Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group. • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
4 Command Line Interface Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering. • MVR receiver ports cannot be members of a trunk. Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN. IGMP snooping can be used to allow a receiver port to dynamically join or leave multicast groups within the MVR VLAN.
4 Multicast VLAN Registration Commands show mvr This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword. Syntax show mvr [interface [interface] | members [ip-address]] • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
The following displays information about the interfaces attached to the MVR VLAN:
Console#show mvr interface
 Port     Type      Status         Immediate Leave
 -------  --------  -------------  ---------------
 eth1/1   SOURCE    ACTIVE/UP      Disable
 eth1/2   RECEIVER  ACTIVE/UP      Disable
 eth1/5   RECEIVER  INACTIVE/DOWN  Disable
 eth1/6   RECEIVER  INACTIVE/DOWN  Disable
 eth1/7   RECEIVER  INACTIVE/DOWN  Disable
Console#

Table 4-82 show mvr interface - display description
Field  Description
Port   Shows interfaces attached to th
IP Interface Commands 4 IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.
4 Command Line Interface • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask). • You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch.
IP Interface Commands 4 ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. • DHCP requires the server to reassign the client’s last address if available.
show ip redirects
This command shows the default gateway configured for this device.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip redirects
IP default gateway 10.1.0.254
Console#
Related Commands
ip default-gateway (4-298)

ping
This command sends ICMP echo request packets to another node on the network.
Syntax
ping host [size size] [count count]
• host - IP address or IP alias of the host.
• size - Number of bytes in a packet.
Example
Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
Ping statistics for 10.1.0.
DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other untrusted devices, and to pass port-related information (the DHCP Option 82 information described later in this section) to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
DHCP Snooping Commands 4 • When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping. • Table entries are only learned for untrusted interfaces. Each entry includes a MAC address, IP address, lease time, entry type (Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier. • When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second.
4 Command Line Interface Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (4-304) ip dhcp snooping trust (4-305) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
4 DHCP Snooping Commands ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
4 Command Line Interface ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
DHCP Snooping Commands 4 • When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN. • DHCP snooping must be enabled on the switch for the DHCP Option 82 information to be inserted into packets.
4 Command Line Interface ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mode Global Configuration Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
IP Source Guard Commands
show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping binding
 MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
 -----------------  ---------------  ----------  --------------------  ----  ---------
 11-22-33-44-55-66  192.168.0.
Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecured port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. • Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port.
Example
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
Related Commands
ip source-guard binding (4-311)
ip dhcp snooping (4-302)
ip dhcp snooping vlan (4-304)

ip source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
4 Command Line Interface - If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. - If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding. Example This example configures a static source-guard binding on port 5.
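The binding-table rules above (dynamic entries learned by DHCP snooping on untrusted ports, a static binding replacing an existing entry with the same VLAN and MAC, and per-port filtering in sip or sip-mac mode) are modelled in this added Python example; it is not the switch's firmware. Two points are assumptions rather than statements from this manual: that "sip" checks only the source IP while "sip-mac" checks source IP and MAC, and that a later DHCP lease does not overwrite a static entry; the port names, lease times and the second IP addresses are constructed.

```python
"""Model of the IP source guard binding table and port filter (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DYNAMIC = "Dynamic-DHCP-Binding"     # entry types as listed by the manual
STATIC = "Static-DHCP-Binding"


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: Optional[int]             # seconds; None for a static entry
    type: str


class SourceGuard:
    def __init__(self) -> None:
        # keyed by (vlan, mac): the manual treats VLAN ID + MAC as the identity
        self.table: Dict[Tuple[int, str], Binding] = {}
        self.mode: Dict[str, Optional[str]] = {}    # port -> None|"sip"|"sip-mac"
        self.trusted: set = set()                   # ip dhcp snooping trust ports

    def learn_dhcp(self, mac, ip, vlan, port, lease) -> bool:
        """DHCP snooping learns a dynamic entry, but only on untrusted ports."""
        if port in self.trusted:
            return False
        key = (vlan, mac.lower())
        if key in self.table and self.table[key].type == STATIC:
            return False        # assumption: a static binding is not overwritten
        self.table[key] = Binding(mac.lower(), ip, vlan, port, lease, DYNAMIC)
        return True

    def add_static(self, mac, ip, vlan, port) -> Optional[str]:
        """ip source-guard binding: replaces any entry with the same VLAN and MAC;
        a dynamic DHCP snooping entry becomes a static one. Returns the old type."""
        key = (vlan, mac.lower())
        previous = self.table.get(key)
        self.table[key] = Binding(mac.lower(), ip, vlan, port, None, STATIC)
        return previous.type if previous else None

    def permit(self, port, vlan, src_mac, src_ip) -> bool:
        """Decide whether a packet arriving on a port may be forwarded."""
        mode = self.mode.get(port)
        if mode is None:
            return True                 # source guard disabled: no filtering
        if mode == "sip":
            # assumption: any binding on this port/VLAN owning the source IP suffices
            return any(b.port == port and b.vlan == vlan and b.ip == src_ip
                       for b in self.table.values())
        # sip-mac: the binding for this VLAN/MAC must exist on this port with this IP
        b = self.table.get((vlan, src_mac.lower()))
        return b is not None and b.port == port and b.ip == src_ip


def demo() -> dict:
    """Host 11-22-33-44-55-66 (from the binding-table output) on port eth1/5."""
    sg = SourceGuard()
    sg.mode["eth1/5"] = "sip-mac"                    # ip source-guard sip-mac
    sg.learn_dhcp("11-22-33-44-55-66", "192.168.0.99", 1, "eth1/5", 86400)
    out = {}
    out["own_ip"] = sg.permit("eth1/5", 1, "11-22-33-44-55-66", "192.168.0.99")
    out["neighbor_ip"] = sg.permit("eth1/5", 1, "11-22-33-44-55-66", "192.168.0.10")
    out["unknown_mac"] = sg.permit("eth1/5", 1, "aa-bb-cc-dd-ee-ff", "192.168.0.99")
    # the operator pins the host with a static binding: the dynamic entry is replaced
    out["replaced_type"] = sg.add_static("11-22-33-44-55-66", "192.168.0.99", 1, "eth1/5")
    out["type_now"] = sg.table[(1, "11-22-33-44-55-66")].type
    # a later DHCP lease for the same VLAN/MAC no longer changes the entry
    out["dhcp_after_static"] = sg.learn_dhcp("11-22-33-44-55-66", "192.168.0.50",
                                             1, "eth1/5", 600)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```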
Switch Cluster Commands 4 Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster. The management station uses Telnet to communicate directly with the Commander through its IP address, and the Commander manages Member switches using cluster “internal” IP addresses. There can be up to 36 Member switches in one cluster.
4 Command Line Interface Example Console(config)#cluster Console(config)# cluster commander This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander. Syntax [no] cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage • Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network.
Switch Cluster Commands 4 switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36. • Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
Command Mode
Privileged Exec
Command Usage
• This command only operates through a Telnet connection to the Commander switch. Managing cluster Members using the local console CLI on the Commander is not supported.
• There is no need to enter the username and password for access to the Member switch CLI.
Example
Vty-0#rcommand id 1
CLI session with the 24/48 L2/L4 GE Switch is opened.
To end the CLI session, enter [Exit].
UPnP Commands 4 show cluster candidates This command shows the discovered Candidate switches in the network.
4 Command Line Interface Example In the following example, UPnP is enabled on the device. Console(config)#upnp device Console(config)# Related Commands upnp device ttl (4-318) upnp device advertise duration (4-318) upnp device ttl This command sets the time-to-live (TTL) value for sending of UPnP messages from the device. Syntax upnp device ttl {value} • value - The number of router hops a UPnP packet can travel before it is discarded.
UPnP Commands 4 Command Mode Global Configuration Example In the following example, the device advertise duration is set to 200 seconds. Console(config)#upnp device advertise duration 200 Console(config)# Related Commands upnp device ttl (4-318) show upnp This command displays the UPnP management status and time out settings.
Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1X, MAC Authentication, Web Authentication), HTTPS, SSH, Port Security Access Control Lists IP, MAC; 100 rules per system DHCP Client Port Configuration 100BASE-TX: 10/100 Mbps, half/full duplex 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/LH - 1000 Mbps at full duplex (SFP) Flow Control Full Duplex: IEEE 802.
A Software Specifications Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts DHCP Snooping IP Source Guard Switch Clustering Management Features In-Band Management Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 DB-9 console port Soft
Management Information Bases A RADIUS+ (RFC 2618) RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 2571) SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415) SNTP (RFC 2030) SSH (Version 2.
Appendix B: Troubleshooting
Problems Accessing the Management Interface
Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
• Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
B Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Designate the SNMP host that is to receive the error messages. 4. Repeat the sequence of commands or other actions that lead up to the error. 5.
Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.
Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
Glossary Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
Glossary Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN. XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
Index Numerics 802.1Q tunnel 3-155, 4-232 description 3-155 interface configuration 3-160, 4-233–4-234 mode selection 3-160 TPID 4-234 802.
Index E edge port, STA 3-134, 3-136, 4-212 event logging 4-52 F firmware displaying version 3-12, 4-71 upgrading 3-19, 4-73 G GARP VLAN Registration Protocol See GVRP gateway, default 3-15, 4-298 GVRP global setting 3-146, 4-220 interface configuration 3-153, 4-221 H hardware version, displaying 3-12, 4-71 HTTPS 3-65, 4-40 HTTPS, secure server 3-65, 4-40 I IEEE 802.1D 3-125, 4-201 IEEE 802.1s 4-201 IEEE 802.1w 3-125, 4-201 IEEE 802.
Index MSTP 4-201 global settings 4-200 interface settings 4-200 multicast filtering 3-208, 3-221, 3-236, 4-275 multicast groups 3-214, 4-279 displaying 4-279 static 3-214, 4-276, 4-277, 4-279 multicast services configuring 3-215, 3-222, 3-223, 3-225, 4-276, 4-277 displaying 3-214, 4-279 multicast, filtering and throttling 4-285 multicast, static router port 3-213, 4-284 MVR setting interface type 4-293 setting multicast groups 4-292 specifying a VLAN 4-292 using immediate leave 4-293 N network access authe
Index Simple Network Management Protocol See SNMP SNMP 3-35 community string 3-36, 3-41, 3-43, 3-44, 3-46, 4-135 enabling traps 3-37, 4-139 filtering IP addresses 3-96 trap manager 3-37, 4-137 software displaying version 3-12, 4-71 downloading 3-19, 4-73 Spanning Tree Protocol See STA specifications, software A-1 SSH, configuring 3-67, 4-46 STA 3-125, 4-200 edge port 3-134, 3-136, 4-212 global settings, configuring 3-129, 4-201–4-206 global settings, displaying 3-126, 4-216 interface settings 3-132, 4-210–4
Index W Web interface access requirements 3-1 configuration buttons 3-3 home page 3-2 menu list 3-4 panel display 3-3 Index-5