Powered by Accton ES3528M-SFP Management Guide Fast Ethernet Switch www.edge-core.
Management Guide Fast Ethernet Switch Layer 2 Workgroup Switch with 24 100BASE-BX (SFP) Ports, 2 1000BASE-T (RJ-45) and 2 Combination Gigabit (RJ-45/SFP) Ports
ES3528M-SFP E012008-DG-R01 149100035500A
About This Guide
Purpose
This guide gives specific information on how to operate and use the management functions of the switch.
Audience
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
Contents
Chapter 1: Introduction – Key Features; Description of Software Features; System Defaults
Chapter 2: Initial Configuration – Connecting to the Switch (Configuration Options, Required Connections, Remote Connections); Basic Configuration (Console Connection, Setting Passwords, Setting an IP Address, Enabling SNMP Management Access, Configuring Access for SNMP Version 3 Clients, Saving or Restoring Configuration Settings); Managing System Files
Chapter 3: Configuring the Switch – Using the Web Interface; Basic Configuration (system information, IP address, file management, console and Telnet settings, event logging, SMTP alerts, system clock, SNMP, user authentication, SSH server, port security, 802.1X); address tables; Spanning Tree (STA, MSTP); VLANs; QoS, priority and VoIP traffic; multicast filtering (IGMP snooping, filtering and throttling, MVR); IP source guard and DHCP snooping; clustering; UPnP
Chapter 4: Command Line Interface – Using the CLI; command groups (system management, user access, IP filter, SSH, event logging, SMTP alerts, time, flash/file, authentication, RADIUS and TACACS+ clients, AAA, 802.1X, network access, ACLs, SNMP, interfaces, link aggregation, address table, LLDP, UPnP, spanning tree, VLAN, QoS, voice VLAN, multicast filtering, MVR, IP interface, IP source guard, DHCP snooping)
Appendix B: Troubleshooting – Problems Accessing the Management Interface; Using System Logs
Glossary
Index
Chapter 1: Introduction
This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1-1 Key Features (fragment)
Feature – Description
IP Clustering – Supports up to 36 Member switches in a cluster

Description of Software Features
The switch provides a wide range of advanced performance-enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network.

Rate Limiting – This feature controls the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port.

seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs.

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.

System Defaults
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-21). The following table lists some of the basic system defaults.

Table 1-2 System Defaults (Continued)
Function – Parameter – Default
Port Configuration – Admin Status – Enabled
Port Configuration – Auto-negotiation – Enabled
Port Configuration – Flow Control – Disabled
Rate Limiting – Input limits – Disabled
Port Trunking – Static Trunks – None
Port Trunking – LACP (all ports) – Disabled
Broadcast Storm Protection – Status – Enabled (all ports)
Broadcast Storm Protection – Broadcast Limit Rate – 64 kbits per second
Spanning Tree Algorithm – Status – Enabled, RSTP (Defaults: All values based on IEEE 802.
System Log – Status – Enabled
System Log – Messages Logged – Levels 0-6 (all)
System Log – Messages Logged to Flash – Levels 0-3
SMTP Email Alerts – Event Handler – Enabled (but no server defined)
SNTP – Clock Synchronization – Disabled
NTP – Clock Synchronization – Disabled
DHCP Snooping – Status – Disabled
IP Source Guard – Status – Disabled (all ports)
IP Clustering – Status – Enabled
IP Clustering – Commander – Disabled

From a security standpoint, note which of these defaults leave protections off: DHCP Snooping and IP Source Guard are disabled, no SMTP server is defined for alerts, clock synchronization is off (so log timestamps are unreliable until SNTP or NTP is configured), and IP Clustering is enabled whether or not you use it. The default administrator password and the default SNMP community strings are covered in Chapter 2 and should be changed before the switch is connected to a production network.
Chapter 2: Initial Configuration
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
• Configure up to 8 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics

Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program, to the switch.

Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.
Note: This switch supports four concurrent Telnet/SSH sessions.
Setting Passwords
Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place.
Passwords can consist of up to 8 alphanumeric characters and are case sensitive. Because this limit is short, use the full length, avoid dictionary words, and do not rely on the password alone to protect the device: keep the management interface reachable only from trusted stations and prefer SSH over Telnet for remote access.
To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.

5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. Note that SNMP version 1 and 2c send the community string in cleartext in every request, so a changed string protects only against casual access; where management traffic crosses an untrusted network, use SNMP version 3 (next section) instead. To configure a community string, complete the following steps:
1.
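The following script is an added example and is not part of this guide or the switch firmware. It scans a saved configuration for the snmp-server community lines described in Chapter 4 and flags the two defaults named above. The configuration text is constructed, and the argument layout “snmp-server community <string> [ro|rw]” is an assumption based on the command name listed in this guide, not taken from it.

```python
"""Flag SNMP v1/v2c community strings that should not survive initial setup.

Added example, not from the Accton/Edge-core guide. The configuration below is
constructed; the `snmp-server community <string> [ro|rw]` argument layout is an
assumption based on the command name this guide lists.
"""
import re
from dataclasses import dataclass

# Defaults named in the guide: "public" (read-only) and "private" (read-write).
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 8

COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(?:\s+(ro|rw))?\s*$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str
    message: str


def audit_snmp_communities(config_text: str) -> list:
    """Return one Finding per weak community-string line, in file order."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, access = m.group(1), (m.group(2) or "ro")  # assumed: ro when omitted
        is_default = name.lower() in DEFAULT_COMMUNITIES
        if is_default:
            findings.append(Finding(line_no, "high",
                f"default community string '{name}' ({access}) is still configured"))
        elif len(name) < MIN_COMMUNITY_LEN:
            findings.append(Finding(line_no, "medium",
                f"community string '{name}' ({access}) is shorter than "
                f"{MIN_COMMUNITY_LEN} characters"))
        if access == "rw" and not is_default:
            findings.append(Finding(line_no, "medium",
                f"read-write community '{name}' allows MIB changes over SNMP v1/v2c, "
                "which sends the string in cleartext; prefer SNMPv3 for write access"))
    return findings


# Constructed running-config fragment (not output from a real switch).
SAMPLE_CONFIG = """\
hostname R&D 5
snmp-server community public ro
snmp-server community private rw
snmp-server community n3tOps-RO-2008 ro
snmp-server community ops rw
logging host 192.168.1.10
"""

if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

Run it against a configuration saved with copy running-config to a TFTP server; a clean result means only non-default, reasonably long read-only strings remain for version 1/2c clients.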
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
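Why the SNMP engine ID must be known before SNMPv3 users can be created (the Engine ID and Remote Engine ID pages of the web interface) is easiest to see from the key derivation itself. The following is an added example, not code from this guide or from the switch, that implements the RFC 3414 password-to-key and key-localization steps; the password and engine ID used are the RFC’s own test values.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414, section 2.6 / A.2).

Added example, not from the Accton/Edge-core guide. It shows why the engine ID
(local or remote) must be known before SNMPv3 user keys can be derived.
"""
import hashlib

EXPANSION_LEN = 1_048_576  # the password is repeated to fill exactly 1 MiB


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """Step 1: hash the password expanded to 1 MiB (the 'Ku' of RFC 3414)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(EXPANSION_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Step 2: bind Ku to one SNMP engine: Kul = H(Ku || snmpEngineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full derivation for one user on one engine; 'md5' and 'sha1' are the USM choices."""
    return localize_key(password_to_ku(password.encode(), hash_name), engine_id, hash_name)


# RFC 3414 appendix A test vector (password "maplesyrup", engine ID ...0002).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, usm_localized_key("maplesyrup", RFC_ENGINE_ID, algo).hex())
    # The same password localized to a different engine gives an unrelated key.
    other = bytes.fromhex("000000000000000000000003")
    print("other engine", usm_localized_key("maplesyrup", other).hex())
```

The localized key, not the password, is what each side uses for authentication; a user created against the wrong engine ID (for example a remote engine ID that has not been entered yet) derives a key the other end will never accept, which shows up as authentication failures rather than a clear error.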
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are:
• Configuration — This file stores system configuration information and is created when configuration settings are saved.
Chapter 3: Configuring the Switch
Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).
Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”
Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3-1 Configuration Options
Button – Action
Revert – Cancels specified values and restores current values prior to pressing Apply.
Apply – Sets specified values to the system.
Help – Links directly to web help.
Notes: 1.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Main Menu (Continued)
Menu – Description (page)
Remote Engine ID – Sets the SNMP v3 engine ID for a remote device (3-43)
Users – Configures SNMP v3 users on this switch (3-43)
Remote Users – Configures SNMP v3 users from a remote device (3-45)
Groups – Configures SNMP v3 groups (3-46)
Views – Configures SNMP v3 views (3-49)
Security (3-51)
User Accounts – Assigns a new password for the current user (3-51)
Authentication Settings – Configures authentication sequence, RADIUS and TACACS (3-53)
Information – Displays global configuration settings for 802.
Port Neighbors Information – Displays settings and operational state for the remote side (3-124)
Port Broadcast Control – Sets the broadcast storm threshold for each port (3-125)
Trunk Broadcast Control – Sets the broadcast storm threshold for each trunk (3-125)
Mirror Port Configuration – Sets the source and target ports for mirroring (3-127)
Input Port Configuration – Sets the input rate limit for each port (3-128)
Input Trunk Configuration
GVRP Status – Enables GVRP on the switch (3-158)
802.1Q Tunnel Configuration – Enables 802.
Remote Port Information – Displays LLDP information about a remote device connected to a port on this switch (3-187)
Remote Trunk Information – Displays LLDP information about a remote device connected to a trunk on this switch (3-187)
Remote Information Details – Displays detailed LLDP information about a remote device connected to this switch (3-188)
Device Statistics – Displays LLDP statistics for all connected remote devices (3-189)
Static Multicast Router Port Configuration – Assigns ports that are attached to a neighboring multicast router (3-217)
IP Multicast Registration Table – Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID (3-218)
IGMP Member Port Table – Indicates multicast addresses associated with the selected VLAN (3-219)
IGMP Filter Profile Configuration – Configures IGMP Filter Profiles (3-220)
Member Configuration – Adds switch Members to the cluster (3-242)
Member Information – Displays cluster Member switch information (3-243)
Candidate Information – Displays network Candidate switch information (3-243)
UPNP Configuration – Enables UPNP and defines timeout values (3-245)
Basic Configuration
Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for the switch’s network management subsystem.
• Location – Specifies the system location.
• Contact – Administrator responsible for the system.
• System Up Time – Length of time the management agent has been up.
CLI – Specify the hostname, location and contact information (hostname: page 4-27; snmp-server location and snmp-server contact: page 4-152; show system: page 4-81).
Console(config)#hostname R&D 5
Console(config)#snmp-server location WC 9
Console(config)#snmp-server contact Ted
Console(config)#exit
Console#show system
System description : ES3528M-SFP
System OID string : 1.3.6.1.4.1.259.8.1.4
System information
System Up time : 0 days, 0 hours, 14 minutes, and 32.

Web – Click System, Switch Information.
Figure 3-4 Switch Information
CLI – Use the following command to display version information.
Console#show version
Unit 1
 Serial number:
 Hardware version:
 EPLD Version: 4.04
 Number of ports: 28
 Main power status: Up
 Redundant power status: Not present
Agent (master)
 Unit ID: 1
 Loader version: 0.0.0.5
 Boot ROM version: 0.0.0.8
 Operation code version: 0.0.1.
Displaying Bridge Extension Capabilities
The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Field Attributes
• Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
CLI – Enter the following command (show bridge-ext: page 4-239).
Console#show bridge-ext
 Max support VLAN numbers: 256
 Max support VLAN ID: 4092
 Extended multicast filtering services: No
 Static entry individual port: Yes
 VLAN learning: IVL
 Configurable PVID tagging: Yes
 Local VLAN capable: No
 Traffic classes: Enabled
 Global GVRP status: Disabled
 GMRP: Disabled
Console#

Setting the Switch’s IP Address
This section describes how to configure an IP interface for management access over the network.

Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.
Figure 3-6 Manual IP Configuration
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1 255.255.255.
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.

Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.
CLI – Enter the following command to restart DHCP service (ip dhcp restart: page 4-311).
Console#ip dhcp restart
Console#

Enabling Jumbo Frames
You can enable jumbo frames to support data packets up to 9000 bytes in size.
• File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted.
Figure 3-11 Deleting Files
CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. TFTP provides no authentication or integrity protection, so verify the firmware image against the checksum published by the vendor before copying it, and keep the TFTP server on the management network only.
- tftp to file – Copies a file from a TFTP server to the switch.
- tftp to running-config – Copies a file from a TFTP server to the running config.
- tftp to startup-config – Copies a file from a TFTP server to the startup config.
• TFTP Server IP Address – The IP address of a TFTP server.
• File Type – Specify config (configuration) to copy configuration settings.
Note: You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page.
Figure 3-13 Setting the Startup Configuration Settings
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config
TFTP server ip address: 192.168.1.
system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
• Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded. (Range: 0-65535; Default: 0) With the default of 0, exceeding the threshold imposes no delay; set a nonzero value on the virtual terminal lines if password guessing over Telnet or SSH is a concern.
• Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port.

CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.

• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts)
• Password2 – Specifies a password for the line connection.

CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages.
Displaying Log Messages
The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e.

The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 6 to be logged to RAM.
Command Attributes
• System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)
• Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level.

CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Figure 3-18 Remote Logs
CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.
Console(config)#logging host 192.168.1.
• Debugging – Sends a debugging notification. (Level 7)
• Information – Sends informational notifications only. (Level 6)
• Notice – Sends notification of a normal but significant condition, such as a cold start. (Level 5)
• Warning – Sends notification of a warning condition, such as a false or unexpected return value. (Level 4)
• Error – Sends notification that an error condition has occurred, such as invalid input, or a default value being used.
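The flash/RAM/remote routing described in the preceding pages, as an added example in Python (this is not code from the Accton guide or the switch firmware). It models a message of severity N being written to flash when N is at or below the Flash Level, kept in a bounded RAM buffer when N is at or below the RAM Level, and forwarded to every host in the Host IP List when N is at or below the logging trap level. The syslog facility (local7), the hostname and the syslog host address are assumptions for the demo.

```python
"""Added example, not code from the Accton guide: a model of the switch's
event-log routing. Severities follow syslog (0 = emergency ... 7 = debug);
the remote line carries the RFC 3164 PRI field <facility*8 + severity>.
Facility 23 (local7), hostname and host address are assumptions.
"""
from collections import deque

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debugging": 7}


def syslog_pri(facility: int, severity: int) -> int:
    """RFC 3164 priority value sent at the start of a syslog line."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def syslog_line(facility: int, severity: int, hostname: str, text: str) -> str:
    return f"<{syslog_pri(facility, severity)}>{hostname}: {text}"


class EventLog:
    def __init__(self, flash_level=3, ram_level=6, trap_level=6,
                 ram_capacity=2048, facility=23, hostname="Console"):
        self.enabled = True                    # System Log Status
        self.flash_level = flash_level         # guide default: levels 0-3 to flash
        self.ram_level = ram_level             # guide default: levels 0-6 to RAM
        self.trap_level = trap_level           # "logging trap" level for remote hosts
        self.facility = facility
        self.hostname = hostname
        self.flash = []                        # persistent store (unbounded here)
        self.ram = deque(maxlen=ram_capacity)  # oldest entry dropped when full
        self.hosts = []                        # Host IP List
        self.sent = []                         # (host, line) pairs handed to UDP/514

    def add_host(self, ip: str) -> None:
        self.hosts.append(ip)

    def log(self, severity, text: str) -> tuple:
        """Route one event; returns the names of the stores that received it."""
        if isinstance(severity, str):
            severity = SEVERITY[severity]
        if not self.enabled:
            return ()
        dests = []
        if severity <= self.flash_level:
            self.flash.append((severity, text))
            dests.append("flash")
        if severity <= self.ram_level:
            self.ram.append((severity, text))
            dests.append("ram")
        if severity <= self.trap_level and self.hosts:
            line = syslog_line(self.facility, severity, self.hostname, text)
            for host in self.hosts:
                self.sent.append((host, line))
            dests.append("syslog")
        return tuple(dests)


def demo() -> EventLog:
    """Constructed events run through the guide's default thresholds."""
    log = EventLog()
    log.add_host("192.168.1.254")  # assumed syslog server
    for severity, text in [
        ("notice", "Cold start"),
        ("warning", "Unexpected return"),
        ("error", "Invalid input, default used"),
        ("debugging", "SNMP packet dump"),   # level 7: stored nowhere by default
        ("critical", "Flash write failed"),
    ]:
        log.log(severity, text)
    return log
```

With the defaults, a level 7 message is discarded everywhere, and the only record of a level 4-6 event after a reboot is on the remote syslog host, since RAM is cleared; that is the practical reason to configure a remote host rather than rely on the flash log.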
CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information.
Console(config)#logging sendmail host 192.168.1.
Console(config)#logging
Console(config)#logging bill@this-company.com
Console(config)#logging ted@this-company.com
Console(config)#logging
Console#
CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch.
Console#reload
System will be restarted, continue ? y
Note: When restarting the system, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory (see “Saving or Restoring Configuration Settings” on page 3-21 or the copy running-config startup-config command (see “copy” on page 4-84)).
Figure 3-21 SNTP Configuration
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.
• Authenticate Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server. The authentication key must match the key configured on the NTP server.
• Key Number – A number that specifies a key value in the NTP Authentication Key List. Up to 255 keys can be configured in the NTP Authentication Key List. Note that key numbers and values must match on both the server and client.
CLI – This example configures the switch to operate as an NTP client and then displays the current settings.
Console(config)#ntp authentication-key 19 md5 thisiskey19
Console(config)#ntp authentication-key 30 md5 ntpkey30
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.4.22 version 2
Console(config)#ntp server 192.168.5.
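What the key number and MD5 key value above are used for on the wire, as an added example in Python (not code from the Accton guide or the switch). An authenticated NTP packet is the 48-byte header followed by a MAC consisting of the 4-byte key number and MD5(key || header), as in RFC 5905 Appendix A; the server looks the key number up in its own list and recomputes the digest, which is why both the number and the value must match on both sides. The key numbers and values are taken from the CLI example; the transmit timestamp is fixed so the demo is deterministic.

```python
"""Added example, not code from the Accton guide: NTP symmetric-key MD5
authentication as configured by `ntp authentication-key <n> md5 <key>`.
MAC = key number (4 bytes) || MD5(key || 48-byte header) (RFC 5905, App. A).
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
KEYS = {19: b"thisiskey19", 30: b"ntpkey30"}   # from the CLI example above


def ntp_client_header(tx_time: float, version: int = 4) -> bytes:
    """48-byte NTP client (mode 3) header with only the Transmit Timestamp set."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    secs = int(tx_time) + NTP_EPOCH_OFFSET
    frac = int((tx_time - int(tx_time)) * (1 << 32))
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20,
                       0, 0, 0,           # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,  # reference, origin, receive timestamps
                       secs, frac)        # transmit timestamp


def sign(header: bytes, key_id: int, keys: dict = KEYS) -> bytes:
    """Client side: append key number + MD5(key || header)."""
    if len(header) != 48:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict = KEYS) -> tuple:
    """Server side: (ok, reason). Key number and key value must both match."""
    if len(packet) != 48 + 4 + 16:
        return False, "no MAC present"
    header, mac = packet[:48], packet[52:]
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key number {key_id}"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac):
        return False, f"digest mismatch for key number {key_id}"
    return True, f"authenticated with key number {key_id}"


def demo() -> dict:
    header = ntp_client_header(1073401565.25)   # fixed Jan 2004 timestamp
    packet = sign(header, 19)
    return {
        "good": verify(packet),
        "wrong_key_value": verify(packet, {19: b"thisiskey19x"}),
        "wrong_key_number": verify(packet, {30: KEYS[19]}),  # same value, other number
        "tampered_header": verify(bytes([packet[0] ^ 0x08]) + packet[1:]),
    }
```

Note that the MAC covers the whole header, so a modified timestamp or version field is rejected even though the key is right; it does not, however, protect against replay of an old authenticated reply, which is why clients also check the origin timestamp against what they sent.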
Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC using either a predefined or custom definition, and click Apply.
Figure 3-23 Setting the System Clock
CLI – This example shows how to set the time zone for the system clock using one of the predefined time zone configurations.
Simple Network Management Protocol
Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined: SNMPv1, SNMPv2c, and SNMPv3.
• Community String – A community string that acts like a password and permits access to the SNMP protocol. Default strings: “public” (read-only), “private” (read/write). Range: 1-32 characters, case sensitive
• Access Mode
- Read-Only – Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
- Read/Write – Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
• Trap Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (The default is version 1.)
• Trap Security Level – Specifies the security level.
• Enable Authentication Traps – Issues a trap message whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
• Enable Link-up and Link-down Traps – Issues a trap message whenever a port link is established or broken.
Web – Click SNMP, Agent Status.
Figure 3-26 Enabling SNMP Agent Status
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed first before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e.
Web – Click SNMP, SNMPv3, Engine ID.
Figure 3-27 Setting an Engine ID
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
• Model – The user security model; SNMP v1, v2c or v3.
• Level – The security level used for the user:
- noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)
- AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
Command Attributes
• User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
• Engine ID – The engine identifier for the SNMP agent on the remote device where the remote user resides.
Command Attributes
• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
• Model – The user security model; SNMP v1, v2c or v3.
• Level – The security level used for the group:
- noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.
Table 3-5 Supported Notification Messages (Continued)
Object Label | Object ID | Description
linkUp | 1.3.6.1.6.3.1.1.5.4 | A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state). This other state is indicated by the included value of ifOperStatus.
authenticationFailure | 1.3.6.1.6.3.1.1.5.
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Figure 3-31 Configuring SNMPv3 Groups
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree.
• Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
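How the groups, security levels and include/exclude views above combine into an access decision, as an added example in Python (not code from the Accton guide or the switch's agent). A view is a list of subtrees each marked included or excluded; the most specific (longest) matching subtree decides, and an OID under no included subtree is denied, following RFC 3415 (the subtree mask is not modelled). A group then binds a security model and a minimum security level to one read view and one write view. The group, view and OID choices are constructed for illustration.

```python
"""Added example, not code from the Accton guide: SNMPv3 view-based access
control. Longest matching subtree decides; a group's level is the minimum a
request must present. Group and view names are constructed.
"""
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def parse_oid(oid: str) -> tuple:
    return tuple(int(part) for part in oid.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: str      # OID of the branch
    included: bool    # Type: include (True) or exclude (False)


def view_allows(view: list, oid: str) -> bool:
    """Longest matching subtree wins; no matching subtree means no access."""
    target = parse_oid(oid)
    best, best_len = None, -1
    for entry in view:
        prefix = parse_oid(entry.subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best, best_len = entry, len(prefix)
    return best is not None and best.included


@dataclass
class Group:
    name: str
    model: str        # "v1", "v2c" or "v3"
    level: str        # minimum level: noAuthNoPriv, authNoPriv or authPriv
    read_view: list
    write_view: list


def check_access(group: Group, model: str, level: str, oid: str, write: bool) -> tuple:
    """(allowed, reason) for one GET/SET under the group's security settings."""
    if model != group.model:
        return False, f"group {group.name} is bound to {group.model}, request used {model}"
    if LEVELS[level] < LEVELS[group.level]:
        return False, f"group {group.name} requires {group.level}, request was {level}"
    view = group.write_view if write else group.read_view
    if not view_allows(view, oid):
        return False, f"{oid} is outside the {'write' if write else 'read'} view"
    return True, "access granted"


# Constructed group: read everything under internet(1) except the USM user
# table, and write only the system group (sysContact, sysLocation, ...).
OPS_READ = [ViewEntry("1.3.6.1", True), ViewEntry("1.3.6.1.6.3.15", False)]
OPS_WRITE = [ViewEntry("1.3.6.1.2.1.1", True)]
OPS = Group("ops", "v3", "authPriv", OPS_READ, OPS_WRITE)


def demo() -> dict:
    sys_descr = "1.3.6.1.2.1.1.1.0"          # sysDescr.0
    sys_contact = "1.3.6.1.2.1.1.4.0"        # sysContact.0
    if_admin = "1.3.6.1.2.1.2.2.1.7.1"       # ifAdminStatus.1
    usm_user = "1.3.6.1.6.3.15.1.2.2.1.3"    # a usmUserTable column
    return {
        "read sysDescr, authPriv":   check_access(OPS, "v3", "authPriv", sys_descr, write=False),
        "read usmUserTable":         check_access(OPS, "v3", "authPriv", usm_user, write=False),
        "write ifAdminStatus":       check_access(OPS, "v3", "authPriv", if_admin, write=True),
        "write sysContact":          check_access(OPS, "v3", "authPriv", sys_contact, write=True),
        "read sysDescr, authNoPriv": check_access(OPS, "v3", "authNoPriv", sys_descr, write=False),
        "read sysDescr, v2c":        check_access(OPS, "v2c", "noAuthNoPriv", sys_descr, write=False),
    }
```

The exclusion of the USM subtree is the kind of entry worth having in every read view: a group that can walk 1.3.6.1.6.3.15 can enumerate user names, and a write view that reaches it can change them.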
User Authentication
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 3-33 Access Levels
CLI – Assign a user name to access-level 15 (i.e.
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Command Attributes
• Authentication – Select the authentication method, or authentication sequence, required:
- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ server only.
- [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
CLI – Specify all the required parameters to enable logon authentication.
Console(config)#authentication login radius
Console(config)#radius-server auth-port 181
Console(config)#radius-server key green
Console(config)#radius-server retransmit 5
Console(config)#radius-server timeout 10
Console(config)#radius-server 1 host 192.168.1.
Configuring Encryption Keys
The Encryption Key feature provides a central location for the management of all RADIUS and TACACS+ server encryption keys.
Command Attributes
• RADIUS Settings
- Global – Provides globally applicable RADIUS encryption key settings.
- ServerIndex – Specifies one of five RADIUS servers for which an encryption key may be configured.
- Secret Text String – Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
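What the RADIUS shared secret configured above actually protects, as an added example in Python (not code from the Accton guide or the switch). Per RFC 2865 the client hides User-Password by XORing it with chained MD5(secret || Request Authenticator) blocks, and the server proves it holds the same secret by signing its reply with a Response Authenticator computed over the reply and the secret. The secret "green" is the one from the CLI example earlier; the user name, password and the fixed Request Authenticator are constructed (a real client draws 16 random bytes per request).

```python
"""Added example, not code from the Accton guide: RFC 2865 User-Password
hiding and Response Authenticator checking with the RADIUS shared secret.
User, password and Request Authenticator are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each with MD5(secret || previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, request_auth, body, secret) -> bytes:
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body))
                       + request_auth + body + secret).digest()


def access_request(ident, user, password, secret, request_auth) -> bytes:
    body = attr(USER_NAME, user) + attr(USER_PASSWORD,
                                        hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server: unhide the password, check it, sign the reply with its own secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    stored = users.get(attrs.get(USER_NAME, b""))
    presented = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = stored is not None and hmac.compare_digest(presented, stored)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", reply_code, ident, 20)
            + response_authenticator(reply_code, ident, request_auth, b"", secret))


def client_verify(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client: accept only replies signed with the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    secret, users = b"green", {b"admin": b"sw1tch-adm1n"}
    request_auth = bytes(range(16))           # fixed here; os.urandom(16) in practice
    request = access_request(7, b"admin", b"sw1tch-adm1n", secret, request_auth)
    good = server_handle(request, secret, users)
    mismatched = server_handle(request, b"gren", users)   # server holds a different key
    return {
        "accepted": good[0] == ACCESS_ACCEPT and client_verify(good, request_auth, secret),
        "rejected_on_key_mismatch": mismatched[0] == ACCESS_REJECT,
        "mismatched_reply_fails_check": not client_verify(mismatched, request_auth, secret),
    }
```

Because the hiding is MD5 keyed only by this secret and a 16-byte value sent in the clear, anyone who captures the exchange can brute-force a short secret offline and recover the password; that is the practical argument for a long random secret string here and for keeping switch-to-server traffic on a management VLAN.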
AAA Authorization and Accounting
The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows:
• Authentication — Identifies users that request access to the network.
• Authorization — Determines if users can access specific services.
• Accounting — Provides reports, auditing, and billing for services that users have accessed on the network.
Configuring AAA RADIUS Group Settings
The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization.
Command Attributes
• Group Name – Defines a name for the RADIUS server group. (1-255 characters)
• Server Index – Specifies the RADIUS server and sequence to use for the group.
Web – Click Security, AAA, TACACS+ Group Settings. Enter the TACACS+ group name, followed by the number of the server, then click Add.
Figure 3-37 AAA TACACS+ Group Settings
CLI – Specify the group name for a list of TACACS+ servers, and then specify the index number of a TACACS+ server to add it to the group.
Web – Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add.
Figure 3-38 AAA Accounting Settings
CLI – Specify the accounting method required, followed by the chosen parameters.
AAA Accounting Update
This feature sets the interval at which accounting updates are sent to accounting servers.
Command Attributes
• Periodic Update – Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled)
Web – Click Security, AAA, Accounting, Periodic Update. Enter the required update interval and click Apply.
Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply.
Figure 3-40 AAA Accounting 802.1X Port Settings
CLI – Specify the accounting method to apply to the selected interface.
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps-method
Console(config-if)#
AAA Accounting Exec Command Privileges
This feature specifies a method name to apply to commands entered at specific CLI privilege levels.
Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply.
Figure 3-41 AAA Accounting Exec Command Privileges
CLI – Specify the accounting method to use for console and Telnet privilege levels.
AAA Accounting Exec Settings
This feature specifies a method name to apply to console and Telnet connections.
Command Attributes
• Method Name – Specifies a user-defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Figure 3-42 AAA Accounting Exec Settings
CLI – Specify the accounting method to use for Console and Telnet interfaces.
Web – Click Security, AAA, Summary.
Figure 3-43 AAA Accounting Summary
CLI – Use the following command to display the currently applied accounting methods, and registered users.
Console#show accounting statistics
Total entries: 3
Accounting type : dot1x
Username : testpc
Interface : eth 1/1
Time elapsed since connected: 00:24:44
Accounting type : exec
Username : admin
Interface : vty 0
Time elapsed since connected: 00:25:09
Console#
Authorization Settings
AAA authorization is a feature that verifies a user has access to specific services.
Command Attributes
• Method Name – Specifies an authorization method for service requests.
Authorization EXEC Settings
This feature specifies an authorization method name to apply to console and Telnet connections.
Command Attributes
• Method Name – Specifies a user-defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Web – Click Security, AAA, Authorization, Summary.
Figure 3-46 AAA Authorization Summary
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Command Usage
• Both the HTTP and HTTPS services can be enabled independently on the switch. However, you cannot configure both services to use the same TCP port.
• Change HTTPS Port Number – Specifies the TCP port number used for HTTPS connections to the switch’s web interface. (Default: Port 443)
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.
Figure 3-47 HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.
• Source Certificate File Name – Specifies the name of the certificate file as stored on the TFTP server.
• Source Private File Name – Specifies the name of the private key file as stored on the TFTP server.
• Private Password – The password for the private key file.
Web – Click Security, HTTPS Settings. Fill in the TFTP server, certificate and private file name details, then click Copy Certificate.
SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.
Note: You need to install an SSH client on the management station to access the switch for management via the SSH protocol.
Note: The switch supports both SSH Version 1.5 and 2.0 clients. SSH version 1 has known protocol weaknesses, so use version 2.0 clients wherever possible.
Command Usage
The SSH server on this switch supports both password and public key authentication.
4. Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or v2 clients)
a. The client sends its password to the server.
b.
Configuring the SSH Server
The SSH server includes basic settings for authentication.
Field Attributes
• SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled)
• Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
Console(config)#ip ssh server
Console(config)#ip ssh timeout 100
Console(config)#ip ssh authentication-retries 5
Console(config)#ip ssh server-key size 512
Console(config)#end
Console#show ip ssh
SSH Enabled - version 2.
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Figure 3-50 SSH Host-Key Settings
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
Field Attributes
• Public-Key of user – The RSA and DSA public keys for the selected user.
- RSA: The first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 37), and the last string is the encoded modulus.
- DSA: The first field indicates that SSH version 2 was used to create the key.
Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name, and then click Copy Public Key.
CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.254
Choose public key type:
1. RSA
2. DSA
<1-2>: 2
Source file name: admin-ssh2-dsa-pub.key
Username: admin
TFTP Download Success.
Write to FLASH Programming.
Success.
Configuring Port Security
Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) 802.1X to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights.
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
Displaying 802.1X Global Settings
The 802.1X protocol provides client authentication.
Command Attributes
• 802.1X System Authentication Control – The global setting for 802.1X.
Web – Click Security, 802.1X, Information.
Figure 3-53 802.1X Global Information
CLI – This example shows the default global setting for 802.1X.
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name Status
1/1 disabled
1/2 disabled
. . .
802.
Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply.
Figure 3-54 802.1X Global Configuration
CLI – This example enables 802.1X globally for the switch.
Console(config)#dot1x system-auth-control
Console(config)#
Configuring Port Settings for 802.1X
When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e.
• Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
• Tx Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
• Intrusion Action – Sets the port’s response to a failed authentication.
- Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-117.
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-7 802.1X Statistics
Parameter | Description
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff | The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid | The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 3-56 Displaying 802.1X Port Statistics
CLI – This example displays the 802.1X statistics for port 4.
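Steps 1 to 4 of the 802.1X exchange described earlier, as an authenticator-side EAPOL parser that keeps the Table 3-7 counters; this is an added example in Python, not code from the Accton guide or the switch. Frame layouts follow IEEE 802.1X (EtherType 0x888E, PAE group address 01-80-C2-00-00-03) and RFC 3748. The frames fed in are constructed, with a made-up supplicant MAC address and the user name "testpc" taken from the accounting output earlier; the Response/Identity counter is this example's own, not one of the guide's parameters.

```python
"""Added example, not code from the Accton guide: an authenticator's view of
EAPOL-Start, EAP-Response/Identity and EAPOL-Logoff, with the Table 3-7
counters. Sample frames are constructed.
"""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def eapol_frame(src: bytes, ptype: int, body: bytes = b"", version: int = 2,
                length: int = None) -> bytes:
    """Ethernet II frame; `length` may be forced wrong to build an invalid frame."""
    declared = len(body) if length is None else length
    return (PAE_GROUP_ADDR + src
            + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, declared) + body)


def eap_packet(code: int, ident: int, etype: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data


class AuthenticatorPort:
    """What a switch port's authenticator does with each received frame."""

    def __init__(self):
        self.stats = Counter()
        self.expected_id = None   # EAP identifier of the outstanding Request/Identity

    def receive(self, frame: bytes) -> str:
        if len(frame) < 18 or frame[12:14] != struct.pack("!H", ETHERTYPE_EAPOL):
            return "ignored: not EAPOL"
        version, ptype, length = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + length]      # length field, not frame size: frames are padded
        if len(body) != length:
            self.stats["Rx EAPOL Invalid"] += 1
            return "dropped: body shorter than declared length"
        if ptype == EAPOL_START:                                   # step 1
            self.stats["Rx EAPOL Start"] += 1
            self.expected_id = (self.expected_id or 0) + 1
            return f"tx EAP-Request/Identity id={self.expected_id}"  # step 2
        if ptype == EAPOL_LOGOFF:
            self.stats["Rx EAPOL Logoff"] += 1
            self.expected_id = None
            return "port set to unauthorized"
        if ptype == EAPOL_EAP_PACKET:
            return self._eap(body)
        self.stats["Rx EAPOL Invalid"] += 1
        return f"dropped: unknown EAPOL type {ptype}"

    def _eap(self, body: bytes) -> str:
        if len(body) < 5:
            self.stats["Rx EAPOL Invalid"] += 1
            return "dropped: truncated EAP header"
        code, ident, length, etype = struct.unpack("!BBHB", body[:5])
        if code != EAP_RESPONSE or ident != self.expected_id:
            return f"ignored: EAP code {code} id {ident} is not the outstanding request"
        if etype == EAP_TYPE_IDENTITY:                             # step 3
            self.stats["Rx EAP Response/Identity"] += 1
            identity = body[5:length].decode("utf-8", errors="replace")
            return f"forward identity {identity!r} to RADIUS"       # step 4
        return f"forward EAP response type {etype} to RADIUS"


def demo() -> tuple:
    """Constructed supplicant traffic: start, identity, a bad frame, logoff."""
    port = AuthenticatorPort()
    supplicant = bytes.fromhex("0011223344aa")   # made-up client MAC
    frames = [
        eapol_frame(supplicant, EAPOL_START),
        eapol_frame(supplicant, EAPOL_EAP_PACKET,
                    eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"testpc")),
        eapol_frame(supplicant, EAPOL_EAP_PACKET, b"\x02\x01", length=40),  # lies about length
        eapol_frame(supplicant, EAPOL_LOGOFF),
    ]
    actions = [port.receive(f) for f in frames]
    return actions, dict(port.stats)
```

A rising Rx EAPOL Invalid count on a port that otherwise authenticates normally is worth a look: either a supplicant with a broken stack or something probing the authenticator with malformed frames.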
Notes:
1. MAC authentication, web authentication, 802.1X, and port security cannot be configured together on the same port. Only one security mechanism can be applied.
2. RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See “Configuring Local/Remote Logon Authentication” on page 3-53)
3. Web authentication cannot be configured on trunk ports.
CLI – This example globally enables the system authentication control, configures the session timeout, quiet period and login attempts, and displays the configured global parameters.
CLI – This example enables web authentication for ethernet port 1/5 and displays a summary of web authentication parameters.
Web – Click Security, Web Authentication, Port Information.
Figure 3-59 Web Authentication Port Information
CLI – This example displays web authentication parameters for port 1/5.
CLI – This example forces the re-authentication of all hosts connected to port 1/5.
Console#web-auth re-authenticate interface ethernet 1/5
Failed to reauth .
Console#
Network Access – MAC Address Authentication
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
Configuring the MAC Authentication Reauthentication Time
MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch.
Command Attributes
• Authenticated Age – The secure MAC address table aging time. This parameter setting is the same as the switch MAC address table aging time and is only configurable from the Address Table, Aging Time web page (see page 3-136).
• Maximum MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port. The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failed. (Default: 2048; Range: 1 to 2048)
• Guest VLAN – Specifies the VLAN to be assigned to the port when MAC Authentication or 802.1X Authentication fails.
CLI – This example configures MAC authentication for port 1.
Web – Click Security, Network Access, Port Link Detection Configuration. Modify the Status, Condition and Action. Click Apply.
Figure 3-63 Network Access Port Link Detection Configuration
CLI – This example configures Port Link Detection to send an SNMP trap for all link events on port 1.
• Attribute – Indicates a static or dynamic address.
• Remove – Click the Remove button to remove selected MAC addresses from the secure MAC address table.
Web – Click Security, Network Access, MAC Address Information. Restrict the displayed addresses by port, MAC Address, or attribute, then select the method of sorting the displayed addresses. Click Query.
• Status – Indicates whether MAC Authentication is enabled or disabled for the port. See “Configuring MAC Authentication for Ports” on page 3-94. The following parameters are unavailable for modification if MAC Authentication is not enabled for the port.
• Max MAC Count – The maximum allowed number of MAC-authenticated MAC addresses on the port. (Default: 1024; Range: 1-1024)
• Intrusion Action – The switch can respond in two ways to an intrusion.
Configuring Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule.
Figure 3-66 Selecting ACL Type
CLI – This example creates a standard IP ACL named david.
Console(config)#access-list ip standard david
Console(config-std-acl)#
Configuring a Standard IP ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Address Type – Specifies the source IP address.
Figure 3-67 Configuring Standard IP ACLs
CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
Console(config-std-acl)#
Configuring an Extended IP ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
• Control Code Bit Mask – Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
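First-match evaluation of the standard IP, extended IP and MAC ACL types described above, as an added example in Python (not code from the Accton guide or the switch's forwarding logic). IP rules take a subnet-style mask as in the page's own `permit 168.92.16.0 255.255.240.0`, a TCP rule adds a control code and bitmask over the six flag bits, and MAC rules take a hexadecimal bitmask. The standard ACL "david" is the one from the CLI example; the extended and MAC rule sets and all packets are constructed. The page does not state what happens to a packet that matches no rule, so that is a parameter here (default deny) rather than a claim about the switch.

```python
"""Added example, not code from the Accton guide: ordered first-match ACL
evaluation with subnet masks, TCP control code/bitmask and MAC bitmasks.
No-match behaviour is an assumption exposed as the `default` parameter.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32   # flag bits of the control code


def ip_in(addr: str, rule_addr: Optional[str], mask: str) -> bool:
    """None means 'any'; a host rule is a /32 mask."""
    if rule_addr is None:
        return True
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, mask))
    return a & m == r & m


def mac_in(addr: str, rule_addr: Optional[str], mask: str) -> bool:
    """Accepts 11-22-33-44-55-66 or 11:22:33:44:55:66; mask is hex per the page."""
    if rule_addr is None:
        return True
    to_int = lambda s: int(s.replace("-", "").replace(":", ""), 16)
    return to_int(addr) & to_int(mask) == to_int(rule_addr) & to_int(mask)


def code_in(flags: int, code: Optional[int], mask: int) -> bool:
    """Bitmask 1 = this flag must equal the code's bit, 0 = ignore it."""
    return code is None or flags & mask == code & mask


@dataclass
class Packet:
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    proto: int = 0                  # 6 = TCP
    dst_port: int = 0
    tcp_flags: int = 0
    src_mac: str = "00-00-00-00-00-00"
    dst_mac: str = "00-00-00-00-00-00"


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: Optional[str] = None
    src_mask: str = "255.255.255.255"
    dst: Optional[str] = None
    dst_mask: str = "255.255.255.255"
    proto: Optional[int] = None
    dst_port: Optional[int] = None
    control_code: Optional[int] = None
    control_mask: int = 0
    src_mac: Optional[str] = None
    src_mac_mask: str = "ff-ff-ff-ff-ff-ff"
    dst_mac: Optional[str] = None
    dst_mac_mask: str = "ff-ff-ff-ff-ff-ff"

    def matches(self, p: Packet) -> bool:
        return (ip_in(p.src_ip, self.src, self.src_mask)
                and ip_in(p.dst_ip, self.dst, self.dst_mask)
                and (self.proto is None or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and code_in(p.tcp_flags, self.control_code, self.control_mask)
                and mac_in(p.src_mac, self.src_mac, self.src_mac_mask)
                and mac_in(p.dst_mac, self.dst_mac, self.dst_mac_mask))


def evaluate(acl: list, packet: Packet, default: str = "deny") -> str:
    """Rules are tested in order; the first match decides (the page's semantics)."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action
    return default   # assumption: what the switch does with an unmatched packet


# The standard IP ACL "david" from the CLI example, plus an explicit final deny.
DAVID = [Rule("permit", src="10.1.1.21"),
         Rule("permit", src="168.92.16.0", src_mask="255.255.240.0"),
         Rule("deny")]

# Constructed extended ACL: drop new Telnet connections (SYN set, ACK clear,
# i.e. code 2 with bitmask 18) unless they come from 10.1.0.0/16.
TELNET_GUARD = [Rule("permit", src="10.1.0.0", src_mask="255.255.0.0"),
                Rule("deny", proto=6, dst_port=23, control_code=SYN, control_mask=SYN | ACK),
                Rule("permit")]

# Constructed MAC ACL: only one vendor OUI may send; the bitmask covers the OUI bytes.
OUI_ONLY = [Rule("permit", src_mac="00-12-34-00-00-00", src_mac_mask="ff-ff-ff-00-00-00"),
            Rule("deny")]
```

The ordering matters as much as the rules: putting the `permit` for 10.1.0.0/16 after the Telnet `deny` in TELNET_GUARD would block the management subnet too, since the first match wins.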
Command Attributes
• Port – Fixed port or SFP module. (Range: 1-28)
• IP – Specifies the IP ACL to bind to a port.
• MAC – Specifies the MAC ACL to bind to a port.
• IN – ACL for ingress packets.
Web – Click Security, ACL, Port Binding. Click Edit to open the configuration page for the ACL type. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply.
an entry to a filter list, access to that interface is restricted to the specified addresses.
• If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
• IP addresses can be configured for SNMP, web and Telnet access respectively.
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list.
Figure 3-71 Creating an IP Filter List
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.
Port Configuration
Displaying Connection Status
You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Field Attributes (Web)
• Name – Interface label.
• Type – Indicates the port type. (100BASE-FX, 1000BASE-T, or SFP)
• Admin Status – Shows if the interface is enabled or disabled.
• Oper Status – Indicates if the link is Up or Down.
Field Attributes (CLI)
Basic Information:
• Port type – Indicates the port type. (100BASE-FX, 1000BASE-T, or SFP)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-16.)
Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.e., up or down).
• Speed-duplex – Shows the current speed and duplex mode.
CLI – This example shows the connection status for Port 5.
(Default: Autonegotiation enabled; Advertised capabilities for 100BASE-FX – 100full; 1000BASE-T – 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/LH – 1000full)
• Media Type – Media type used for the combo ports. (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto)
• Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Creating Trunk Groups” on page 3-114.
Notes: 1.
Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to eight trunks at a time. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
Statically Configuring a Trunk
Command Usage
• When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Command Attributes
• Member List (Current) – Shows configured trunks (Port).
• New – Includes entry fields for creating new trunks.
  - Port – Port identifier. (Range: 1-28)

Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp
Console(config-if)#exit
. . .
  - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
• Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default: 1)
• Port Priority – If a link goes down, LACP port priority is used to select a backup link.
CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
. . .
Table 3-8 LACP Port Counters (Continued)
Field – Description
Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
Marker Illegal Pkts – Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the local side of a link aggregation.

Table 3-9 LACP Internal Configuration Information
Field – Description
Oper Key – Current operational value of the key for the aggregation port.
Admin Key – Current administrative value of the key for the aggregation port.
LACPDUs Interval – Number of seconds before invalidating received LACPDU information.
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.

Figure 3-78 LACP - Port Internal Information

CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side of a link aggregation.

Table 3-10 LACP Neighbor Configuration Information
Field – Description
Partner Admin System ID – LAG partner’s system ID assigned by the user.
Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply.

Figure 3-80 Port Broadcast Control

CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.

(Figure: source port(s) mirrored to a single target port)

Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
Table 3-11 Port Statistics (Continued)
Parameter – Description
Transmit Discarded Packets – The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Transmit Errors – The number of outbound packets that could not be transmitted because of errors.
Table 3-11 Port Statistics (Continued)
Parameter – Description
Received Frames – The total number of frames (bad, broadcast and multicast) received.
Broadcast Frames – The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.
Multicast Frames – The total number of good frames received that were directed to this multicast address.
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
CLI – This example shows statistics for port 13.

Address Table Settings
Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.

Figure 3-84 Configuring a Static Address Table

CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.

Figure 3-85 Configuring a Dynamic Address Table

CLI – This example also displays the address table entries for port 1.
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.

Command Attributes
• Aging Status – Enables/disables the function.
• Aging Time – The time after which a learned entry is discarded. (Range: 10-630 seconds; Default: 300 seconds)

Web – Click Address Table, Address Aging. Specify the new aging time, then click Apply.

Figure 3-86 Setting the Address Aging Time

CLI – This example sets the aging time to 300 seconds.
Spanning Tree Algorithm Configuration

ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

(Figure: Designated Root, Designated Bridge, Designated Port, Root Port)

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
MSTP then builds an Internal Spanning Tree (IST) for the Region containing all commonly configured MSTP bridges. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 3-149). An MST Region may contain multiple MSTP Instances.
• Bridge ID – A unique identifier for this bridge, consisting of the bridge priority and MAC address (where the address is taken from the switch system).
• Max Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals.
configuration message), a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
• Root Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Note: The current root port and current root cost display as zero when this device is not connected to the network.

Configuring Global Settings
Global settings apply to the entire switch.

Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network.
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.
• Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3)

Configuration Settings for MSTP
• Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned.
• Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
• Region Name – The name for this MSTI.
CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.
by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-147.
• Oper Edge Port – This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 3-147 (i.e., true or false), but will be set to false if a BPDU is received, indicating that another bridge is attached to this port.
Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
• Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
• Fast forwarding – This field provides the same information as Admin Edge port, and is only included for backward compatibility with earlier products.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
-------------------------------------------------------------
Admin status: enabled
Role: disable
State: discarding
Path cost: 10000
Priority: 128
Designated cost: 0
Designated port : 128.5
Designated root: 32768.0012CF0B0D00
Designated bridge: 32768.
Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
  - Default: 128
  - Range: 0-240, in steps of 16
• Path Cost – This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply.

Figure 3-90 Configuring Spanning Tree per Port

CLI – This example sets STA attributes for port 7.
Command Attributes
• MST Instance – Instance identifier of this spanning tree. (Default: 0)
• Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440; Default: 32768)
• VLANs in MST Instance – VLANs assigned to this instance.
• MST ID – Instance identifier to configure.
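Added example (not from the ES3528M guide): Python code showing how a bridge identifier in the form the switch prints (e.g. 32768.0012CF0B0D00, priority followed by MAC) decomposes, why the MST instance priority above steps by 4096 (IEEE 802.1t packs a 12-bit system ID extension below the 4-bit settable priority), and how the root is elected as described under Priority in the global settings: highest priority (lowest number) wins, ties going to the lowest MAC address. The sample bridge IDs are constructed.

```python
# Added example: bridge ID parsing, MST priority validation and STA root election.
# The "priority.MAC" text form follows the show spanning-tree output in this guide;
# the sample bridge IDs below are constructed for illustration.

from dataclasses import dataclass

PRIORITY_STEP = 4096   # settable bridge priorities are multiples of 4096
PRIORITY_MAX = 61440


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge identifier (priority, MAC). Field order gives the STA comparison order:
    a numerically lower priority value wins, then a lower MAC address breaks ties."""
    priority: int
    mac: int          # 48-bit MAC address as an integer

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        """Parse 'priority.MAC', e.g. '32768.0012CF0B0D00'."""
        prio_text, mac_text = text.split(".", 1)
        mac_text = mac_text.replace("-", "").replace(":", "")
        if len(mac_text) != 12:
            raise ValueError(f"bad MAC in bridge id {text!r}")
        priority = int(prio_text)
        if not 0 <= priority <= 65535:
            raise ValueError(f"priority out of range in {text!r}")
        return cls(priority, int(mac_text, 16))

    def __str__(self) -> str:
        return f"{self.priority}.{self.mac:012X}"


def valid_mst_priority(priority: int) -> bool:
    """An MST instance priority must be 0, 4096, 8192, ... 61440 (steps of 4096)."""
    return 0 <= priority <= PRIORITY_MAX and priority % PRIORITY_STEP == 0


def priority_field(priority: int, system_id_ext: int) -> int:
    """IEEE 802.1t layout of the 16-bit priority field: the settable priority occupies
    the top 4 bits and the low 12 bits carry the system ID extension (the MST instance
    ID for MSTP). This is why the settable values are multiples of 4096."""
    if not valid_mst_priority(priority) or not 0 <= system_id_ext < PRIORITY_STEP:
        raise ValueError("priority must be a multiple of 4096 and ext below 4096")
    return priority | system_id_ext


def elect_root(bridges) -> BridgeId:
    """Root bridge = numerically lowest bridge ID (lowest priority value, then lowest MAC)."""
    if not bridges:
        raise ValueError("no bridges")
    return min(bridges)


if __name__ == "__main__":
    # Constructed candidates: the bridge with priority 4096 and the lowest MAC wins,
    # even though another bridge shares its priority and a third has a lower MAC.
    candidates = [BridgeId.parse("32768.000000000001"),
                  BridgeId.parse("4096.00AABBCCDDEE"),
                  BridgeId.parse("4096.0012CF0B0D00")]
    print("root:", elect_root(candidates))
    print("priority field for MST instance 2 at priority 32768:", priority_field(32768, 2))
```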
CLI – This example sets STA attributes for port 1, followed by settings for each port.
Console#show spanning-tree mst 2
Spanning-tree information
--------------------------------------------------------------
Spanning tree mode :MSTP
Spanning tree enable/disable :enable
Instance :2
Vlans configuration :2
Priority :4096
Bridge Hello Time (sec.) :2
Bridge Max Age (sec.) :20
Bridge Forward Delay (sec.) :15
Root Hello Time (sec.) :2
Root Max Age (sec.
Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values.
CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree.
  - Discarding – Port receives STA configuration messages, but does not forward packets.
  - Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
  - Forwarding – Port forwards packets, and continues learning addresses.
• Trunk – Indicates if a port is a member of a trunk.
Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply.

Figure 3-93 Displaying MSTP Interface Settings

CLI – This example sets the MSTP attributes for port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#spanning-tree mst port-priority 0
Console(config-if)#spanning-tree mst cost 50
Console(config-if)

VLAN Configuration
IEEE 802.
This switch supports the following VLAN features:
• Up to 255 VLANs based on the IEEE 802.1Q standard
• Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol
• Port overlapping, allowing a port to participate in multiple VLANs
• End stations can belong to multiple VLANs
• Passing traffic between VLAN-aware and VLAN-unaware devices
• Priority tagging

Note: The switch allows 255 user-manageable VLANs.
Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets. However, you should use IEEE 802.
Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports. Ports can be assigned to multiple tagged VLANs, but are only allowed one untagged VLAN. Each port on the switch is capable of passing tagged or untagged frames.
Displaying Basic VLAN Information
The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.

Field Attributes
• VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
• Maximum VLAN ID – Maximum VLAN ID recognized by this switch.
• Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch.

Web – Click VLAN, 802.1Q VLAN, Basic Information.
• Status – Shows how this VLAN was added to the switch.
  - Dynamic GVRP: Automatically learned via GVRP.
  - Permanent: Added as a static entry.
• Egress Ports – Shows all the VLAN port members.
• Untagged Ports – Shows the untagged VLAN port members.

Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list.

Figure 3-96 Displaying Current VLANs

Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4092, no leading zeroes).
CLI – Current VLAN information can be displayed with the following command.
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.

Figure 3-97 Configuring a VLAN Static List

CLI – This example creates a new VLAN.
Command Attributes
• VLAN – ID of configured VLAN (1-4093).
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
  - Enable: VLAN is operational.
  - Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
• Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
  - Tagged: Interface is a member of the VLAN.
Figure 3-98 Configuring a VLAN Static Table

CLI – The following example adds tagged and untagged ports to VLAN 2.
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.

Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing. However, the SPVLAN tag is not added when it is sent out the tunnel access port on the edge switch into the customer’s network. The packet is sent as a normal IEEE 802.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.

Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
• Untagged
• One tag (CVLAN or SPVLAN)
• Double tag (CVLAN + SPVLAN)
The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
Configuration Limitations for QinQ
• The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port’s native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN.
Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.

Command Usage
• Use the TPID field to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames. For example, if 0x1234 is set as the custom 802.
CLI – This example sets the switch to operate in QinQ mode.
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#exit
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
. . .
Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply.

Figure 3-102 Tunnel Port Configuration

CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode.
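Added example, not from the guide or the switch firmware: a Python model of the tag handling this QinQ section describes, building a customer frame on CVLAN 100, pushing an SPVLAN outer tag with the nonstandard TPID 0x9100 from the CLI example above, and classifying frames as untagged, single- or double-tagged the way a tunnel uplink port does. The frame bytes, VLAN IDs and MAC addresses are constructed; parsing the double-tagged frame on a port left at the standard 0x8100 TPID shows the interoperability problem the TPID setting addresses.

```python
# Added example: 802.1Q / QinQ tag push, pop and classification with a custom TPID.
# All frames, addresses and VLAN IDs below are constructed for illustration.

import struct

STD_TPID = 0x8100    # standard IEEE 802.1Q tag protocol identifier
MAX_TAGS = 2         # QinQ: at most an outer SPVLAN tag plus an inner CVLAN tag


def vlan_tag(tpid: int, pcp: int, vid: int) -> bytes:
    """Encode a 4-byte VLAN tag: 16-bit TPID, then PCP (3 bits), DEI (0), VID (12 bits)."""
    if not 0 <= pcp <= 7 or not 0 <= vid <= 4095:
        raise ValueError("pcp must be 0-7 and vid 0-4095")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame; tags is a list of (tpid, pcp, vid) tuples, outermost first."""
    return (dst + src + b"".join(vlan_tag(*t) for t in tags)
            + struct.pack("!H", ethertype) + payload)


def add_outer_tag(frame: bytes, tpid: int, pcp: int, vid: int) -> bytes:
    """Tunnel access port ingress: push an SPVLAN tag ahead of whatever the customer sent."""
    return frame[:12] + vlan_tag(tpid, pcp, vid) + frame[12:]


def strip_outer_tag(frame: bytes) -> bytes:
    """Egress on an untagged SPVLAN member (e.g. the tunnel access port): pop the outer tag."""
    return frame[:12] + frame[16:]


def parse_tags(frame: bytes, custom_tpid: int = STD_TPID) -> dict:
    """Classify a frame as untagged / single / double tagged.

    The outer tag is recognised when its TPID is the standard 0x8100 or the port's
    configured custom TPID; an inner tag must carry the standard value. A frame whose
    outer TPID is not recognised is treated as untagged with that TPID as its ethertype,
    which is exactly what happens when two switches disagree on the TPID."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, off = [], 12
    while len(tags) < MAX_TAGS and off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        accepted = {STD_TPID, custom_tpid} if not tags else {STD_TPID}
        if tpid not in accepted:
            break
        tags.append({"tpid": tpid, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
    if off + 2 > len(frame):
        raise ValueError("frame truncated after VLAN tags")
    (ethertype,) = struct.unpack_from("!H", frame, off)
    return {"kind": ("untagged", "single", "double")[len(tags)],
            "tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}


# Constructed sample: a customer frame on CVLAN 100 carrying IPv4 (ethertype 0x0800).
CUSTOMER_FRAME = build_frame(b"\xff" * 6, b"\x00\x12\xcf\x0b\x0d\x00",
                             [(STD_TPID, 0, 100)], 0x0800, b"\x45" + b"\x00" * 19)
# The provider's tunnel access port pushes SPVLAN 2000 using TPID 0x9100.
PROVIDER_FRAME = add_outer_tag(CUSTOMER_FRAME, 0x9100, 5, 2000)

if __name__ == "__main__":
    print("uplink port with TPID 0x9100:", parse_tags(PROVIDER_FRAME, custom_tpid=0x9100)["kind"])
    print("uplink port left at 0x8100:  ", parse_tags(PROVIDER_FRAME)["kind"],
          hex(parse_tags(PROVIDER_FRAME)["ethertype"]))
    print("after popping the outer tag: ", parse_tags(strip_outer_tag(PROVIDER_FRAME))["kind"])
```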
contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN. Isolated VLANs, on the other hand, consist of a single stand-alone VLAN that contains one promiscuous port and one or more isolated (or host) ports.
Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu.

Figure 3-103 Private VLAN Information

CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.
Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.

Figure 3-104 Private VLAN Configuration

CLI – This example configures VLAN 5 as a primary VLAN, and VLAN 6 as a community VLAN.
CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.
Console(config)#vlan database
Console(config-vlan)#private-vlan 5 association 6
Console(config-vlan)#private-vlan 5 association 7
Console(config)#

Displaying Private VLAN Interface Information
Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.

Command Attributes
• Port/Trunk – The switch interface.
CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.
Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.

Figure 3-107 Private VLAN Port Configuration

CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6.
• Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
• Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, and RARP. If LLC Other is chosen for the Frame Type, the only available Protocol Type is IPX Raw.

Note: Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN (VLAN 1) that has been configured with the switch’s administrative IP.
Web – Click VLAN, Protocol VLAN, System Configuration.

Figure 3-109 Protocol VLAN System Configuration

CLI – This example shows the switch configured with Protocol Group 2 mapped to VLAN 2.
Console(config)#protocol-vlan protocol-group 2 vlan 2
Console(config)#

Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.
Command Attributes
• LLDP – Enables LLDP globally on the switch. (Default: Enabled)
• Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds) This attribute must comply with the following rule: (transmission-interval * holdtime-multiplier) ≤ 65536
• Hold Time Multiplier – Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below.
critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service.

Web – Click LLDP, Configuration. Enable LLDP, modify any of the timing parameters as required, and click Apply.

Figure 3-110 LLDP Configuration

CLI – This example sets several attributes which control basic LLDP message timing.
Command Attributes
• Admin Status – Enables LLDP message transmit and receive modes for LLDP Protocol Data Units. (Options: Tx only, Rx only, TxRx, Disabled; Default: TxRx)
• SNMP Notification – Enables the transmission of SNMP trap notifications about LLDP and LLDP-MED changes. (Default: Enabled) This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section.
configure the system name, see “Displaying System Information” on page 3-12.
  - System Capabilities – The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
• MED TLV Type – Configures the information included in the MED TLV field of advertised messages.
CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise.
CLI – This example displays LLDP information for the local switch.
Console#show lldp info local-device
LLDP Local System Information
Chassis Type : MAC Address
Chassis ID : 00-01-02-03-04-05
System Name :
System Description : Model ABC123
System Capabilities Support : Bridge
System Capabilities Enable : Bridge
Management Address : 192.168.0.
CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP.
CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.
switch#show lldp info statistics
LLDP Device Statistics
Neighbor Entries List Last Updated
New Neighbor Entries Count
Neighbor Entries Deleted Count
Neighbor Entries Dropped Count
Neighbor Entries Ageout Count
Interface
---------
Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
. . .
CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.

Class of Service Configuration
Command Attributes
• Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)
• Number of Egress Traffic Classes – The number of queue buffers provided for each port.

Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.

Figure 3-117 Port Priority Configuration

CLI – This example assigns a default priority of 5 to port 3.
Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.

Table 3-12 Mapping CoS Values to Egress Queues
Queue – Priority
0 – 1,2
1 – 0,3
2 – 4,5
3 – 6,7

The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table.
Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply.

Figure 3-118 Traffic Classes

CLI – The following example shows how to change the CoS assignments.
Web – Click Priority, Traffic Classes Status.

Figure 3-119 Enable Traffic Classes

Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
3 Configuring the Switch Values to Egress Queues” on page 3-192, the traffic classes are mapped to one of the eight egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue will be polled for service, and subsequently affects the response time for software applications assigned a specific priority value. Note: This switch does not allow the queue service weights to be set.
3 Class of Service Configuration a Class of Service value by the switch, and the traffic then sent to the corresponding output queue. Because different priority information may be contained in the traffic, this switch maps priority values to the output queues in the following manner: • The precedence for priority mapping is IP DSCP Priority, and then Default Port Priority. Enabling IP DSCP Priority The switch allows you to enable or disable the IP DSCP priority.
3 Configuring the Switch Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table.
3 Quality of Service CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp Console(config)#interface ethernet 1/1 Console(config-if)#map ip dscp 1 cos 0 Console(config-if)#end Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled 4-269 4-166 4-270 4-271 Port DSCP COS --------- ---- --Eth 1/ 1 0 0 Eth 1/ 1 1 0 Eth 1/ 1 2 0 Eth 1/ 1 3 0 . . .
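The classification and queue-servicing rules described above, as an added Python model that is not part of the original guide: a frame gets a CoS value (IP DSCP Priority first, then the frame's own 802.1p tag, then the port's Default Priority for untagged frames), Table 3-12 maps the CoS value to an egress queue, and the queues are served in strict-priority order. The class and function names, the default DSCP-to-CoS table, the assumption that a tagged frame keeps its tag priority, and the sample frames are all constructed here.

```python
# Added example, not from the ES3528M-SFP guide: model of the CoS pipeline
# (DSCP/tag/port-priority classification, Table 3-12 queue mapping, strict
# priority service).  Names, the default DSCP table and frames are assumptions.
from collections import deque

# Table 3-12 from the guide: egress queue for each CoS (802.1p priority) value.
COS_TO_QUEUE = {1: 0, 2: 0, 0: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}
NUM_QUEUES = 4

# Assumed default DSCP-to-CoS table: the three high bits of the DSCP (the IP
# precedence bits the guide says DSCP stays compatible with) become the CoS.
DEFAULT_DSCP_TO_COS = {dscp: dscp >> 3 for dscp in range(64)}


class PortCos:
    """Per-port CoS state: Default Priority, DSCP priority switch, DSCP map, queues."""

    def __init__(self, default_priority=0, dscp_priority=False):
        if not 0 <= default_priority <= 7:
            raise ValueError("Default Priority range is 0-7")
        self.default_priority = default_priority
        self.dscp_priority = dscp_priority             # 'map ip dscp' enabled?
        self.dscp_to_cos = dict(DEFAULT_DSCP_TO_COS)
        self.queues = [deque() for _ in range(NUM_QUEUES)]

    def map_dscp(self, dscp, cos):
        """Model of 'map ip dscp <dscp> cos <cos>' on this interface."""
        if not (0 <= dscp <= 63 and 0 <= cos <= 7):
            raise ValueError("DSCP range is 0-63, CoS range is 0-7")
        self.dscp_to_cos[dscp] = cos

    def classify(self, frame):
        """CoS value for a frame: DSCP map, then 802.1p tag, then Default Priority."""
        if self.dscp_priority and frame.get("dscp") is not None:
            return self.dscp_to_cos[frame["dscp"]]
        if frame.get("pcp") is not None:               # tagged frame: assumed to keep its tag
            return frame["pcp"]
        return self.default_priority                   # untagged frame

    def enqueue(self, frame):
        """Classify the frame, place it in its egress queue and return the queue number."""
        queue = COS_TO_QUEUE[self.classify(frame)]
        self.queues[queue].append(frame["id"])
        return queue

    def drain_strict(self):
        """Strict-priority service: a queue is served only when every higher queue is empty."""
        order = []
        while any(self.queues):
            for q in range(NUM_QUEUES - 1, -1, -1):
                if self.queues[q]:
                    order.append(self.queues[q].popleft())
                    break
        return order


def demo():
    """Constructed traffic on a port with Default Priority 5 and DSCP priority enabled."""
    port = PortCos(default_priority=5, dscp_priority=True)
    port.map_dscp(46, 7)                               # constructed: DSCP 46 (EF) to CoS 7
    frames = [
        {"id": "untagged-data"},                       # Default Priority 5 -> queue 2
        {"id": "tagged-bulk", "pcp": 1},               # tag priority 1 -> queue 0
        {"id": "ip-besteffort", "dscp": 0},            # DSCP 0 -> CoS 0 -> queue 1
        {"id": "ip-voice", "dscp": 46},                # DSCP 46 -> CoS 7 -> queue 3
    ]
    queues = [port.enqueue(f) for f in frames]
    return queues, port.drain_strict()
```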
Quality of Service

2. You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 3-205).

Configuring Quality of Service Parameters
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the “Class Map” to designate a class name for a specific category of traffic.
2.

• Add Class – Opens the “Class Configuration” page. Enter a class name and description on this page, and click Add to open the “Match Class Settings” page. Enter the criteria used to classify ingress traffic on this page.
• Remove Class – Removes the selected class.

Class Configuration
• Class Name – Name of the class map.

Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.

Figure 3-124 Configuring Class Maps

CLI – This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.

Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.

Command Usage
• To configure a Policy Map, follow these steps:
  - Create a Class Map as described on page 3-200.
  - Open the Policy Map page, and click Add Policy.
  - When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add.
  - When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).

Policy Rule Settings - Class Settings
• Class Name – Name of class map.
• Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-200).
• Meter – The maximum throughput and burst rate.
  - Rate (kbps) – Rate in kilobits per second.
  - Burst (byte) – Burst in bytes.

Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.

CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
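The class map, policy map and meter chain described above, as an added Python model that is not part of the original guide: a class map matches packets by DSCP (as “rd_class” does for DSCP 3), a policy rule meters the class with a token bucket sized by Rate (kbps) and Burst (bytes), and packets that exceed the meter have their DSCP rewritten to 0, the “rd-policy” violate action. The class names, the packet format and the timestamps are constructed.

```python
# Added example, not from the ES3528M-SFP guide: class map + policy map with
# a token-bucket meter and a "remark DSCP to 0" violate action.
# Names, packet format and timings are constructed.


class ClassMap:
    """Classifies a packet by its DSCP value (the rd_class match on DSCP 3)."""

    def __init__(self, name, dscp):
        if not 0 <= dscp <= 63:
            raise ValueError("DSCP range is 0-63")
        self.name = name
        self.dscp = dscp

    def matches(self, packet):
        return packet.get("dscp") == self.dscp


class TokenBucketMeter:
    """Single-rate meter: tokens are bytes, refilled at Rate and capped at Burst."""

    def __init__(self, rate_kbps, burst_bytes):
        if rate_kbps <= 0 or burst_bytes <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate_bytes_per_s = rate_kbps * 1000 / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)      # bucket starts full
        self.last_time = 0.0

    def conforms(self, size, now):
        """True if a packet of 'size' bytes arriving at time 'now' is within the rate."""
        if now < self.last_time:
            raise ValueError("timestamps must not go backwards")
        refill = (now - self.last_time) * self.rate_bytes_per_s
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_time = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class PolicyMap:
    """Ordered list of (class map, meter, violate action) rules."""

    def __init__(self, name):
        self.name = name
        self.rules = []

    def add_rule(self, class_map, meter, violate_dscp):
        if not 0 <= violate_dscp <= 63:
            raise ValueError("DSCP range is 0-63")
        self.rules.append((class_map, meter, violate_dscp))

    def apply(self, packet, now):
        """Returns 'conform', 'violate' (packet DSCP rewritten in place) or 'unmatched'."""
        for class_map, meter, violate_dscp in self.rules:
            if not class_map.matches(packet):
                continue
            if meter.conforms(packet["size"], now):
                return "conform"
            packet["dscp"] = violate_dscp       # the rd-policy violate action
            return "violate"
        return "unmatched"


def demo():
    """Constructed traffic: 1 Mbps rate, 1522-byte burst on DSCP 3, violators remarked to DSCP 0."""
    rd_class = ClassMap("rd_class", dscp=3)
    policy = PolicyMap("rd-policy")
    policy.add_rule(rd_class, TokenBucketMeter(rate_kbps=1000, burst_bytes=1522), violate_dscp=0)
    packets = [
        {"id": 1, "dscp": 3, "size": 1000, "t": 0.000},   # fits the full bucket
        {"id": 2, "dscp": 3, "size": 1000, "t": 0.000},   # only 522 bytes left: violate
        {"id": 3, "dscp": 10, "size": 1000, "t": 0.000},  # not in rd_class: untouched
        {"id": 4, "dscp": 3, "size": 1000, "t": 0.010},   # 10 ms refills 1250 bytes: conform
    ]
    results = [policy.apply(p, p["t"]) for p in packets]
    return results, [p["dscp"] for p in packets]
```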
VoIP Traffic Configuration
When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality. This is best achieved by assigning all VoIP traffic to a single Voice VLAN. The use of a Voice VLAN has several advantages.

Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply.

Figure 3-127 Configuring VoIP Traffic

CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.

address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
• 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “Link Layer Discovery Protocol” on page 3-181 for more information on LLDP.
• Priority – Defines a CoS priority for the port traffic on the Voice VLAN.

CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status.

Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.

these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources. IGMPv3 hosts may also request that service be forwarded from all sources except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources.

Notes: 1.

the multicast filtering table is already full, the switch will continue flooding the traffic into the VLAN.
• IGMP Querier – A router, or multicast-enabled switch, can periodically ask its hosts if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier” and assumes the role of querying the LAN for group members.

Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.)

Figure 3-130 IGMP Configuration

CLI – This example modifies the settings for multicast filtering, and then displays the current status.

is determined by the IGMP Query Report Delay (see “Configuring IGMP Snooping and Query Parameters” on page 3-213).
• If immediate leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.

support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch. You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router/switch for each VLAN ID.

Command Attributes
• VLAN ID – ID of configured VLAN (1-4093).
• Port or Trunk – Specifies the interface attached to a multicast router.

Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.

Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.

Figure 3-134 IP Multicast Registration Table

CLI – This example displays all the known multicast services supported on VLAN 1, along with the ports propagating the corresponding services.

• Multicast IP – The IP address for a specific multicast service.
• Port or Trunk – Specifies the interface attached to a multicast router/switch.

Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.

IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.

CLI – This example enables IGMP filtering and creates a profile number. It then displays the current status and the existing profile numbers.

Console(config)#ip igmp filter
Console(config)#ip igmp profile 19
Console(config)#end
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 25
Console#

Configuring IGMP Filter Profiles
When you have created an IGMP profile number, you can then configure the multicast groups to filter and set the access mode.

Web – Click IGMP Snooping, IGMP Filter Profile Configuration. Select the profile number you want to configure; then click Query to display the current settings. Specify the access mode for the profile and then add multicast groups to the profile list. Click Apply.

Figure 3-137 IGMP Profile Configuration

CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join.

• An IGMP profile or throttling setting can also be applied to a trunk interface. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
• IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace”.

CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed.
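The filter-profile and throttling behaviour described above, as an added Python model that is not part of the original guide: profile 19 in permit mode with one range of groups, a per-port maximum, and the deny and replace actions when that maximum is reached. The class names, the group range 234.5.6.0 to 234.5.6.255 and the seeded random choice used for replace are constructed.

```python
# Added example, not from the ES3528M-SFP guide: IGMP filter profile and
# throttling model.  Class names, the group range and the seeded random
# choice used for the replace action are constructed.
import ipaddress
import random


class IgmpProfile:
    """An IGMP filter profile: an access mode plus a list of group ranges."""

    def __init__(self, number, access_mode):
        if access_mode not in ("permit", "deny"):
            raise ValueError("access mode is 'permit' or 'deny'")
        self.number = number
        self.access_mode = access_mode
        self.ranges = []                      # list of (first, last) IPv4Address pairs

    def add_range(self, first, last):
        """Add a range of multicast groups to the profile."""
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if not (lo.is_multicast and hi.is_multicast and lo <= hi):
            raise ValueError("range must be ascending multicast addresses")
        self.ranges.append((lo, hi))

    def allows(self, group):
        """permit: only listed groups may be joined; deny: listed groups are blocked."""
        addr = ipaddress.IPv4Address(group)
        listed = any(lo <= addr <= hi for lo, hi in self.ranges)
        return listed if self.access_mode == "permit" else not listed


class IgmpPort:
    """Per-port filter profile and throttling state."""

    def __init__(self, name, profile=None, max_groups=None, action="deny", rng=None):
        if action not in ("deny", "replace"):
            raise ValueError("throttling action is 'deny' or 'replace'")
        self.name = name
        self.profile = profile
        self.max_groups = max_groups          # None: no throttling
        self.action = action
        self.rng = rng or random.Random()
        self.groups = set()

    def join(self, group):
        """Process an IGMP join report; returns what the switch did with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                 # blocked by the profile
        if group in self.groups:
            return "joined"                   # already a member
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "denied"               # join report dropped
            victim = self.rng.choice(sorted(self.groups))
            self.groups.remove(victim)        # replace a random existing group
            self.groups.add(group)
            return "replaced " + victim
        self.groups.add(group)
        return "joined"

    def leave(self, group):
        self.groups.discard(group)


def demo(action):
    """Constructed joins on a port using profile 19 with a maximum of 2 groups."""
    profile = IgmpProfile(19, "permit")
    profile.add_range("234.5.6.0", "234.5.6.255")
    port = IgmpPort("Eth 1/1", profile, max_groups=2, action=action, rng=random.Random(7))
    results = [port.join(g) for g in ("234.5.6.1", "225.0.0.1", "234.5.6.2", "234.5.6.3")]
    return results, sorted(port.groups)
```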
Multicast VLAN Registration

[Figure: MVR topology showing a Multicast Router, Satellite Services and a Multicast Server feeding the Source Port of a Layer 2 Switch, with the Service Network on the Receiver Ports serving Set-top Boxes, TVs and a PC]

General Configuration Guidelines for MVR
1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings” on page 3-226).
2.

• MVR Running Status – Indicates whether or not all necessary conditions in the MVR environment are satisfied.
• MVR VLAN – Identifier of the VLAN that serves as the channel for streaming multicast services using MVR. (Range: 1-4093; Default: 1)
• MVR Group IP – IP address for an MVR multicast group. The IP address range of 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.

• MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
• Immediate Leave – Shows if immediate leave is enabled or disabled.
• Trunk Member – Shows if port is a trunk member.

Web – Click MVR, Port or Trunk Information.

Web – Click MVR, Group IP Information.

Figure 3-141 MVR Group IP Information

CLI – This example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN.

Console#show mvr
MVR Group IP
----------------
225.0.0.1
225.0.0.2
225.0.0.3
225.0.0.4
225.0.0.5
225.0.0.6
225.0.0.7
225.0.0.8
225.0.0.9
225.0.0.

• Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.

CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
CLI – This example statically assigns a multicast group to a receiver port.

Console(config)#interface ethernet 1/2
Console(config-if)#mvr group 228.1.23.1
Console(config-if)#

DHCP Snooping
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.

If the DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.

Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.

Web – Click DHCP Snooping, VLAN Configuration.

Figure 3-145 DHCP Snooping VLAN Configuration

CLI – This example first enables DHCP Snooping for VLAN 1.

Console(config)#ip dhcp snooping vlan 1
Console(config)#

DHCP Snooping Information Option Configuration
DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.

Web – Click DHCP Snooping, Information Option Configuration.

Figure 3-146 DHCP Snooping Information Option Configuration

CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace.

Console(config)#ip dhcp snooping information option
Console(config)#ip dhcp snooping information policy replace
Console(config)#

DHCP Snooping Port Configuration
Configures switch ports as trusted or untrusted.

CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.

Console(config)#interface ethernet 1/5
Console(config-if)#ip dhcp snooping trust
Console(config-if)#

DHCP Snooping Binding Information
Displays the DHCP snooping binding information.

Command Attributes
• No. – Entry number for DHCP snooping binding information.
• Unit – Stack unit.
• Port – Port number.

IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-232). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.

CLI – This example shows how to enable IP source guard on port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#end
Console#show ip source-guard
Interface  Filter-type
---------  -----------
Eth 1/1    DISABLED
Eth 1/2    DISABLED
Eth 1/3    DISABLED
Eth 1/4    DISABLED
Eth 1/5    SIP
Eth 1/6    DISABLED
. .

Static IP Source Guard Binding Configuration
Adds a static address to the source-guard binding table.

Web – Click IP Source Guard, Static Configuration.

Figure 3-150 Static IP Source Guard Binding Configuration

CLI – This example shows how to configure a static source-guard binding on port 5.

Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5
Console(config)#

Dynamic IP Source Guard Binding Information
Displays the source-guard binding table for a selected interface.

Web – Click IP Source Guard, Dynamic Information.

Figure 3-151 Dynamic IP Source Guard Binding Information

CLI – This example shows how to configure a static source-guard binding on port 5.

Console#show ip source-guard binding
MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
11-22-33-44-55-66  192.168.0.
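The DHCP snooping binding table and the IP Source Guard “sip” filter built on it, covering both the DHCP Snooping and the IP Source Guard sections above, as an added Python model that is not part of the original guide: server replies are accepted only on trusted ports, an ACK relayed through a trusted port creates a dynamic binding for the client, static bindings mirror the “ip source-guard binding” command, and a port with source guard enabled drops IP packets whose source address has no binding on that port and VLAN. Port names, addresses and the DHCP messages are constructed, and the way the model learns the client's port from its DISCOVER/REQUEST is a modelling assumption.

```python
# Added example, not from the ES3528M-SFP guide: DHCP snooping binding table
# plus the IP Source Guard "sip" filter built on it.  Port names, addresses
# and the DHCP messages are constructed; learning the client's port from its
# DISCOVER/REQUEST is a modelling assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int          # seconds; 0 for static entries
    kind: str           # "dynamic" or "static"


SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self):
        self.enabled = False
        self.vlans = set()        # VLANs with 'ip dhcp snooping vlan <id>'
        self.trusted = set()      # ports with 'ip dhcp snooping trust'
        self.bindings = {}        # (mac, vlan) -> Binding
        self.pending = {}         # (mac, vlan) -> client port awaiting an ACK

    def disable(self):
        """Globally disabling snooping removes all dynamic bindings, keeps static ones."""
        self.enabled = False
        self.bindings = {k: b for k, b in self.bindings.items() if b.kind == "static"}

    def add_static(self, mac, vlan, ip, interface):
        """Model of 'ip source-guard binding <mac> vlan <id> <ip> interface <port>'."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, interface, 0, "static")

    def process(self, msg, vlan, port):
        """msg: dict with 'op' (DISCOVER/REQUEST/OFFER/ACK/NAK/RELEASE), 'mac' and,
        for server replies, 'ip' and 'lease'.  Returns 'forward' or 'drop'."""
        if not self.enabled or vlan not in self.vlans:
            return "forward"
        key = (msg["mac"], vlan)
        if msg["op"] in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop"                  # server reply on an untrusted port: rogue
            if msg["op"] == "ACK" and key in self.pending:
                client_port = self.pending.pop(key)
                self.bindings[key] = Binding(msg["mac"], msg["ip"], vlan,
                                             client_port, msg["lease"], "dynamic")
            return "forward"
        if msg["op"] in ("DISCOVER", "REQUEST") and port not in self.trusted:
            self.pending[key] = port           # remember which port the client is on
        elif msg["op"] == "RELEASE":
            self.bindings.pop(key, None)
        return "forward"


class IpSourceGuard:
    def __init__(self, snooping):
        self.snooping = snooping
        self.filter_type = {}     # port -> "SIP", as shown by 'show ip source-guard'

    def enable_sip(self, port):
        """Model of 'ip source-guard sip' in interface configuration mode."""
        self.filter_type[port] = "SIP"

    def check(self, port, vlan, src_ip):
        """'permit' or 'drop' for an IP packet with source src_ip received on port."""
        if self.filter_type.get(port) != "SIP":
            return "permit"
        for b in self.snooping.bindings.values():
            if b.interface == port and b.vlan == vlan and b.ip == src_ip:
                return "permit"
        return "drop"              # source address not bound to this port/VLAN


def demo():
    """Constructed scenario: a rogue OFFER on an access port, a lease learned via the
    trusted uplink, and a neighbour trying to use that leased address."""
    snoop = DhcpSnooping()
    snoop.enabled = True
    snoop.vlans.add(1)
    snoop.trusted.add("Eth 1/1")                           # uplink to the real DHCP server
    snoop.add_static("11-22-33-44-55-66", 1, "192.168.0.99", "Eth 1/5")
    ipsg = IpSourceGuard(snoop)
    for p in ("Eth 1/5", "Eth 1/6", "Eth 1/7"):
        ipsg.enable_sip(p)
    client = "00-11-22-33-44-55"
    r = {}
    r["rogue_offer"] = snoop.process({"op": "OFFER", "mac": client, "ip": "10.0.0.9", "lease": 60}, 1, "Eth 1/7")
    r["request"] = snoop.process({"op": "REQUEST", "mac": client}, 1, "Eth 1/6")
    r["ack"] = snoop.process({"op": "ACK", "mac": client, "ip": "192.168.0.50", "lease": 3600}, 1, "Eth 1/1")
    r["bindings"] = len(snoop.bindings)
    r["client_ok"] = ipsg.check("Eth 1/6", 1, "192.168.0.50")
    r["spoof_from_1/7"] = ipsg.check("Eth 1/7", 1, "192.168.0.50")
    r["static_ok"] = ipsg.check("Eth 1/5", 1, "192.168.0.99")
    snoop.disable()
    r["after_disable"] = len(snoop.bindings)
    return r
```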
IP Clustering

switches only become cluster Members when manually selected by the administrator through the management station. After the Commander and Members have been configured, any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu. From the Commander CLI prompt, use the “rcommand” command (see page 4-327) to connect to the Member switch.

Web – Click Cluster, Configuration.

Figure 3-153 Cluster Configuration

CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool.

Console(config)#cluster
Console(config)#cluster commander
Console(config)#cluster ip-pool 10.2.3.4
Console(config)#

Cluster Member Configuration
Adds Candidate switches to the cluster as Members.

CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID.

Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#

Cluster Member Information
Displays current cluster Member switch information.

Command Attributes
• Member ID – The ID number of the Member switch. (Range: 1-36)
• Role – Indicates the current status of the switch in the cluster.

Web – Click Cluster, Candidate Information.

Figure 3-156 Cluster Candidate Information

CLI – This example shows information about cluster Candidate switches.

UPnP
Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards. The first step in UPnP networking is discovery. When a device is added to the network, the UPnP discovery protocol allows that device to broadcast its services to control points on the network.

CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration.
Chapter 4: Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).

Using the Command Line Interface

Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.

Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask 255.255.255.0, consists of a network portion (10.1.

Entering Commands
This section describes how to enter CLI commands.

Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.

display a list of valid keywords for a specific command.

The command “show interfaces ?” will display the following information:

Console#show interfaces ?
  counters    Interface counters information
  status      Interface status information
  switchport  Interface switchport information
Console#show interfaces

Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.

current mode. The command classes and associated modes are displayed in the following table:

Table 4-1 Command Modes
Class          Mode
Exec           Normal
               Privileged
Configuration  Global*
               Access Control List
               Class Map
               Interface
               Line
               Multiple Spanning Tree
               Policy Map
               Server Group
               VLAN Database

* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.

Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.

For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode.

Console(config)#interface ethernet 1/5
. . .

Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.

Command Groups
The system commands can be broken down into the functional groups shown below.

Table 4-4 Command Groups (Continued)
Command Group  Description               Page
IP Cluster     Configures IP clustering  4-324
UPnP           Configures UPnP settings  4-324

The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
LC (Line Configuration)
SG (Server Group)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configur
Line Commands

line
This command identifies a specific line for configuration, and to process subsequent line configuration commands.

Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
There is no default line.

Command Mode
Global Configuration

Command Usage
Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users.

- login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
- login local selects authentication via the user name and password specified by the username command (i.e., default setting). When using this method, the management interface starts in Normal Exec (NE) or Privileged Exec (PE) mode, depending on the user’s privilege level (0 or 15 respectively).

during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.

Example
Console(config-line)#password 0 secret
Console(config-line)#

Related Commands
login (4-12)
password-thresh (4-15)

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default.

Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout)

Default Setting
CLI: No timeout
Telnet: 10 minutes

Command Mode
Line Configuration

Command Usage
• If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
• This command applies to both the local console and Telnet connections.
• The timeout for Telnet cannot be disabled.

Command Usage
• When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
• This command applies to both the local console and Telnet connections.

Syntax
databits {7 | 8}
no databits
• 7 - Seven data bits per character.
• 8 - Eight data bits per character.

Default Setting
8 data bits per character

Command Mode
Line Configuration

Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.

Example
To specify no parity, enter this command:
Console(config-line)#parity none
Console(config-line)#

speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.

Syntax
speed bps
no speed
bps - Baud rate in bits per second.

Example
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#

disconnect
This command terminates an SSH, Telnet, or console connection.

Syntax
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4)

Command Mode
Privileged Exec

Command Usage
Specifying session identifier “0” will disconnect the console connection.

Example
To show all lines, enter this command:
Console#show line
Console configuration:
  Password threshold: 3 times
  Interactive timeout: Disabled
  Login timeout: Disabled
  Silent time: Disabled
  Baudrate: 9600
  Databits: 8
  Parity: none
  Stopbits: 1
VTY configuration:
  Password threshold: 3 times
  Interactive timeout: 600 sec
  Login timeout: 300 sec
console#

General Commands

Table 4-6 General Commands
Command  Function                   Mode  Page
enable   Activates privileged mode  NE    4-20
disable  Ret
The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode.

Default Setting
Level 15

Command Mode
Normal Exec

Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-38.)
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.

configure
This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration. See “Understanding Command Modes” on page 4-5.

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).

Console#!2
Console#config
Console(config)#

reload
This command restarts the system.

Default Setting
None

Command Mode
Privileged Exec

Example
This example shows how to cancel a configured delayed reset of the switch:
Console#reload cancel
Console#

show reload
This command displays the remaining time until a pending delayed reset will take place.

exit
This command returns to the previous configuration mode or exits the configuration program.

Default Setting
None

Command Mode
Any

Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit

Press ENTER to start session

User Access Verification

Username:

quit
This command exits the configuration program.
System Management Commands
These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.

Command Mode
Global Configuration

Example
Console(config)#prompt RD2
RD2(config)#

hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

Syntax
hostname name
no hostname
name - The name of this host.

Table 4-9 Banner Commands
Command                              Function                                                                   Mode  Page
banner configure equipment-location  Configures the Equipment Location information that is displayed by banner  GC    4-32
banner configure ip-lan              Configures the IP and LAN information that is displayed by banner          GC    4-32
banner configure lp-number           Configures the LP Number information that is displayed by banner           GC    4-33
banner configure manager-info        Configures the Manager contact information that is displayed by ban        GC

Example
Console(config)#banner configure
Company: Edgecore
Responsible department: R&D Dept
Name and telephone to Contact the management people
Manager1 name: Sr. Network Admin
phone number: 123-555-1212
Manager2 name: Jr. Network Admin
phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St.

Command Usage
The user-entered data cannot contain spaces. The banner configure company command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.

Syntax
banner configure department dept-name
no banner configure department
dept-name - The name of the department. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
The user-entered data cannot contain spaces. The banner configure department command interprets spaces as data input boundaries.

Command Usage
The user-entered data cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.

ip-mask - The IP address and subnet mask of the device. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
The user-entered data cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.

Example
Console(config)#banner configure ip-lan 192.168.

banner configure manager-info
This command allows the administrator to configure the manager contact information displayed in the banner. Use the no form to remove the manager contact information from the banner display.

Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
System Management Commands 4 no banner configure mux muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage The user-entered data cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
4 Command Line Interface Example Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmwareupgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected Console(config)# show banner This command displays all banner information.
4 System Management Commands User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-11), user authentication via a remote authentication server (page 4-90), and host access authentication for specific ports (page 4-111).
4 Command Line Interface Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example This example shows how to set the access level and password for a user.
4 System Management Commands Related Commands enable (4-20) authentication enable (4-92)

IP Filter Commands

Table 4-12 IP Filter Commands
Command          Function                                                          Mode  Page
management       Configures IP addresses that are allowed management access        GC    4-39
show management  Displays the switch to be monitored or configured from a browser  PE    4-40

management This command specifies the client IP addresses that are allowed management access to the switch through various protocols.
4 Command Line Interface • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols.
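The range semantics above (a single address, a start/end pair, and deletion by start address alone) are easy to get wrong when reviewing a device configuration, so here is an added example, not code from the guide or from Edgecore, that replays `management all-client` lines and checks whether a given client address would be admitted. The sample configuration is constructed; the assumption that an empty filter list admits every client is mine, as is the `audit` helper.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample configuration (not taken from a real device); it uses the
# 'management all-client' form shown in the guide, with one range later deleted
# by its start address alone.
SAMPLE_CONFIG = """
management all-client 192.168.1.19
management all-client 192.168.1.25 192.168.1.30
management all-client 10.0.0.1 10.0.0.200
no management all-client 10.0.0.1
"""

AddrRange = Tuple[int, int]  # (start, end) as integer IPv4 addresses, inclusive


def parse_management(config: str) -> List[AddrRange]:
    """Replay the 'management all-client' lines in order and return the resulting list.

    A single address becomes a one-host range. A 'no' form removes the range whose
    start address matches; the end address, if present, is ignored, since the guide
    allows deletion by start address alone.
    """
    ranges: List[AddrRange] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        negate = tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if len(tokens) < 3 or tokens[:2] != ["management", "all-client"]:
            continue  # other protocol keywords are outside this example's scope
        start = int(ipaddress.IPv4Address(tokens[2]))
        end = int(ipaddress.IPv4Address(tokens[3])) if len(tokens) > 3 else start
        if end < start:
            raise ValueError(f"end address precedes start address: {raw.strip()}")
        if negate:
            ranges = [r for r in ranges if r[0] != start]
        else:
            ranges.append((start, end))
    return ranges


def is_allowed(ranges: List[AddrRange], client_ip: str) -> bool:
    """True if client_ip falls inside any configured range.

    Assumption: with no ranges configured the switch applies no filter, so every
    client is allowed; once any range exists, everything outside it is rejected.
    """
    if not ranges:
        return True
    addr = int(ipaddress.IPv4Address(client_ip))
    return any(lo <= addr <= hi for lo, hi in ranges)


def audit(config: str, expected_admin_hosts: List[str]) -> List[str]:
    """Defender's check (hypothetical helper): warn when no filter exists at all, and
    report the administrative hosts that the configured filter would lock out."""
    ranges = parse_management(config)
    findings = []
    if not ranges:
        findings.append("no management filter configured: all clients may attempt access")
    for host in expected_admin_hosts:
        if not is_allowed(ranges, host):
            findings.append(f"{host} would be refused management access")
    return findings
```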
System Management Commands 4 Web Server Commands

Table 4-13 Web Server Commands
Command                Function                                                        Mode  Page
ip http port           Specifies the port to be used by the web browser interface      GC    4-41
ip http server         Allows the switch to be monitored or configured from a browser  GC    4-41
ip http secure-server  Enables HTTPS for encrypted communications                      GC    4-42
ip http secure-port    Specifies the UDP port number for HTTPS                         GC    4-43

ip http port This command specifies the TCP port number used by the web browse
4 Command Line Interface Example Console(config)#ip http server Console(config)# Related Commands ip http port (4-41) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
4 System Management Commands Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-43) copy tftp https-certificate (4-84) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number – The UDP port used for HTTPS.
4 Command Line Interface Telnet Server Commands

Table 4-15 Telnet Server Commands
Command           Function                                                     Mode  Page
ip telnet port    Specifies the port to be used by the Telnet interface        GC    4-41
ip telnet server  Allows the switch to be monitored or configured from Telnet  GC    4-41

ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
System Management Commands 4 Related Commands ip telnet port (4-44) Secure Shell Commands The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
4 Command Line Interface The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-91.
4 System Management Commands corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process:
a. The client sends its public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
4 Command Line Interface ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
System Management Commands 4 Example Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands show ip ssh (4-51) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size – The size of server key.
4 Command Line Interface Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. • rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs. Command Mode Privileged Exec Command Usage • This command stores the host key pair in memory (i.e., RAM).
System Management Commands 4 Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command.
4 Command Line Interface Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State 0 2.
System Management Commands 4 show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
4 Command Line Interface Event Logging Commands

Table 4-18 Event Logging Commands
Command           Function                                                                 Mode  Page
logging on        Controls logging of error messages                                       GC    4-54
logging history   Limits syslog messages saved to switch memory based on severity          GC    4-55
logging host      Adds a syslog server host IP address that will receive logging messages  GC    4-56
logging facility  Sets the facility type for remote logging of syslog messages             GC    4-56
logging trap      Limits syslog messages saved to a remote server
4 System Management Commands logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). • level - One of the levels listed below.
4 Command Line Interface logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode Global Configuration Command Usage • By using this command more than once you can build up a list of host IP addresses. • The maximum number of host IP addresses allowed is five.
4 System Management Commands logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging. Syntax logging trap [level] no logging trap level - One of the level arguments listed below. Messages sent include the selected level up through level 0. (Refer to the table on page 4-55.
4 Command Line Interface Related Commands show logging (4-58) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} • flash - Displays settings for storing event messages in flash memory (i.e., permanent memory). • ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
4 System Management Commands The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.
4 Command Line Interface Example The following example shows sample messages stored in RAM. Console#show log ram [5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and [4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and [3] 00:00:54 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and [2] 00:00:50 2001-01-01 "STA topology change notification.
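The "selected level up through level 0" rule for logging trap and logging history, applied to entries in the show log ram layout above, as an added example that is not part of the guide. The sample log lines are constructed (only the STA message text comes from the guide), the severity names are the standard syslog ones and are assumed to match the table on page 4-55, and the route helper is a model of the thresholds rather than the switch's own code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Standard syslog severities, numbered 0 (most severe) to 7; assumed to match the
# level table on page 4-55, which this excerpt does not reproduce.
SEVERITY_NAME = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                 4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample in the 'show log ram' layout; apart from the STA line, the
# message texts are made up for the example.
SAMPLE_SHOW_LOG = """
[5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1
[4] 00:01:00 2001-01-01 "Unit 1, Port 3 link-down notification." level: 4, module: 5, function: 1
[3] 00:00:54 2001-01-01 "Main power supply failure." level: 2, module: 5, function: 1
[2] 00:00:50 2001-01-01 "Debug trace from SNMP agent." level: 7, module: 7, function: 2
"""

LOG_LINE = re.compile(
    r'^\[(?P<index>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<message>[^"]*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+)')


@dataclass
class LogEntry:
    index: int
    timestamp: str
    message: str
    level: int
    module: int
    function: int

    @property
    def severity(self) -> str:
        return SEVERITY_NAME.get(self.level, f"level-{self.level}")


def parse_show_log(text: str) -> List[LogEntry]:
    """Parse 'show log ram' output into structured entries; non-matching lines are skipped."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # blank line or continuation text
        entries.append(LogEntry(int(m["index"]), f'{m["date"]} {m["time"]}', m["message"],
                                int(m["level"]), int(m["module"]), int(m["function"])))
    return entries


def accepted(entry: LogEntry, configured_level: int) -> bool:
    """A threshold of N admits levels N down through 0 (the guide's 'up through level 0')."""
    return entry.level <= configured_level


def route(entries: List[LogEntry], history_level: int, trap_level: int,
          trap_enabled: bool = True) -> Dict[str, List[int]]:
    """Model of where each entry lands: switch RAM ('logging history ram level') and the
    remote syslog server ('logging trap level'); returns entry indexes per destination.
    Note that a strict trap level silently drops informational events from the remote
    record, which matters when the switch's RAM log is lost on power reset."""
    ram = [e.index for e in entries if accepted(e, history_level)]
    remote = [e.index for e in entries if trap_enabled and accepted(e, trap_level)]
    return {"ram": ram, "remote": remote}
```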
4 System Management Commands Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
4 Command Line Interface logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax [no] logging sendmail source-email email-address email-address - The source email address used in alert messages.
System Management Commands 4 logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------1. 192.
4 Command Line Interface Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
System Management Commands 4 Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001). • This command enables client time requests to time servers specified via the sntp servers command. It issues time synchronization requests based on the interval set via the sntp poll command. Example Console(config)#sntp server 10.1.
4 Command Line Interface Example Console(config)#sntp server 10.1.0.19 Related Commands sntp client (4-64) sntp poll (4-66) show sntp (4-66) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests.
System Management Commands 4 Example Console#show sntp Current time: Dec 23 05:13:28 2002 Poll interval: 16 Current mode: unicast SNTP status : Enabled SNTP server 137.92.140.80 0.0.0.0 0.0.0.0 Current server: 137.92.140.80 Console# ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command. Use the no form to disable NTP client requests.
4 Command Line Interface ntp server This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list. Syntax ntp server ip-address [version number] [key key-number] no ntp server [ip-address] • ip-address - IP address of an NTP time server. • number - The NTP version number supported by the server.
4 System Management Commands ntp poll This command sets the interval between sending time requests when the switch is set to NTP client mode. Use the no form to restore to the default. Syntax ntp poll seconds no ntp poll seconds - Interval between time requests.
4 Command Line Interface Example Console(config)#ntp authenticate Console(config)# Related Commands ntp authentication-key (4-70) ntp authentication-key This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list. Syntax ntp authentication-key number md5 key no ntp authentication-key [number] • number - The NTP authentication key ID number.
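What the md5 key configured with ntp authentication-key actually protects is the authenticator appended to each NTP packet; the following added example (not the switch's code) builds an NTPv3 client request carrying that authenticator and verifies incoming packets against the configured key numbers, so that a reply with a missing, unknown or mismatched digest is rejected. The configuration lines are constructed in the guide's syntax; the assumptions are that key strings are ASCII and that the authenticator is the legacy MD5-over-key-and-header construction of RFC 5905 Appendix A.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48   # LI/VN/mode through transmit timestamp (RFC 5905)
MD5_MAC_LEN = 4 + 16  # 32-bit key ID followed by a 128-bit MD5 digest

# Constructed configuration lines in the guide's 'ntp authentication-key number md5 key' form.
SAMPLE_CONFIG = """
ntp authenticate
ntp authentication-key 1 md5 ntpsecret
ntp authentication-key 7 md5 backupkey
"""


def parse_keys(config: str) -> Dict[int, bytes]:
    """Collect key-number -> key-string pairs from 'ntp authentication-key' lines."""
    keys: Dict[int, bytes] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) == 5 and t[:2] == ["ntp", "authentication-key"] and t[3] == "md5":
            keys[int(t[2])] = t[4].encode("ascii")  # assumption: ASCII key strings
    return keys


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """Legacy NTP symmetric-key authenticator: MD5 over key || header (RFC 5905, Appendix A)."""
    return hashlib.md5(key + header).digest()


def build_client_request(key_id: int, key: bytes, tx_timestamp: int = 0) -> bytes:
    """NTPv3 client-mode request (first byte: LI=0, VN=3, mode=3) with an MD5 authenticator."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (3 << 3) | 3
    struct.pack_into("!Q", header, 40, tx_timestamp)  # transmit timestamp field
    header = bytes(header)
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify_packet(packet: bytes, keys: Dict[int, bytes]) -> Optional[int]:
    """Return the key number that authenticates the packet, or None when the packet carries
    no authenticator, names an unknown key, or its digest does not match. With
    'ntp authenticate' enabled, a packet that returns None must be discarded."""
    if len(packet) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return None
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return None
    # Constant-time comparison so the check does not leak how many digest bytes matched.
    return key_id if hmac.compare_digest(digest, ntp_md5_mac(key, header)) else None
```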
4 System Management Commands show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
4 Command Line Interface Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
System Management Commands 4 clock summer-time (date) This command allows the user to manually configure the start, end, and offset times of summer-time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer-time. Syntax clock summer-time name date b-month b-day b-year b-hour b-minute e-month e-day e-year e-hour e-minute offset no clock summer-time • name - Name of the time zone while summer-time is in effect, usually an acronym.
4 Command Line Interface Example Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007 23 23 60 Console(config)# Related Commands show sntp (4-66) clock summer-time (predefined) This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions of the world. Use the no form to disable summer time.
System Management Commands 4 Related Commands show sntp (4-66) clock summer-time (recurring) This command allows the user to manually configure the start, end, and offset times of summer-time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time.
4 Command Line Interface Example Console(config)#clock summer-time MESZ recurring 1 friday june 23 59 3 saturday september 2 55 60 Console(config)# Related Commands show sntp (4-66) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year}
• hour - Hour in 24-hour format. (Range: 0-23)
• min - Minute.
System Management Commands 4 System Status Commands

Table 4-25 System Status Commands
Command              Function                                                                                                    Mode    Page
show startup-config  Displays the contents of the configuration file (stored in flash memory) that is used to start up the system  PE
show running-config  Displays the configuration data currently in use                                                            PE      4-78
show system          Displays system information                                                                                 NE, PE  4-81
show users           Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client
4 Command Line Interface Example Console#show startup-config building startup-config, please wait.....
System Management Commands 4 is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
4 Command Line Interface Example Console#show running-config building startup-config, please wait..... ! phymap 00-12-cf-ce-2a-20 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 ! SNTP server 0.0.0.0 0.0.0.0 0.0.0.
4 System Management Commands show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12. • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example Console#show system System Description: Model ABC123 System OID String: 1.3.6.1.4.1.259.8.1.
4 Command Line Interface Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example
Console#show users
Username accounts:
 Username Privilege Public-Key
 -------- --------- ----------
 admin    15        None
 guest    0         None
 steve    15        RSA

Online users:
 Line      Username Idle time (h:m:s) Remote IP addr.
 --------- -------- ----------------- ---------------
 0 console admin    0:14:14 *
 1 VTY 0   admin    0:00:00           192.168.1.19
 2 SSH 1   steve    0:00:06           192.168.1.
4 System Management Commands Example
Console#show version
Unit1
 Serial number:
 Service tag:
 Hardware version:        R01
 Module A type:           1000BaseT
 Module B type:           1000BaseT
 Number of ports:         28
 Main power status:       up
 Redundant power status:  not present

Agent (master)
 Unit ID:                 1
 Loader version:          2.2.1.4
 Boot ROM version:        2.2.1.8
 Operation code version:  2.2.7.
4 Command Line Interface • Enabling jumbo frames will limit the maximum threshold for broadcast storm control to 64 packets per second. (See the switchport broadcast command on page 4-172.) • The current setting for jumbo frames can be displayed with the show system command (page 4-81). Example Console(config)#jumbo frame Console(config)# Flash/File Commands These commands are used to manage the system code or configuration files.
Flash/File Commands 4 • https-certificate - Copies an HTTPS certificate from an TFTP server to the switch. • public-key - Keyword that allows you to copy a SSH key from a TFTP server. (“Secure Shell Commands” on page 4-45) • unit - Keyword that allows you to copy to/from a unit. Default Setting None Command Mode Privileged Exec Command Usage • The system prompts for data required to complete the copy command.
4 Command Line Interface Example The following example shows how to upload the configuration settings to a file on the TFTP server: Console#copy file tftp Choose file type: 1. config: 2. opcode: <1-2>: 1 Source file name: startup TFTP server ip address: 10.1.0.99 Destination file name: startup.01 TFTP completed. Success. Console# The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming.
Flash/File Commands 4 This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch: Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1. RSA: 2. DSA: <1-2>: 1 Source file name: steve.pub Username: steve TFTP Download Success. Write to FLASH Programming. Success. Console# delete This command deletes a file or image.
4 Command Line Interface dir This command displays a list of files in flash memory. Syntax dir [unit:] {{boot-rom: | config: | opcode:} [:filename]} The type of file or image to display includes:
• boot-rom - Boot ROM (or diagnostic) image file.
• config - Switch configuration file.
• opcode - Run-time operation code image file.
• filename - Name of the configuration file or code image.
• unit - Stack unit.
Flash/File Commands 4 whichboot This command displays which files were booted when the system powered up. Syntax whichboot [unit] unit - Stack unit. (Range: 1) Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot file name ------------------------------------Unit1: D2218 V2271 Factory_Default_Config.
4 Command Line Interface Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-88) whichboot (4-89) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
Authentication Commands 4 authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password. • radius - Use RADIUS server password. • tacacs - Use TACACS server password. Default Setting Local Command Mode Global Configuration Command Usage • RADIUS uses UDP while TACACS+ uses TCP.
4 Command Line Interface authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-20). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable • local - Use local password only. • radius - Use RADIUS server password only. • tacacs - Use TACACS server password.
Authentication Commands 4 RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
4 Command Line Interface radius-server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values. Syntax [no] radius-server index host {host_ip_address} [auth-port auth_port] [acct-port acct_port] [timeout timeout] [retransmit retransmit] [key key] • index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
Authentication Commands 4 Default Setting 1813 Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port for authentication messages. Use the no form to restore the default. Syntax radius-server auth-port port_number no radius-server auth-port port_number - RADIUS server UDP port used for authentication messages.
4 Command Line Interface Example Console(config)#radius-server key green Console(config)# radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Authentication Commands 4 show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS server configuration: Global settings Communication key with RADIUS server: Server port number: 1812 Retransmit times: 2 Request timeout: 5 Sever 1: Server IP address: 192.168.1.
4 Command Line Interface Syntax [no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) • host_ip_address - IP address of the server. • port_number - The TACACS+ server TCP port used for authentication messages. (Range: 1-65535) • timeout - Number of seconds the switch waits for a reply before resending a request.
4 Authentication Commands Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
4 Command Line Interface tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
4 Authentication Commands AAA Commands The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
4 Command Line Interface Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} • index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) • ip-address - Specifies the host IP address of a server.
4 Authentication Commands - radius - Specifies all RADIUS hosts configured with the radius-server host command described on page 4-94. - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-97. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-101.
4 Command Line Interface - radius - Specifies all RADIUS hosts configured with the radius-server host command described on page 4-94. - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-97. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-101.
4 Authentication Commands - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-97. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-101. (Range: 1-255 characters) Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usage • The accounting of Exec mode commands is only supported by TACACS+ servers.
4 Command Line Interface Example Console(config)#aaa accounting update periodic 30 Console(config)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x • default - Specifies the default method list created with the aaa accounting dot1x command (page 4-102).
Authentication Commands 4 Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# accounting commands This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered commands. Syntax accounting commands level {default | list-name} no accounting commands level • level - The privilege level for executing commands.
4 Command Line Interface - tacacs+ - Specifies all TACACS+ hosts configure with the tacacs-server host command described on page 4-97. - server-group - Specifies the name of a server group configured with the aaa group server command described on 4-101. (Range: 1-255 characters) Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage • This command performs authorization to determine if a user is allowed to run an Exec shell.
4 Authentication Commands Example Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting This command displays the current accounting settings per function and per port.
4 Command Line Interface Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Authentication Commands 4 Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. • First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port.
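The learning rule described above (learn until max-mac-count is reached, then forward only frames whose source is already in the port's table) can be modelled in a few lines. The following is an added example written for this guide, not switch firmware; the class and field names are assumptions, the traffic is constructed, and the choice to count static entries against the limit is an assumption about this platform.

```python
"""Model of port-security MAC learning (added example; names and the
traffic below are constructed, not taken from the switch)."""

from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One switch port with port security state."""
    max_mac_count: int                       # port security max-mac-count
    enabled: bool = False                    # port security (enable) applied?
    static_macs: set = field(default_factory=set)
    learned_macs: set = field(default_factory=set)
    violations: list = field(default_factory=list)   # dropped unknown sources

    def known(self, mac: str) -> bool:
        return mac in self.static_macs or mac in self.learned_macs

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded.

        Without port security every new source is learned and forwarded.
        With it, learning stops once the port's table holds max_mac_count
        addresses; frames from unknown sources are then dropped and the
        source recorded so an operator can review it.
        """
        src_mac = src_mac.upper()
        if self.known(src_mac):
            return True
        if not self.enabled:
            self.learned_macs.add(src_mac)
            return True
        # Assumption: static entries count against the configured limit.
        if len(self.static_macs) + len(self.learned_macs) < self.max_mac_count:
            self.learned_macs.add(src_mac)
            return True
        self.violations.append(src_mac)
        return False


def run_sample() -> dict:
    """Constructed traffic: max-mac-count 2 is set before security is enabled,
    in the order the manual recommends."""
    port = SecurePort(max_mac_count=2)
    port.enabled = True
    frames = ["00-11-22-33-44-55", "00-11-22-33-44-66",
              "00-11-22-33-44-77",   # third host: table full, dropped
              "00-11-22-33-44-55"]   # already-learned host still forwarded
    forwarded = [port.ingress(m) for m in frames]
    return {"forwarded": forwarded,
            "learned": sorted(port.learned_macs),
            "violations": port.violations}


if __name__ == "__main__":
    print(run_sample())
```

The `violations` list is the defender's hook: it is what a monitoring script would export alongside the SNMP trap or log line the switch raises when an unknown source hits a secured port.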
Table 4-35 802.

dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.

dot1x operation-mode
This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

Syntax
dot1x operation-mode {single-host | multi-host [max-count count]}
no dot1x operation-mode [multi-host max-count]
• single-host – Allows only a single host to connect to this port.

Command Mode
Privileged Exec

Example
Console#dot1x re-authenticate
Console#

dot1x re-authentication
This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication.

dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated.

Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.

dot1x intrusion-action
This command sets the port's response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.

- Status – Administrative state for port access control.
- Operation Mode – Dot1x port control operation mode (page 4-114).
- Mode – Dot1x port control mode (page 4-113).
- Authorized – Authorization status (yes or n/a - not authorized).
• 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
- reauth-enabled – Periodic re-authentication (page 4-115).
- Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
• Reauthentication State Machine
- State – Current state (including initialize, reauthenticate).

Example
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name
1/1
1/2
. . .

Network Access – MAC Address Authentication
The Network Access feature controls host access to the network by authenticating its MAC address on the connected switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed.

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
• When enabled on a port interface, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The username and password are both equal to the MAC address being authenticated.
• On the RADIUS server, PAP usernames and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).

count - The maximum number of authenticated MAC addresses allowed. (Range: 1 to 2048; 0 for unlimited)

Default Setting
2048

Command Mode
Interface Configuration

Command Usage
The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.

Default Setting
1024

Command Mode
Interface Config

Example
Console(config-if)#mac-authentication max-mac-count 32
Console(config-if)#

network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.

Syntax
[no] network-access dynamic-qos

Default Setting
Disabled

Command Mode
Interface Configuration

Example
The following example enables the dynamic QoS feature on port 1.

• The VLAN settings specified by the first authenticated MAC address are implemented for a port. Other authenticated MAC addresses on the port must have the same VLAN configuration, or they are treated as authentication failures.
• If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the authentication is still treated as a success.

Default Setting
Disabled

Command Mode
Interface Configuration

Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#

network-access link-detection link-down
Use this command to configure the link detection feature to detect link-down events. When a link-down event is detected, the feature can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

Command Mode
Interface Configuration

Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#

network-access link-detection link-up-down
Use this command to configure the link detection feature to detect link-up and link-down events. When either a link-up or link-down event is detected, the feature can shut down the port, send an SNMP trap, or both.

Command Usage
• The reauthentication time is a global setting and applies to all ports.
• When the reauthentication time expires for a secure MAC address, it is reauthenticated with the RADIUS server. During the reauthentication process, traffic through the port remains unaffected.

Example
Console(config)#mac-authentication reauth-time 300
Console(config)#

clear network-access
Use this command to clear entries from the secure MAC address table.

Default Setting
Displays the settings for all interfaces.

Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means "care" and a 0 means "don't care". For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed. All other MACs would be filtered out.
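Two details in this section are easy to get wrong when scripting around the switch: the RADIUS server must hold the MAC as a PAP username/password in the exact XX-XX-XX-XX-XX-XX upper-case form, and the display mask treats 1 bits as "care". The block below is an added example (not code from the guide or the vendor) that normalises any common MAC notation into the required RADIUS form and applies the care/don't-care mask exactly as the worked example above describes; the MAC values are constructed.

```python
"""MAC-address helpers for MAC authentication and mask filtering
(added example; function names and sample MACs are constructed)."""

import re


def radius_mac_username(mac: str) -> str:
    """Normalise 00:1a:2b:3c:4d:5e, 001a.2b3c.4d5e or 00-1A-2B-3C-4D-5E into
    the XX-XX-XX-XX-XX-XX upper-case form the RADIUS PAP entry must use."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    h = hexdigits.upper()
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))


def mac_to_int(mac: str) -> int:
    """Integer form of a MAC (via the normaliser, so any notation works)."""
    return int(radius_mac_username(mac).replace("-", ""), 16)


def mac_matches(mac: str, filter_mac: str, mask: str) -> bool:
    """True if mac agrees with filter_mac in every bit set to 1 in mask
    (1 = care, 0 = don't care, as the command usage above states)."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(filter_mac) & m)


def filter_macs(entries, filter_mac: str, mask: str) -> list:
    """Return the entries that the switch would display for this filter."""
    return [e for e in entries if mac_matches(e, filter_mac, mask)]


# Constructed secure-address table, in mixed notations as a script might
# collect them from different sources.
SAMPLE_TABLE = ["00-00-01-02-03-04", "00:00:01:ff:ff:ff",
                "0000.0200.0000", "00-00-01-00-00-00"]

if __name__ == "__main__":
    print(filter_macs(SAMPLE_TABLE, "00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
```

Rejecting anything that does not reduce to exactly twelve hex digits matters more than it looks: a RADIUS entry created from a mis-parsed MAC silently fails authentication for that host, and the switch then blocks all of its traffic, which is hard to distinguish from a genuine policy denial.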
Table 4-37 Web Authentication (Continued)
Command | Function | Mode
web-auth quiet-period | Defines the amount of time to wait after the limit for failed login attempts is exceeded | GC

fail-url - The URL to which a host is directed after a failed web authentication attempt.

Default Setting
None

Command Mode
Global Configuration

Command Usage
This command is not supported in the current release of the firmware.

Example
Console(config)#web-auth login-fail-page-url http://www.example.com/fail/
Console(config)#

web-auth login-page-url
This command defines the external authentication page URL to which a host is directed to complete web authentication.

success-url - The URL to which a host is directed after a successful web authentication login.

Default Setting
None

Command Mode
Global Configuration

Command Usage
This command is not supported in the current release of the firmware.

Example
Console(config)#web-auth login-success-page-url http://www.example.

timeout - The amount of time that an authenticated session remains valid. (Range: 300-3600 seconds)

Default Setting
3600 seconds

Command Mode
Global Configuration

Example
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.

Command Usage
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.

Example
Console(config-if)#web-auth
Console(config-if)#

show web-auth
This command displays global web authentication parameters.

Command Mode
Privileged Exec

Example
Console#show web-auth interface eth 1/2
Web Auth Status : Enabled
Host Summary
IP address      Web-Auth-State  Remaining-Session-Time
--------------- --------------  ----------------------
Console#

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

Syntax
web-auth re-authenticate interface interface
• interface - Specifies a port interface.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#web-auth re-authenticate interface ethernet 1/2
192.168.1.5 Failed to reauth port.
Console#

show web-auth summary
This command displays a summary of web authentication port parameters and statistics.

Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control
Port  Status
----  --------
1/ 1  Disabled
1/ 2  Enabled
1/ 3  Disabled
1/ 4  Disabled
1/ 5  Disabled
1/ 6  Disabled
1/ 7  Disabled
1/ 8  Disabled
1/ 9  Disabled
1/10  Disabled
1/11  Disabled
1/12  Disabled
1/13  Disabled
1/14  Disabled
1/15  Disabled
1/16  Disabled
1/17  Disabled
1/18  Disabled
1/19  Disabled
1/20  Disabled
1/21  Disabled
1/22  Disabled
1/23  Disabled
1/24  Disabled
1/25  Disabled
1/26  Disabled
1/27  Disabled
1/

Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.

Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria.

IP ACLs
Table 4-39 IP ACLs
Command | Function | Mode | Page
access-list ip | Creates an IP ACL and enters configuration mode | GC | 4-139
permit, deny | Filters packets matching a specified source IP address | STD-ACL | 4-140
permit, deny | Filters packets meeting the specified criteria, including source and destination IP address, TCP/UDP port number, and protocol type | EXT-ACL | 4-140
show ip access-list | Displays the rules for configured IP ACLs | PE | 4-142
ip access-group | Adds

Related Commands
permit, deny (4-140)
ip access-group (4-142)
show ip access-list (4-142)

permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

Syntax
[no] {permit | deny} {any | source bitmask | host source}
• any – Any source IP address.
• source – Source IP address.
• bitmask – Decimal number representing the address bits to match.

Syntax
[no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]]
[no] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]]
• protocol-number – A specific protocol number.

This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#

Related Commands
access-list ip (4-139)

show ip access-list
This command displays the rules for configured IP ACLs.

Syntax
show ip access-list {standard | extended} [acl_name]
• standard – Specifies a standard IP ACL.
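An ACL is evaluated as a sequential list, and the bitmask in a rule selects which address bits are compared (the example above keeps the class C prefix with 255.255.255.0). The evaluator below is an added example, not the switch's implementation: it models standard rules (source only) and extended rules (source, destination, protocol, port ranges) with first-match semantics, and it treats a packet that matches no rule as denied, which is the usual ACL default and an assumption about this firmware. The packets and the second ACL are constructed; the first ACL reproduces the manual's own rule.

```python
"""First-match IP ACL evaluator modelling the permit/deny rules above
(added example; names, the sample packets and the implicit deny are
assumptions, not the switch's code)."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddrMatch:
    """'any', 'host a.b.c.d' or 'a.b.c.d bitmask'; set mask bits are compared."""
    addr: int = 0
    mask: int = 0          # mask 0 compares nothing, i.e. 'any'

    @classmethod
    def parse(cls, spec: str) -> "AddrMatch":
        parts = spec.split()
        if parts == ["any"]:
            return cls()
        if parts[0] == "host":
            return cls(int(ipaddress.IPv4Address(parts[1])), 0xFFFFFFFF)
        return cls(int(ipaddress.IPv4Address(parts[0])),
                   int(ipaddress.IPv4Address(parts[1])))

    def matches(self, ip: str) -> bool:
        return (int(ipaddress.IPv4Address(ip)) & self.mask) == (self.addr & self.mask)


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: AddrMatch
    dst: AddrMatch = AddrMatch()             # standard rules carry no destination
    protocol: Optional[int] = None           # 6 = tcp, 17 = udp, None = any
    sport: Optional[Tuple[int, int]] = None  # inclusive range, or None
    dport: Optional[Tuple[int, int]] = None


def _in_range(rng: Optional[Tuple[int, int]], value: int) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


def evaluate(acl: List[Rule], packet: dict) -> str:
    """Return 'permit' or 'deny' for the first rule the packet matches.
    Rules are checked in the order they were added (new rules are appended,
    as the MAC ACL usage notes state); no match falls through to deny."""
    for r in acl:
        if not r.src.matches(packet["src"]):
            continue
        if not r.dst.matches(packet.get("dst", "0.0.0.0")):
            continue
        if r.protocol is not None and r.protocol != packet.get("proto"):
            continue
        if not _in_range(r.sport, packet.get("sport", 0)):
            continue
        if not _in_range(r.dport, packet.get("dport", 0)):
            continue
        return r.action
    return "deny"


# The manual's example rule: permit 192.168.1.0 255.255.255.0 any destination-port 80 (TCP).
WEB_ACL = [Rule("permit", AddrMatch.parse("192.168.1.0 255.255.255.0"),
                AddrMatch.parse("any"), protocol=6, dport=(80, 80))]

# A constructed standard ACL: block one host, allow everything else.
BLOCK_HOST_ACL = [Rule("deny", AddrMatch.parse("host 10.1.1.1")),
                  Rule("permit", AddrMatch.parse("any"))]

if __name__ == "__main__":
    pkt = {"src": "192.168.1.25", "dst": "10.0.0.1", "proto": 6, "sport": 40000, "dport": 80}
    print(evaluate(WEB_ACL, pkt))
```

Because order decides the outcome, a permit rule appended after a broad deny never fires; checking an ACL with a handful of representative packets like this before binding it to a port is cheaper than diagnosing the resulting outage on a live link.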
Command Mode
Interface Configuration (Ethernet)

Command Usage
• A port can only be bound to one ACL.
• If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
• You must configure a mask for an ACL rule before you can bind it to a port.

Table 4-40 MAC ACL Commands
Command | Function | Mode | Page
mac access-group | Adds a port to a MAC ACL | IC | 4-147
show mac access-group | Shows port assignments for MAC ACLs | PE | 4-147

access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.

Syntax
[no] access-list mac acl_name
acl_name – Name of the ACL.

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.

Syntax
[no] {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]]
Note: The default is for Ethernet II packets.

Default Setting
None

Command Mode
MAC ACL

Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
• A detailed listing of Ethernet protocol types can be found in RFC 1060.

mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.

Syntax
mac access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.

Default Setting
None

Command Mode
Interface Configuration (Ethernet)

Command Usage
• A port can only be bound to one ACL.

ACL Information
Table 4-41 ACL Information
Command | Function | Mode | Page
show access-list | Shows all ACLs and associated rules | PE | 4-148
show access-group | Shows the ACLs assigned to each port | PE | 4-148

show access-list
This command shows all ACLs and associated rules, as well as all the user-defined masks.

Command Mode
Privileged Exec

Command Usage
Once the ACL is bound to an interface (i.e.

SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.

snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.

Syntax
[no] snmp-server

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#snmp-server
Console(config)#

show snmp
This command can be used to check the status of SNMP communications.

Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1. private, and the privilege is read-write
 2.

• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Command Mode
Global Configuration

Example
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.

Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.

Command Mode
Global Configuration

Example
Console(config)#snmp-server location WC-19
Console(config)#

Related Commands
snmp-server contact (4-152)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.

• SNMP Version: 1
• UDP Port: 162

Command Mode
Global Configuration

Command Usage
• If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
• The snmp-server host command is used in conjunction with the snmp-server enable traps command.
supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
• If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 "auth" or "priv" options, the user name must first be defined with the snmp-server user command. Otherwise, the authentication password and/or privacy password will not exist, and the switch will not authorize SNMP access for the host.
conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 4-159).

Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#

Related Commands
snmp-server host (4-153)

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.

• A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 4-162).

Example
Console(config)#snmp-server engine-id local 123456789
Console(config)#snmp-server engineID remote 987654321 192.168.1.

snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.

Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
• view-name - Name of an SNMP view. (Range: 1-64 characters)
• oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)
• included - Defines an included view.

show snmp view
This command shows information on the SNMP views.

Command Mode
Privileged Exec

Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#

Table 4-44 show snmp view - display description
Field | Description
View Name | Name of an SNMP view.
Subtree OID | A branch in the MIB tree.
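A view is a list of subtrees, each marked included or excluded, and an object is visible only if the most specific subtree covering it is an included one. The following added example (not the switch's code, nor a vendor library) shows that decision for a view that exposes mib-2 but hides the interfaces group, and handles the wildcard the oid-tree parameter allows; it assumes the wildcard is written as `*` for one sub-identifier and applies the RFC 3415 VACM rule that the longest matching subtree wins. The view entries and OIDs are constructed.

```python
"""SNMP view (VACM-style) access check for the snmp-server view command
(added example; entries and OIDs are constructed, '*' wildcard is an
assumption about how the switch's mask would be written here)."""

from typing import List, Optional, Tuple

ViewEntry = Tuple[str, str]   # (oid-tree, "included" | "excluded")


def parse_oid(oid: str) -> List[str]:
    """Split '1.3.6.1.2.1' into its sub-identifiers (leading dot tolerated)."""
    return oid.strip(".").split(".")


def subtree_covers(subtree: str, oid: str) -> bool:
    """True if oid lies inside subtree; '*' masks one sub-identifier."""
    s, o = parse_oid(subtree), parse_oid(oid)
    if len(s) > len(o):
        return False
    return all(sc == "*" or sc == oc for sc, oc in zip(s, o))


def best_entry(view: List[ViewEntry], oid: str) -> Optional[ViewEntry]:
    """The most specific (longest) entry covering oid, per RFC 3415 VACM."""
    best: Optional[ViewEntry] = None
    for entry in view:
        if subtree_covers(entry[0], oid):
            if best is None or len(parse_oid(entry[0])) > len(parse_oid(best[0])):
                best = entry
    return best


def view_allows(view: List[ViewEntry], oid: str) -> bool:
    """An OID covered by no entry is outside the view; otherwise the most
    specific entry's included/excluded marking decides."""
    entry = best_entry(view, oid)
    return entry is not None and entry[1] == "included"


# Constructed read view: all of mib-2 (1.3.6.1.2.1) except the interfaces
# group (1.3.6.1.2.1.2), so a read-only community cannot map the port table.
READ_VIEW: List[ViewEntry] = [("1.3.6.1.2.1", "included"),
                              ("1.3.6.1.2.1.2", "excluded")]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.2.1.10.1", "1.3.6.1.4.1.1"):
        print(oid, view_allows(READ_VIEW, oid))
```

Since the default group's read view is the whole Internet subtree (1.3.6.1), a view like READ_VIEW is the knob that turns an SNMP community from "read everything" into a least-privilege monitoring credential; the check above is also how to verify, offline, that an exclusion really shadows the subtree it was meant to.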
Default Setting
• Default groups: public (read only), private (read/write)
• readview - Every object belonging to the Internet OID space (1.3.6.1).
• writeview - Nothing is defined.
• notifyview - Nothing is defined.

Command Mode
Global Configuration

Command Usage
• A group sets the access policy for the assigned users.
• When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.

Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#

Table 4-45 show snmp group - display description
Field | Description
groupname | Name of an SNMP group.
security model | The SNMP version.
readview | The associated read view.
writeview | The associated write view.
notifyview | The associated notify view.
storage-type | The storage type for this entry.
Row Status | The row status of this entry.

snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View.

Default Setting
None

Command Mode
Global Configuration

Command Usage
• The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
• Before you configure a remote user, use the snmp-server engine-id command (page 4-156) to specify the engine ID for the remote device where the user resides.

show snmp user
This command shows information on SNMP users.

Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.

Example
To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#

description
This command adds a description to an interface. Use the no form to remove the description.

Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface.

• When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-FX and Gigabit Ethernet ports is 100full.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.

Example
The following example configures port 11 to use autonegotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#

Related Commands
capabilities (4-169)
speed-duplex (4-167)

capabilities
This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.

Example
The following example configures Ethernet port 25 capabilities to 100half, 100full and flow control.
Console(config)#interface ethernet 1/25
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#

Related Commands
negotiation (4-168)
speed-duplex (4-167)
flowcontrol (4-170)

flowcontrol
This command enables flow control. Use the no form to disable flow control.

Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#

Related Commands
negotiation (4-168)
capabilities (flowcontrol, symmetric) (4-169)

shutdown
This command disables an interface. To restart a disabled interface, use the no form.

Syntax
[no] shutdown

Default Setting
All interfaces are enabled.

switchport packet-rate
This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting.

Syntax
switchport broadcast packet-rate rate
no switchport broadcast
• broadcast - Specifies storm control for broadcast traffic.
• rate - Threshold level as a rate; i.e., kilobits per second.

Command Mode
Privileged Exec

Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.

Example
The following example clears statistics on port 5.

Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
 Basic information:
  Port type: 100FX
  Mac address: 00-12-CF-12-34-61
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full,
  Broadcast storm: Enabled
  Broadcast storm limit: 64 Kbits/second
  Flow control: Disabled
  Lacp: Disabled
  Port security: Disabled
  Max MAC count: 0
  Port security action: None
 Current status:
  Link status: Up
  Port operation status: Up
  Operation sp

Example
Console#show interfaces counters ethernet 1/7
Ethernet 1/7
 Iftable stats:
  Octets input: 30658, Octets output: 196550
  Unicast input: 6, Unicast output: 5
  Discard input: 0, Discard output: 0
  Error input: 0, Error output: 0
  Unknown protos input: 0, QLen output: 0
 Extended iftable stats:
  Multi-cast input: 0, Multi-cast output: 3064
  Broadcast input: 262, Broadcast output: 1
 Ether-like stats:
  Alignment errors: 0, FCS errors: 0
  Single Collision frames: 0, Multiple collision frames: 0

Example
This example shows the configuration setting for port 24.

Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.

Table 4-49 Mirror Port Commands
Command | Function | Mode | Page
port monitor | Configures a mirror session | IC | 4-177
show port monitor | Shows the configuration for a mirror port | PE | 4-178

port monitor
This command configures a mirror session. Use the no form to clear a mirror session.

Example
The following example configures the switch to mirror received packets from port 6 to 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 rx
Console(config-if)#

show port monitor
This command displays mirror information.

Syntax
show port monitor [interface]
interface - ethernet unit/port (source port)
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-28)

Default Setting
Shows all sessions.

Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity.
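The guide states the policy (traffic above the configured rate is dropped, the hardware checks conformity) but not the mechanism. The usual way such a limiter is built, and the way the storm-control threshold above is expressed in kilobits per second, is a token bucket: tokens accrue at the configured rate, each frame spends its size in tokens, and a frame that finds too few tokens is dropped. The following is an added example written for this section, not the switch's hardware algorithm; the burst size parameter and the frame trace are assumptions chosen to show the drop decision.

```python
"""Token-bucket model of an ingress rate limit / storm-control threshold
(added example; the burst size and the frame trace are constructed, and
the switch's real hardware policer is not claimed to work this way)."""

from typing import List, Tuple


class RateLimiter:
    """Rate in kilobits per second (the unit the switch uses); burst in
    bytes is the largest amount of credit that can be saved up."""

    def __init__(self, rate_kbps: int, burst_bytes: int):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)   # start full
        self.last = 0.0                    # time of the last refill

    def accept(self, now: float, frame_bytes: int) -> bool:
        """Refill for the elapsed time, then spend tokens for this frame.
        Returns True if the frame conforms, False if it would be dropped."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bytes_per_s)
        if frame_bytes <= self.tokens:
            self.tokens -= frame_bytes
            return True
        return False


def police(frames: List[Tuple[float, int]], rate_kbps: int, burst_bytes: int) -> List[bool]:
    """Apply the limiter to (timestamp_seconds, frame_bytes) pairs in order."""
    limiter = RateLimiter(rate_kbps, burst_bytes)
    return [limiter.accept(t, n) for t, n in frames]


# Constructed trace at 64 kbit/s (the broadcast storm limit shown in the
# show interfaces status example above), i.e. 8000 bytes/s, burst 1500 bytes.
SAMPLE_FRAMES = [(0.0, 1000), (0.0, 1000), (0.1, 1000), (0.2, 1000), (0.2, 500)]

if __name__ == "__main__":
    print(police(SAMPLE_FRAMES, 64, 1500))
```

The second frame at t=0 is dropped even though the long-run rate is not yet exceeded: with a small burst the limiter reacts to bunching, which is exactly the behaviour that makes storm control effective against a broadcast flood and also why a legitimate bursty host on a tight limit shows discard counters.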
4 Command Line Interface Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
4 Link Aggregation Commands Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to eight ports. • The ports at both ends of a connection must be configured as trunk ports. • All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
4 Command Line Interface Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Link Aggregation Commands 4 Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
4 Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Port must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Once the remote side of a link has been established, LACP operational settings are already in use on that side.
Link Aggregation Commands 4 • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
4 Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side an aggregate link. • partner - The remote side of an aggregate link. • priority - LACP port priority is used to select a backup link.
4 Link Aggregation Commands Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------Eth 1/ 1 ------------------------------------------------------------------------LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 . . .
4 Command Line Interface Table 4-53 Field show lacp internal - display description Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Internal Number of seconds before invalidating received LACPDU information. LACP System Priority LACP system priority assigned to this port channel. LACP Port Priority LACP port priority assigned to this interface within the channel group.
Link Aggregation Commands Table 4-54 4 show lacp neighbors - display description Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Port Number Current administrative value of the port number for the protocol Partner. Partner Oper Port Number Operational port number assigned to this aggregation port by the port’s protocol partner.
Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics:
• Static addresses will not be removed from the address table when a given interface link is down.
• Static addresses are bound to the assigned interface and will not be moved.
• sort - Sort by address, vlan or interface.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• The MAC Address Table contains the MAC addresses associated with each interface.
Example
Console(config)#mac-address-table aging-time 100
Console(config)#
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging time: 100 sec.
Console#
LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.
Table 4-57 LLDP Commands (Continued)
Command - Function - Mode - Page
lldp reinit-delay - Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down - GC - 4-198
lldp tx-delay - Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables - GC - 4-198
lldp admin-status - Enables LLDP transmit, receive, or transmit and receive mode on the specified port - IC - 4-199
lldp notification
Table 4-57 LLDP Commands (Continued)
Command - Function - Mode - Page
lldp medtlv med-cap - Configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities - IC - 4-209
lldp medtlv network-policy - Configures an LLDP-MED-enabled port to advertise its network policy configuration - IC - 4-209
show lldp config - Shows LLDP configuration settings for all ports - PE - 4-210
show lldp info local-device - Shows LLDP global and interface-specific configuration settings for this de
Command Mode
Global Configuration
Command Usage
The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
Example
Console(config)#lldp holdtime-multiplier 10
Console(config)#
lldp medFastStartCount
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
Default Setting
5 seconds
Command Mode
Global Configuration
Command Usage
• This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
• Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission.
lldp reinit-delay
This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting.
Syntax
lldp reinit-delay seconds
no lldp reinit-delay
seconds - Specifies the delay before attempting to re-initialize LLDP.
• This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval
Example
Console(config)#lldp tx-delay 10
Console(config)#
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
• rx-only - Only receive LLDP PDUs.
• tx-only - Only transmit LLDP PDUs.
the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
• SNMP trap destinations are defined using the snmp-server host command (page 4-153).
• Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp mednotification
Console(config-if)#
lldp basic-tlv management-ip-address
This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
Syntax
[no] lldp basic-tlv port-description
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
Syntax
[no] lldp basic-tlv system-description
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software.
Syntax
[no] lldp dot1-tlv proto-ident
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the protocols that are accessible through this interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-ident
Console(config-if)#
lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port-related VLAN information.
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “switchport native vlan” on page 4-247).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv pvid
Console(config-if)#
lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name.
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Refer to “Frame Size Commands” on page 4-83 for information on configuring the maximum frame size for this switch.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot3-tlv max-frame
Console(config-if)#
lldp dot3-tlv poe
This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities. Use the no form to disable this feature.
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode). Note that this device does not support PoE capabilities.
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp medtlv location
Console(config-if)#
lldp medtlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
Example
Console#show lldp config
LLDP Global Configuration
LLDP Enable : Yes
LLDP Transmit interval : 30
LLDP Hold Time Multiplier : 4
LLDP Delay Interval : 2
LLDP Reinit Delay : 2
LLDP Notification Interval : 5
LLDP MED fast start counts : 4
LLDP Port Configuration
Interface |AdminStatus NotificationEnabled
--------- + ----------- -------------------
Eth 1/1 | Tx-Rx True
Eth 1/2 | Tx-Rx True
Eth 1/3 | Tx-Rx True
Eth 1/4 | Tx-Rx True
Eth 1/5 | Tx-Rx True
. . .
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.
Syntax
show lldp info local-device [detail interface]
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
Syntax
show lldp info remote-device [detail interface]
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-28)
  • port-channel channel-id (Range: 1-8)
Command Mode
Privileged Exec
Example
switch#show lldp info statistics
LLDP Device Statistics
Neighbor Entries List Last Updated
New Neighbor Entries Count
Neighbor Entries Deleted Count
Neighbor Entries Dropped Count
Neighbor Entries Ageout Count
Interface
---------
Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
.
UPnP Commands
Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards.
Table 4-1. UPnP Commands
Command - Function - Mode - Page
upnp device - Enables/disables UPnP on the network - GC - 4-215
upnp device ttl - Sets the time-to-live (TTL) value.
upnp device ttl
This command sets the time-to-live (TTL) value for sending of UPnP messages from the device.
Syntax
upnp device ttl {value}
• value - The number of router hops a UPnP packet can travel before it is discarded. (Range: 1-255)
Default Setting
4
Command Mode
Global Configuration
Command Usage
UPnP devices and control points must be within the local network, that is, within the TTL value for multicast messages.
Example
In the following example, the TTL is set to 6.
Related Commands
upnp device ttl (4-216)
show upnp
This command displays the UPnP management status and time out settings.
Command Mode
Privileged Exec
Example
Console#show upnp
UPnP global settings:
Status: Enabled
Advertise duration: 200
TTL: 20
Console#
Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 4-58 Spanning Tree Commands (Continued)
Command - Function - Mode - Page
spanning-tree spanning-disabled - Disables spanning tree for an interface - IC - 4-227
spanning-tree cost - Configures the spanning tree path cost of an interface - IC - 4-227
spanning-tree port-priority - Configures the spanning tree priority of an interface - IC - 4-228
spanning-tree edge-port - Enables fast forwarding for edge ports - IC - 4-229
spanning-tree portfast - Sets an interface to fast forwarding - IC
an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Example
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#
spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.
• Multiple Spanning Tree Protocol
  - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
  - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
  - Be careful when switching between spanning tree modes.
spanning-tree hello-time
This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree hello-time time
no spanning-tree hello-time
time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) - 1].
ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
no spanning-tree pathcost method
• long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
• short - Specifies 16-bit based values that range from 1-65535. This method is based on the IEEE 802.1 Spanning Tree Protocol.
Default Setting
Long method
Command Mode
Global Configuration
Command Usage
The path cost method is used to determine the best path between devices.
• No VLANs are mapped to any MST instance.
• The region name is set to the switch’s MAC address.
Command Mode
Global Configuration
Example
Console(config)#spanning-tree mst configuration
Console(config-mstp)#
Related Commands
mst vlan (4-224)
mst priority (4-225)
name (4-225)
revision (4-226)
max-hops (4-226)
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#
mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.
Syntax
mst instance_id priority priority
no mst instance_id priority
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
• priority - Priority of the spanning tree instance.
MST Configuration
Command Usage
The MST region name and revision number (page 4-226) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed.
cost - The path cost for the port. (Range: 0 for auto-configuration, or 1-200,000,000) The recommended range is:
• Ethernet: 200,000-20,000,000
• Fast Ethernet: 20,000-2,000,000
• Gigabit Ethernet: 2,000-200,000
• 10 Gigabit Ethernet: 200-20,000
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode.
Interface Configuration (Ethernet, Port Channel)
Command Usage
• This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, the lowest value) will be configured as an active link in the spanning tree.
• Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
Related Commands
spanning-tree portfast (4-230)
spanning-tree portfast
This command sets an interface to fast forwarding. Use the no form to disable fast forwarding.
Syntax
[no] spanning-tree portfast
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• This command is used to enable/disable the fast spanning-tree mode for the selected port.
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
• auto - Automatically derived from the duplex mode setting.
• point-to-point - Point-to-point link.
• shared - Shared medium.
9.3.4 (Note 1).
• Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
• Each spanning-tree instance is associated with a unique set of VLAN IDs.
• This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
• Use the no spanning-tree mst cost command to specify auto-configuration mode.
• Path cost takes precedence over interface priority.
spanning-tree mst cost (4-233)
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
spanning-tree protocol-migration interface
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.
Command Mode
Privileged Exec
Command Usage
• Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
• Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
---------------------------------------------------------------
Eth 1/ 1 information
---------------------------------------------------------------
Admin status: enable
Role: root
State: forwarding
External admin path cost: 10000
Internal admin cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 200000
Designated port: 128.24
Designated root: 32768.0.0000ABCD0000
Designated bridge: 32768.0.
VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.
Syntax
[no] bridge-ext gvrp
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[no] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/6
Console(config-if)#switchport gvrp
Console(config-if)#
show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
• ethernet unit/port
  - unit - Stack unit.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer_value
no garp timer {join | leave | leaveall}
• {join | leave | leaveall} - Which timer to set.
• timer_value - Value of timer.
Syntax
show garp timer [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-28)
• port-channel channel-id (Range: 1-8)
Default Setting
Shows all GARP timers.
Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
Related Commands
shutdown (4-171)
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
• all - The port accepts all frames, tagged or untagged.
• tagged - The port only receives tagged frames.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Ingress filtering only affects tagged frames.
• With ingress filtering enabled, a port will discard received frames tagged for VLANs of which it is not a member.
• Ingress filtering does not affect VLAN-independent BPDU frames, such as GVRP or STA. However, it does affect VLAN-dependent BPDU frames, such as GMRP.
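The ingress decisions described for switchport acceptable-frame-types, switchport ingress-filtering and the allowed/native VLAN list, modelled as an added example (not code from the guide): it parses raw frames with a configurable TPID, so it also shows how a nonstandard dot1q-tunnel tpid changes what the port recognises as a tag, and it applies the untagged-frame rule of the protocol-vlan commands described later in this chapter. The SwitchPort class, the parse_frame and build_frame helpers, and the frame bytes are constructed for the example; treating BPDUs as exempt from the acceptable-frame-types check is an assumption.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q ethertype (the guide's default tpid)
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
# Reserved group addresses carrying VLAN-independent control frames (STA BPDUs
# and GVRP PDUs), which the guide says ingress filtering does not affect.
VLAN_INDEPENDENT_DST = {
    bytes.fromhex("0180c2000000"): "STA BPDU",
    bytes.fromhex("0180c2000021"): "GVRP PDU",
}


def parse_frame(frame, tpid=TPID_8021Q):
    """Return (dst, vid, ethertype) for a raw Ethernet frame.

    vid is None for an untagged frame, 0 for a priority-tagged frame (tag
    present, VID field zero), otherwise the VLAN ID carried in the tag.
    A tag is only recognised when its TPID equals `tpid`.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = bytes(frame[0:6])
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != tpid:
        return dst, None, etype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, tci & 0x0FFF, inner_type


def build_frame(dst, src, ethertype, vid=None, tpid=TPID_8021Q, payload=b"\x00" * 46):
    """Construct a test frame; when vid is given, one 802.1Q tag (PCP 0) is inserted."""
    tag = struct.pack("!HH", tpid, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


class SwitchPort:
    """Ingress VLAN policy of one port, with the guide's settings as attributes."""

    def __init__(self, name, pvid, tagged_vlans=(), acceptable="all",
                 ingress_filtering=True, protocol_vlans=None):
        if acceptable not in ("all", "tagged"):
            raise ValueError("switchport acceptable-frame-types {all | tagged}")
        self.name = name
        self.pvid = pvid                       # the port's single untagged (native) VLAN
        self.allowed = {pvid, *tagged_vlans}   # switchport allowed vlan list
        self.acceptable = acceptable
        self.ingress_filtering = ingress_filtering
        # protocol-vlan mapping for untagged frames: ethertype -> VLAN
        # (only the "ethernet" frame type of the guide's protocol groups is modelled)
        self.protocol_vlans = dict(protocol_vlans or {})

    def classify(self, frame, tpid=TPID_8021Q):
        """Return (action, vlan, reason) for a frame received on this port."""
        dst, vid, etype = parse_frame(frame, tpid)
        if dst in VLAN_INDEPENDENT_DST:
            # Assumption: VLAN-independent control frames bypass the VLAN checks.
            return "control", None, VLAN_INDEPENDENT_DST[dst]
        if vid is None or vid == 0:
            # Untagged and priority-tagged frames are admitted alike (802.1Q).
            if self.acceptable == "tagged":
                return "drop", None, "untagged frame on tagged-only port"
            if etype in self.protocol_vlans:
                return "forward", self.protocol_vlans[etype], "untagged, protocol group match"
            return "forward", self.pvid, "untagged, default VLAN (PVID)"
        # Tagged frame: only ingress filtering consults the allowed VLAN list.
        if self.ingress_filtering and vid not in self.allowed:
            return "drop", vid, "tagged for a VLAN the port is not a member of"
        return "forward", vid, "tagged"


if __name__ == "__main__":
    # Constructed addresses and port settings for a quick demonstration.
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    port = SwitchPort("Eth 1/1", pvid=1, tagged_vlans=(2, 5, 6))
    for vid in (None, 5, 7):
        print(vid, port.classify(build_frame(dst, src, ETHERTYPE_IP, vid=vid)))
```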
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged. Setting a VLAN untagged will also change the native VLAN of the port to this VLAN.
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Displaying VLAN Information
Table 4-63 Show VLAN Commands
Command - Function - Mode - Page
show vlan - Shows VLAN information - NE, PE - 4-250
show interfaces status vlan - Displays status for the specified VLAN interface - NE, PE - 4-173
show interfaces switchport - Displays the administrative and operational status of an interface - NE, PE - 4-175
show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#
Related Commands
show dot1q-tunnel (4-253)
show interfaces switchport (4-175)
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
switchport dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.
Syntax
switchport dot1q-tunnel tpid tpid
no switchport dot1q-tunnel tpid
tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#interface ethernet 1/2
Console(config-if)#switchport dot1q-tunnel mode uplink
Console(config-if)#end
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
The dot1q-tunnel
. . . .
Table 4-65 Private VLAN Commands
Command - Function - Mode - Page
private-vlan association - Associates a community VLAN with a primary VLAN - VC - 4-256
Configure Private VLAN Interfaces
switchport mode private-vlan - Sets an interface to host mode or promiscuous mode - IC - 4-257
switchport private-vlan host-association - Associates an interface with a secondary VLAN - IC - 4-258
switchport private-vlan isolated - Associates an interface with an isolated VLAN - IC - 4-258
switchport private-vlan
private-vlan
Use this command to create a primary, community, or isolated private VLAN. Use the no form to remove the specified private VLAN.
Syntax
private-vlan vlan-id {community | primary | isolated}
no private-vlan vlan-id
• vlan-id - ID of private VLAN. (Range: 1-4092, no leading zeroes).
• community - A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associated primary VLAN.
no private-vlan primary-vlan-id association
• primary-vlan-id - ID of primary VLAN. (Range: 1-4092, no leading zeroes).
• secondary-vlan-id - ID of secondary (i.e., community) VLAN. (Range: 1-4092, no leading zeroes).
Default Setting
None
Command Mode
VLAN Configuration
Command Usage
Secondary VLANs provide security for group members. The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN (e.g.
• To assign a promiscuous port or host port to an isolated VLAN, use the switchport private-vlan isolated command.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#switchport mode private-vlan promiscuous
Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#switchport mode private-vlan host
Console(config-if)#
switchport private-vlan host-association
Use this command to associate an interface with a secondary VLAN.
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Host ports assigned to an isolated VLAN cannot pass traffic between group members, and must communicate with resources outside of the group via a promiscuous port.
Example
Console(config)#interface ethernet 1/3
Console(config-if)#switchport private-vlan isolated 3
Console(config-if)#
switchport private-vlan mapping
Use this command to map an interface to a primary VLAN.
Syntax
show vlan private-vlan [community | isolated | primary]
• community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
• isolated – Displays an isolated VLAN, along with the assigned promiscuous interface and host interfaces. The Primary and Secondary fields both display the isolated VLAN ID.
• primary – Displays all primary VLANs, along with any assigned promiscuous interfaces.
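To check a private-VLAN design before applying the commands above, an added example (not the guide's code) that models the forwarding rules the guide states for primary, community and isolated VLANs and answers which ports may exchange traffic. The PrivateVlanModel class, its method names and the port and VLAN numbers are constructed for the example.

```python
class PrivateVlanModel:
    """Private VLAN types, associations and port roles, with a reachability
    check that follows the guide's rules: community hosts reach each other and
    the promiscuous ports of their primary VLAN; isolated hosts reach only the
    promiscuous port(s) of the isolated VLAN; promiscuous ports reach all of
    the hosts in the secondaries associated with their VLAN."""

    def __init__(self):
        self.kind = {}          # vlan-id -> "primary" | "community" | "isolated"
        self.association = {}   # community vlan-id -> primary vlan-id
        self.promiscuous = {}   # port -> primary (or isolated) vlan-id
        self.host = {}          # port -> community (or isolated) vlan-id

    # --- configuration steps, mirroring the guide's commands ---
    def private_vlan(self, vid, kind):
        """private-vlan <vid> {community | primary | isolated}"""
        if kind not in ("primary", "community", "isolated"):
            raise ValueError("unknown private VLAN type: %s" % kind)
        if not 1 <= vid <= 4092:
            raise ValueError("vlan-id range is 1-4092")
        self.kind[vid] = kind

    def associate(self, primary, community):
        """private-vlan <primary> association <community>"""
        if self.kind.get(primary) != "primary" or self.kind.get(community) != "community":
            raise ValueError("association needs a primary and a community VLAN")
        self.association[community] = primary

    def promiscuous_port(self, port, primary):
        """switchport mode private-vlan promiscuous + switchport private-vlan mapping"""
        if self.kind.get(primary) != "primary":
            raise ValueError("mapping target must be a primary VLAN")
        self.host.pop(port, None)
        self.promiscuous[port] = primary

    def host_port(self, port, community):
        """switchport mode private-vlan host + switchport private-vlan host-association"""
        if self.kind.get(community) != "community":
            raise ValueError("host-association target must be a community VLAN")
        self.promiscuous.pop(port, None)
        self.host[port] = community

    def isolated_port(self, port, isolated, mode):
        """switchport private-vlan isolated <vid> on a host or promiscuous port"""
        if self.kind.get(isolated) != "isolated":
            raise ValueError("target must be an isolated VLAN")
        if mode == "promiscuous":
            self.host.pop(port, None)
            self.promiscuous[port] = isolated
        elif mode == "host":
            self.promiscuous.pop(port, None)
            self.host[port] = isolated
        else:
            raise ValueError("mode is host or promiscuous")

    # --- forwarding rules ---
    def reachable(self, port):
        """Set of ports that frames received on `port` may be delivered to."""
        if port in self.promiscuous:
            vid = self.promiscuous[port]
            # Secondaries of a primary VLAN; an isolated VLAN is its own secondary.
            secondaries = {c for c, p in self.association.items() if p == vid} | {vid}
            peers = {p for p, v in self.promiscuous.items() if v == vid}
            peers |= {p for p, v in self.host.items() if v in secondaries}
        elif port in self.host:
            vid = self.host[port]
            if self.kind[vid] == "community":
                primary = self.association.get(vid)
                peers = {p for p, v in self.host.items() if v == vid}
                peers |= {p for p, v in self.promiscuous.items() if v == primary}
            else:  # isolated: no host-to-host traffic at all
                peers = {p for p, v in self.promiscuous.items() if v == vid}
        else:
            return set()
        peers.discard(port)
        return peers

    def can_forward(self, src, dst):
        return dst in self.reachable(src)
```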
Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
• group-id - Group identifier of this protocol group. (Range: 1-2147483647)
• frame1 - Frame type used by this protocol. (Options: ethernet, rfc_1042, llc_other)
• protocol - Protocol type. The only option for the llc_other frame type is ipx_raw. The options for all other frame types include: ip, arp, and rarp.
Default Setting
No protocol groups are configured.
applied to tagged frames.
- If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
- If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for the interface.
Example
The following example maps traffic matching the protocol type specified in protocol group 2 to VLAN 2.
This shows that traffic matching the specifications for protocol group 2 will be mapped to VLAN 2:
Console#show protocol-vlan protocol-group-vid
ProtocolGroup ID   VLAN ID
------------------ ----------
2                  VLAN2
Console#
Priority Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port.
queue mode
This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value.
Syntax
queue mode {strict | wrr}
no queue mode
• strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues.
Default Setting
The priority is not set, and the default value for untagged frames received on the interface is zero.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The precedence for priority mapping is IP DSCP, and default switchport priority.
• The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.
Command Mode
Global Configuration
Command Usage
WRR controls bandwidth sharing at the egress port by defining scheduling weights.
Example
This example shows how to assign WRR weights to priority queues 0 - 2:
Console(config)#queue bandwidth 6 9 12
Console(config)#
Related Commands
show queue bandwidth (4-268)
queue cos-map
This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 3).
4 Command Line Interface Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces.
Priority Commands 4 Example Console#show queue bandwidth Queue ID Weight -------- -----0 1 1 2 2 4 3 8 Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
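To make the difference between the two queue modes concrete, the following simulation of strict-priority and WRR egress scheduling is added here as an example; it is not code from the switch or from the manual, and the packet counts are constructed. The default weights (1, 2, 4, 8) are the ones shown in the show queue bandwidth output above; the point it shows is that under strict mode a busy high-priority queue starves the lowest queue until it drains, while under WRR the lowest queue is served within the first round.

```python
# Added example: strict-priority vs. WRR egress scheduling across the four
# CoS queues (queue 3 = highest priority).  Not switch firmware; the packet
# counts used below are constructed.
from collections import deque


def make_queues(counts):
    """Build four FIFO queues; counts maps queue id -> number of waiting packets.
    Each packet is labelled (queue_id, sequence) so the dequeue order can be inspected."""
    return [deque((q, i) for i in range(counts.get(q, 0))) for q in range(4)]


def schedule(queues, mode, weights=(1, 2, 4, 8)):
    """Return the order in which packets leave the port.

    mode 'strict': always serve the highest-priority non-empty queue, so a busy
    queue 3 starves everything below it.
    mode 'wrr': each round visits queue 3 down to queue 0 and sends at most
    weights[q] packets from each, so every queue gets a share of the link.
    """
    if mode not in ("strict", "wrr"):
        raise ValueError("queue mode must be 'strict' or 'wrr'")
    queues = [deque(q) for q in queues]  # work on copies, leave caller's queues intact
    order = []
    while any(queues):
        for q in range(3, -1, -1):
            if mode == "strict":
                if queues[q]:
                    order.append(queues[q].popleft())
                    break  # restart from the top: higher queues always win again
            else:
                for _ in range(weights[q]):
                    if not queues[q]:
                        break
                    order.append(queues[q].popleft())
    return order


def first_service_slot(order, queue_id):
    """Index at which the given queue is first served, or -1 if it never is."""
    for i, (q, _) in enumerate(order):
        if q == queue_id:
            return i
    return -1


if __name__ == "__main__":
    # Constructed burst: 10 packets waiting in the top queue, 10 in the bottom one.
    burst = {3: 10, 0: 10}
    print("strict:", first_service_slot(schedule(make_queues(burst), "strict"), 0))  # 10
    print("wrr   :", first_service_slot(schedule(make_queues(burst), "wrr"), 0))     # 8
```

The weights are per-round packet budgets rather than byte counts, which is enough to show the scheduling behaviour; a real implementation shares bandwidth by bytes.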
Syntax
  [no] map ip dscp

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
  • The precedence for priority mapping is IP DSCP, and default switchport priority.

Example
The following example shows how to enable IP DSCP mapping globally:
  Console(config)#map ip dscp
  Console(config)#

map ip dscp (Interface Configuration)
This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
  • The precedence for priority mapping is IP DSCP, and default switchport priority.
  • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues.
  • This command sets the IP DSCP priority for all interfaces.

Example
  Console#show map ip dscp ethernet 1/1
  DSCP mapping status: disabled
  Port      DSCP  COS
  --------  ----  ---
  Eth 1/ 1  0     0
  Eth 1/ 1  1     0
  Eth 1/ 1  2     0
  Eth 1/ 1  3     0
  . . .
Quality of Service Commands

To create a service policy for a specific category of ingress traffic, follow these steps:
  1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
  2. Use the match command to select a specific type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  3. Set an ACL mask to enable filtering for the criteria specified in the match command.

  • The class map is used with a policy map (page 4-275) to create a service policy (page 4-278) for a specific interface that defines packet classification, service tagging, and bandwidth policing.

This example creates a class map called “rd_class#2,” and sets it to match packets marked for IP Precedence service value 5:
  Console(config)#class-map rd_class#2 match-any
  Console(config-cmap)#match ip precedence 5
  Console(config-cmap)#

This example creates a class map called “rd_class#3,” and sets it to match packets marked for VLAN 1:
  Console(config)#class-map rd_class#3 match-any
  Console(config-cmap)#match vlan 1
  Console(config-cmap)#

policy-map
This command creates a policy

class
This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode.

Syntax
  [no] class class-map-name
  class-map-name - Name of the class map. (Range: 1-16 characters)

Default Setting
None

Command Mode
Policy Map Configuration

Command Usage
  • Use the policy-map command to specify a policy map and enter Policy Map configuration mode.

set
This command services IP traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified by the match command on page 4-274). Use the no form to remove the traffic classification.

Syntax
  [no] set {cos new-cos | ip dscp new-dscp | ip precedence new-precedence | ipv6 dscp new-dscp}
  • new-cos - New Class of Service (CoS) value. (Range: 0-7)
  • new-dscp - New Differentiated Service Code Point (DSCP) value.

Policy Map Class Configuration

Command Usage
  • You can configure up to 64 policers (i.e., meters or class maps) for each of the following access list types: MAC ACL, IP ACL (including Standard ACL and Extended ACL), IPv6 Standard ACL, and IPv6 Extended ACL. This limitation applies to each switch chip (ES3528M-SFP: ports 1-28).
  • Policing is based on a token bucket, where bucket depth (i.e.

Example
This example applies a service policy to an ingress interface.
  Console(config)#interface ethernet 1/1
  Console(config-if)#service-policy input rd_policy
  Console(config-if)#

show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.

Syntax
  show class-map [class-map-name]
  class-map-name - Name of the class map. (Range: 1-16 characters)

Default Setting
Displays all class maps.

Example
  Console#show policy-map
  Policy Map rd_policy
    class rd_class
      set ip dscp 3
  Console#show policy-map rd_policy class rd_class
  Policy Map rd_policy
    class rd_class
      set ip dscp 3
  Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.

Syntax
  show policy-map interface interface input
  interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
Voice VLAN Commands

Table 4-73 Voice VLAN Commands
  Command                         Function                                  Mode  Page
  switchport voice vlan security  Enables Voice VLAN security on ports      IC    4-284
  switchport voice vlan priority  Sets the VoIP traffic priority for ports  IC    4-285
  show voice vlan                 Displays Voice VLAN settings              PE    4-286

voice vlan
This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.

voice vlan aging
This command sets the Voice VLAN ID time out. Use the no form to restore the default.

Syntax
  voice vlan aging minutes
  no voice vlan
  minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)

Default Setting
1440 minutes

Command Mode
Global Configuration

Command Usage
The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.

Command Usage
  • VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.

switchport voice vlan rule
This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port.

Syntax
  [no] switchport voice vlan rule {oui | lldp}
  • oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address.
  • lldp - Uses LLDP to discover VoIP devices attached to the port.

Command Usage
  • Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch. Packets received from non-VoIP sources are dropped.
  • When enabled, be sure the MAC address ranges for VoIP devices are configured in the Telephony OUI list.
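The detection rules (oui, lldp) and the security filter described above can be illustrated with the following code, added here as an example; it is not code from the switch or the manual. The voice VLAN ID, the telephony OUI list, the set of ports on which LLDP has identified a VoIP device, and the sample frames are all constructed.

```python
# Added example: Voice VLAN detection by telephony OUI or LLDP, and the
# security filter that drops non-VoIP frames tagged with the voice VLAN.
# Not switch firmware; VLAN ID, OUI list and frames are constructed.
VOICE_VLAN_ID = 1234                           # constructed voice VLAN ID
TELEPHONY_OUI_LIST = {"00-11-22", "00-aa-bb"}  # constructed OUI entries


def mac_oui(mac):
    """Return the first three octets of a MAC address as 'xx-xx-xx'."""
    octets = mac.lower().replace(":", "-").split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "-".join(octets[:3])


def is_voip_frame(frame, rules, lldp_voip_ports, oui_list=TELEPHONY_OUI_LIST):
    """Apply the port's detection rules (a subset of {'oui', 'lldp'}).

    'oui'  matches the source MAC against the telephony OUI list;
    'lldp' trusts devices that LLDP has identified as VoIP on the ingress port
    (lldp_voip_ports is the set of such ports, constructed by the caller).
    """
    if "oui" in rules and mac_oui(frame["src_mac"]) in oui_list:
        return True
    if "lldp" in rules and frame["port"] in lldp_voip_ports:
        return True
    return False


def filter_voice_vlan(frame, security_enabled, rules, lldp_voip_ports):
    """Return 'forward' or 'drop' for a frame dict {port, src_mac, vlan}.

    With security enabled, a frame tagged with the voice VLAN whose source no
    detection rule recognises as VoIP is dropped; untagged frames and frames
    on other VLANs are unaffected.
    """
    if not security_enabled or frame.get("vlan") != VOICE_VLAN_ID:
        return "forward"
    return "forward" if is_voip_frame(frame, rules, lldp_voip_ports) else "drop"


if __name__ == "__main__":
    phone = {"port": "Eth 1/3", "src_mac": "00:11:22:33:44:55", "vlan": VOICE_VLAN_ID}
    pc = {"port": "Eth 1/4", "src_mac": "08:00:27:12:34:56", "vlan": VOICE_VLAN_ID}
    print(filter_voice_vlan(phone, True, {"oui"}, set()))  # forward
    print(filter_voice_vlan(pc, True, {"oui"}, set()))     # drop
```

Note that with no detection rule enabled on a port, security filtering drops every frame tagged with the voice VLAN, which is why the Command Usage above insists the OUI list be populated before enabling it.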
show voice vlan
This command displays the Voice VLAN settings on the switch and the OUI Telephony list.

Syntax
  show voice vlan {oui | status}
  • oui - Displays the OUI Telephony list.
  • status - Displays the global and port Voice VLAN settings.

Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.

ip igmp snooping
This command enables IGMP snooping on this switch. Use the no form to disable it.

Syntax
  [no] ip igmp snooping

Default Setting
Enabled

Command Mode
Global Configuration

Example
The following example enables IGMP snooping.
  Console(config)#ip igmp snooping
  Console(config)#

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.

ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.

Syntax
  ip igmp snooping version {1 | 2 | 3}
  no ip igmp snooping version
  • 1 - IGMP Version 1
  • 2 - IGMP Version 2
  • 3 - IGMP Version 3

Default Setting
IGMP Version 2

Command Mode
Global Configuration

Command Usage
  • All systems on the subnet must support the same version.

Command Usage
  • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group.
  • The leave-proxy feature does not function when a switch is set as the querier.

show ip igmp snooping
This command shows the IGMP snooping configuration.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
See “Configuring IGMP Snooping and Query Parameters” on page 3-213 for a description of the displayed items.

Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1:
  Console#show mac-address-table multicast vlan 1 igmp-snooping
  VLAN  M'cast IP addr.  Member ports  Type
  ----  ---------------  ------------  ------
  1     224.1.2.3        Eth1/11       IGMP
  Console#

IGMP Query Commands (Layer 2)
This section describes commands used to configure Layer 2 IGMP query on the switch.

Example
  Console(config)#ip igmp snooping querier
  Console(config)#

ip igmp snooping query-count
This command configures the query count. Use the no form to restore the default.

Syntax
  ip igmp snooping query-count count
  no ip igmp snooping query-count
  count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.

Default Setting
125 seconds

Command Mode
Global Configuration

Example
The following shows how to configure the query interval to 100 seconds:
  Console(config)#ip igmp snooping query-interval 100
  Console(config)#

ip igmp snooping query-max-response-time
This command configures the query report delay. Use the no form to restore the default.

ip igmp snooping router-port-expire-time
This command configures the query timeout. Use the no form to restore the default.

Syntax
  ip igmp snooping router-port-expire-time seconds
  no ip igmp snooping router-port-expire-time
  seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.

ip igmp snooping vlan mrouter
This command statically configures a multicast router port. Use the no form to remove the configuration.

Syntax
  [no] ip igmp snooping vlan vlan-id mrouter interface
  • vlan-id - VLAN ID (Range: 1-4092)
  • interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number. (Range: 1-28)
    • port-channel channel-id (Range: 1-8)

Default Setting
No static multicast router ports are configured.

Command Usage
Multicast router port types displayed include Static.

Example
The following shows that port 11 in VLAN 1 is attached to a multicast router:
  Console#show ip igmp snooping mrouter vlan 1
  VLAN  M'cast Router Ports  Type
  ----  -------------------  ------
  1     Eth 1/11             Static
  2     Eth 1/12             Static
  Console#

IGMP Filtering and Throttling Commands
In certain switch applications, the administrator may want to control the multicast services that are available to end users.

ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.

Syntax
  [no] ip igmp filter

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
  • IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.

Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny.

Example
  Console(config)#ip igmp profile 19
  Console(config-igmp-profile)#

permit, deny
This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.

Command Mode
IGMP Profile Configuration

Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.

Example
  Console(config)#ip igmp profile 19
  Console(config-igmp-profile)#range 239.1.1.1
  Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
  Console(config-igmp-profile)#

ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch.

  number - The maximum number of multicast groups an interface can join at the same time. (Range: 0-64)

Default Setting
64

Command Mode
Interface Configuration

Command Usage
  • IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#ip igmp max-groups action replace
  Console(config-if)#

show ip igmp filter
This command displays the global and interface settings for IGMP filtering.

Syntax
  show ip igmp filter [interface interface]
  interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.

Example
  Console#show ip igmp profile
  IGMP Profile 19
  IGMP Profile 50
  Console#show ip igmp profile 19
  IGMP Profile 19
  Deny
  range 239.1.1.1 239.1.1.1
  range 239.2.3.1 239.2.3.100
  Console#

show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.

Syntax
  show ip igmp throttle interface [interface]
  interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
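The profile semantics (one access mode, one or more address ranges) and the per-port throttle with its deny and replace actions, described in the IGMP filtering and throttling passages above, are brought together in this added example. It is not code from the switch or the manual; profile 19 and its ranges are taken from the examples on this page, the port joins are constructed, and which existing membership the replace action evicts is an assumption of the example (the page does not say).

```python
# Added example: an IGMP filter profile (permit/deny plus address ranges)
# and per-port join throttling with the deny/replace actions.  Not switch
# firmware.  Profile 19 and its ranges come from the examples above; the
# port joins are constructed.
import ipaddress


class IgmpProfile:
    def __init__(self, number, mode):
        if mode not in ("permit", "deny"):
            raise ValueError("access mode must be 'permit' or 'deny'")
        self.number = number
        self.mode = mode
        self.ranges = []  # (low, high) as integers, inclusive

    def add_range(self, low, high=None):
        """range low [high]; a single address when high is omitted."""
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high if high is not None else low))
        if lo > hi:
            raise ValueError("low address is above high address")
        if not ipaddress.IPv4Address(lo).is_multicast:
            raise ValueError(f"{low} is not a multicast address")
        self.ranges.append((lo, hi))

    def allows(self, group):
        """A permit profile allows only groups inside a range; a deny profile
        allows only groups outside every range."""
        g = int(ipaddress.IPv4Address(group))
        matched = any(lo <= g <= hi for lo, hi in self.ranges)
        return matched if self.mode == "permit" else not matched


class IgmpThrottledPort:
    def __init__(self, profile=None, max_groups=64, action="deny"):
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.groups = []  # joined groups, oldest first

    def join(self, group):
        """Handle an IGMP join report; returns what the switch did with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if group in self.groups:
            return "already-member"
        if len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "dropped"  # throttle limit reached, report discarded
            # 'replace' evicts an existing membership to make room; evicting
            # the oldest one is an assumption of this example.
            self.groups.pop(0)
            self.groups.append(group)
            return "replaced"
        self.groups.append(group)
        return "joined"


if __name__ == "__main__":
    profile19 = IgmpProfile(19, "deny")
    profile19.add_range("239.1.1.1")
    profile19.add_range("239.2.3.1", "239.2.3.100")
    port = IgmpThrottledPort(profile19, max_groups=2, action="deny")
    for g in ("239.2.3.7", "239.5.0.1", "239.5.0.2", "239.5.0.3"):
        print(g, port.join(g))  # filtered, joined, joined, dropped
```

The filter is checked before the throttle, so a denied group never consumes one of the port's group slots.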
Multicast VLAN Registration Commands
This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers. This can significantly reduce the processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN.

Command Usage
  • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
  • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.

Command Usage
  • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
  • MVR receiver ports cannot be members of a trunk. Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN. IGMP snooping can be used to allow a receiver port to dynamically join or leave multicast groups within the MVR VLAN.

show mvr
This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.

Syntax
  show mvr [interface [interface] | members [ip-address]]
  • interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.

The following displays information about the interfaces attached to the MVR VLAN:
  Console#show mvr interface
  Port    Type      Status         Immediate Leave
  ------  --------  -------------  ---------------
  eth1/1  SOURCE    ACTIVE/UP      Disable
  eth1/2  RECEIVER  ACTIVE/UP      Disable
  eth1/5  RECEIVER  INACTIVE/DOWN  Disable
  eth1/6  RECEIVER  INACTIVE/DOWN  Disable
  eth1/7  RECEIVER  INACTIVE/DOWN  Disable
  Console#

Table 4-81 show mvr interface - display description
  Field  Description
  Port   Shows interfaces attached to the
IP Interface Commands
An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.

  • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask.)
  • You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch.

ip dhcp restart
This command submits a BOOTP or DHCP client request.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
  • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
  • DHCP requires the server to reassign the client’s last address if available.

show ip redirects
This command shows the default gateway configured for this device.

Default Setting
None

Command Mode
Privileged Exec

Example
  Console#show ip redirects
  IP default gateway 10.1.0.254
  Console#

Related Commands
ip default-gateway (4-310)

ping
This command sends ICMP echo request packets to another node on the network.

Syntax
  ping host [size size] [count count]
  • host - IP address or IP alias of the host.
  • size - Number of bytes in a packet.

Example
  Console#ping 10.1.0.9
  Type ESC to abort.
  PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
  response time: 10 ms
  response time: 10 ms
  response time: 10 ms
  response time: 10 ms
  response time: 10 ms
  Ping statistics for 10.1.0.
  • sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet)

Command Usage
  • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.

  yet configured, the switch will drop all IP traffic on that port, except for DHCP packets.

Example
This example enables IP source guard on port 5.
  Console(config)#interface ethernet 1/5
  Console(config-if)#ip source-guard sip
  Console(config-if)#

Related Commands
ip source-guard binding (4-315)
ip dhcp snooping (4-317)
ip dhcp snooping vlan (4-319)

ip source-guard binding
This command adds a static address to the source-guard binding table.

  - If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using the type of static IP source guard binding.
  - If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
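The binding-table rules just listed and the sip / sip-mac filter modes of the ip source-guard command can be seen together in this added example; it is not code from the switch or the manual. The static binding it uses is the one shown in the show ip source-guard binding output on this page, the packets are constructed, and what happens when a static binding collides with an existing dynamic entry is an assumption (the page's text for that case is cut off).

```python
# Added example: an IP source guard binding table and the sip / sip-mac
# ingress filter.  Not switch firmware.  The static binding is the one from
# the show ip source-guard binding output on this page; packets are constructed.


class Binding:
    def __init__(self, mac, ip, vlan, port, kind):
        self.mac = mac.lower()
        self.ip = ip
        self.vlan = vlan
        self.port = port
        self.kind = kind  # "static" or "dynamic"


class SourceGuardTable:
    def __init__(self):
        self.entries = []

    def find(self, vlan, mac):
        """Entries are keyed by (VLAN ID, MAC address)."""
        for e in self.entries:
            if e.vlan == vlan and e.mac == mac.lower():
                return e
        return None

    def add_static(self, mac, ip, vlan, port):
        """Apply the ip source-guard binding rules from the Command Usage above."""
        existing = self.find(vlan, mac)
        new = Binding(mac, ip, vlan, port, "static")
        if existing is None:
            self.entries.append(new)
            return "added"
        if existing.kind == "static":
            self.entries[self.entries.index(existing)] = new
            return "replaced"
        # Dynamic entry with the same key: the page's rule for this case is cut
        # off, so this example leaves the dynamic entry untouched (assumption).
        return "kept-dynamic"

    def filter(self, port, mode, packet):
        """Decide the fate of an IP packet {src_ip, src_mac, vlan, dhcp} on a port.

        mode None      : source guard disabled on the port, everything forwarded
        mode 'sip'     : source IP must match a binding for this port and VLAN
        mode 'sip-mac' : source IP and source MAC must both match
        DHCP packets always pass so a client can still obtain a lease.
        """
        if mode is None:
            return "forward"
        if mode not in ("sip", "sip-mac"):
            raise ValueError("mode must be None, 'sip' or 'sip-mac'")
        if packet.get("dhcp"):
            return "forward"
        for e in self.entries:
            if e.port != port or e.vlan != packet["vlan"] or e.ip != packet["src_ip"]:
                continue
            if mode == "sip-mac" and e.mac != packet["src_mac"].lower():
                continue
            return "forward"
        return "drop"  # no matching binding: only DHCP leaves this port


if __name__ == "__main__":
    table = SourceGuardTable()
    table.add_static("11-22-33-44-55-66", "192.168.0.99", 1, "Eth 1/5")
    legit = {"src_ip": "192.168.0.99", "src_mac": "11-22-33-44-55-66", "vlan": 1}
    spoof = dict(legit, src_ip="192.168.0.1")
    print(table.filter("Eth 1/5", "sip", legit), table.filter("Eth 1/5", "sip", spoof))
```

The sip-mac test in the block shows why the stricter mode matters: with sip alone, a host that spoofs a neighbour's IP address from its own MAC is still dropped, but a host that spoofs both the IP and the MAC of a binding on the same port is not distinguishable by either mode, which is what port-level binding gives you and no more.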
Example
  Console#show ip source-guard binding
  MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
  -----------------  ---------------  ----------  --------------------  ----  ---------
  11-22-33-44-55-66  192.168.0.99     0           Static                1     Eth 1/5
  Console#

DHCP Snooping Commands
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.

  messages received on an unsecure interface from outside the network or firewall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by the ip dhcp snooping vlan command (page 4-319), DHCP messages received on an untrusted interface (as specified by the no ip dhcp snooping trust command, page 4-320) from a device not listed in the DHCP snooping table will be dropped.

  switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.

Example
This example enables DHCP snooping globally for the switch.

Related Commands
ip dhcp snooping (4-317)
ip dhcp snooping trust (4-320)

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.

Syntax
  [no] ip dhcp snooping trust

Default Setting
All interfaces are untrusted

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
  • An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.

ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
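The three DHCP snooping behaviours spelled out above (server messages on untrusted ports are dropped, the client hardware address is checked against the Ethernet source MAC, and bindings are learned from server ACKs) are put into one message handler in this added example. It is not code from the switch or the manual; the port names, MAC addresses and messages are constructed, and attributing a learned binding to the untrusted port on which the client's REQUEST was seen is this example's own bookkeeping.

```python
# Added example: the DHCP snooping checks described above -- server messages
# arriving on untrusted ports are dropped, the client hardware address
# (chaddr) is compared with the Ethernet source MAC when verification is on,
# and dynamic bindings are learned from ACKs seen on trusted ports.  Not
# switch firmware; every message below is constructed.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, verify_mac_address=True):
        self.trusted_ports = set()        # all interfaces are untrusted by default
        self.verify_mac_address = verify_mac_address
        self.bindings = {}                # (vlan, client MAC) -> {ip, lease, port}
        self._pending = {}                # (vlan, chaddr) -> client port, from REQUEST

    def trust(self, port):
        """ip dhcp snooping trust on the given interface."""
        self.trusted_ports.add(port)

    def process(self, msg):
        """msg: {port, vlan, src_mac, msg_type, chaddr, [yiaddr, lease]}.
        Returns (action, reason)."""
        key = (msg["vlan"], msg["chaddr"].lower())
        if msg["port"] in self.trusted_ports:
            # Server side: record the lease an ACK grants, attributed to the
            # untrusted port on which the client's REQUEST was seen.
            if msg["msg_type"] == "ACK":
                self.bindings[key] = {
                    "ip": msg["yiaddr"],
                    "lease": msg["lease"],
                    "port": self._pending.pop(key, None),
                }
            return ("forward", "trusted port")
        if msg["msg_type"] in SERVER_MESSAGES:
            return ("drop", "server message on untrusted port")
        if self.verify_mac_address and key[1] != msg["src_mac"].lower():
            return ("drop", "chaddr does not match Ethernet source MAC")
        if msg["msg_type"] == "REQUEST":
            self._pending[key] = msg["port"]
        return ("forward", "client message on untrusted port")


if __name__ == "__main__":
    snoop = DhcpSnooping()
    snoop.trust("Eth 1/1")  # uplink to the real DHCP server
    rogue_offer = {"port": "Eth 1/7", "vlan": 1, "src_mac": "00-00-00-00-00-07",
                   "msg_type": "OFFER", "chaddr": "11-22-33-44-55-66"}
    print(snoop.process(rogue_offer))  # ('drop', 'server message on untrusted port')
```

Dropping server-role messages on untrusted ports is what neutralises a rogue DHCP server; the chaddr check is what stops one client from exhausting the pool or poisoning the binding table with forged hardware addresses while sending from its own MAC.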
  • When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
  • DHCP snooping must be enabled on the switch for the DHCP Option 82 information to be inserted into packets.

Example
This example enables the DHCP Snooping Information Option.

ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.

Command Mode
Global Configuration

Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.

show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.

Command Mode
Privileged Exec

Example
  Console#show ip dhcp snooping binding
  MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
  -----------------  ---------------  ----------  --------------------  ----  ---------
  11-22-33-44-55-66  192.168.0.
IP Cluster Commands

Command Usage
  • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
  • Switch clusters are limited to a single IP subnet (Layer 2 domain).

cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.

Syntax
  cluster ip-pool
  no cluster ip-pool
  ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start with 10.x.x.x.

Default Setting
10.254.254.1

Command Mode
Global Configuration

Command Usage
  • An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster.

Command Usage
  • The maximum number of cluster Members is 36.
  • The maximum number of switch Candidates is 100.

Example
  Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
  Console(config)#

rcommand
This command provides access to a cluster Member CLI for configuration.

Syntax
  rcommand id
  member-id - The ID number of the Member switch.

show cluster members
This command shows the current switch cluster members.

Command Mode
Privileged Exec

Example
  Console#show cluster members
  Cluster Members:
  ID: 1
  Role: Active member
  IP Address: 10.254.254.2
  MAC Address: 00-12-cf-23-49-c0
  Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
  Console#

show cluster candidates
This command shows the discovered Candidate switches in the network.
Appendix A: Software Specifications

Software Features
Authentication: Local, RADIUS, TACACS, Port (802.1X, MAC Authentication, Web Authentication), HTTPS, SSH, Port Security
Access Control Lists: IP, MAC; 1000 rules per system
DHCP Client
Port Configuration: 100BASE-FX: 100 Mbps full duplex; 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LH: 1000 Mbps at full duplex (SFP)
Flow Control: Full Duplex: IEEE 802.

Multicast VLAN Registration
Quality of Service: DiffServ supports class maps, policy maps, and service policies
Additional Features: BOOTP client; SNTP (Simple Network Time Protocol); SNMP (Simple Network Management Protocol); RMON (Remote Monitoring, groups 1,2,3,9); SMTP Email Alerts; DHCP Snooping; IP Source Guard; IP Clustering

Management Features
In-Band Management: Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell
Out-of-Band Management: RS-232 DB-9 console port
Software

Management Information Bases
RADIUS+ (RFC 2618)
RMON (RFC 1757 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2 (RFC 2571)
SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415)
SNTP (RFC 2030)
SSH (Version 2.
Appendix B: Troubleshooting

Problems Accessing the Management Interface

Table B-1 Troubleshooting Chart
  Symptom                                    Action
  Cannot connect using Telnet, web browser,  • Be sure the switch is powered up.
  or SNMP software                           • Check network cabling between the management station and the switch.
                                             • Check that you have a valid network connection to the switch and that the port you are using has not been disabled.

Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
  1. Enable logging.
  2. Set the error messages reported to include all categories.
  3. Designate the SNMP host that is to receive the error messages.
  4. Repeat the sequence of commands or other actions that lead up to the error.
  5.
Glossary

Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device’s system files, and the name of the boot file.

GARP VLAN Registration Protocol (GVRP)
Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.

IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.

IGMP Query
On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.

Multicast Switching
A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.

Network Time Protocol (NTP)
NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.

Secure Shell (SSH)
A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.

Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols which offers network management services.

Virtual LAN (VLAN)
A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.

XModem
A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
Index Numerics 802.1Q tunnel 3-167, 4-251 configuration, guidelines 3-170 configuration, limitations 3-170 description 3-167 ethernet type 3-171 interface configuration 3-172, 4-252–4-253 mode selection 3-172 status, configuring 3-170 TPID 4-253 uplink 3-172 802.1X, port authentication 3-81, 3-99 802.1X, port authentication accounting 3-62 A AAA accounting 802.
Index default settings, system 1-6 DHCP 3-18, 4-215, 4-216, 4-309 client 3-16 dynamic configuration 2-5 DHCP snooping global configuration 4-317, 4-324, 4-325 specifying trusted interfaces 4-320 verifying MAC addresses 4-321, 4-322 VLAN configuration 4-319 Differentiated Code Point Service See DSCP Differentiated Services See DiffServ DiffServ 3-200, 4-272 binding policy to interface 3-206, 4-278 class map 3-200, 4-273, 4-276 policy map 3-203, 4-275 service policy 3-206, 4-278 downloading software 3-20, 4-8
Index parameters 3-213 snooping, configuring 3-213, 4-287 importing user public keys 3-76 ingress filtering 3-165, 4-246 IP address BOOTP/DHCP 3-18, 4-215, 4-216, 4-309, 4-311 setting 2-4, 3-16, 4-215, 4-216, 4-309 IP precedence enabling 3-197 IP source guard configuring static entries 4-315 setting filter criteria 4-313 isolated ports 3-174, 4-254 isolated VLAN, configuring 3-174 J jumbo frame 4-83 K key private 3-71 public 3-71 user public, importing 3-76 key pair host 3-71 host, generating 3-75 L LACP
Index MSTP 4-219 configuring 3-149 global settings 4-217 global settings, configuring 3-141 global settings, displaying 3-138 interface settings 4-218 interface settings, configuring 3-147, 3-153 interface settings, displaying 3-151 multicast filtering 3-212, 3-225, 3-240, 4-287 multicast groups 3-218, 4-291 displaying 4-291 static 3-218, 4-288, 4-289, 4-291 multicast services configuring 3-219, 3-226, 3-227, 3-229, 4-288, 4-289 displaying 3-218, 4-291 multicast, filtering and throttling 4-298 multicast, st
Index R RADIUS, logon authentication 4-93 RADIUS, settings 3-54 rate limits, setting 3-128, 4-179 remote logging 4-57 restarting the system 3-33, 4-23, 4-24 RSA encryption 3-75, 3-76 RSTP 3-136, 4-219 global configuration 4-219 global settings, configuring 3-141 global settings, displaying 3-138 interface settings, configuring 3-147 interface settings, displaying 3-144 S secure shell 3-71, 4-45 configuration 3-71, 4-48 serial port configuring 4-11 show dot1q-tunnel 4-253 Simple Network Management Protocol
Index upgrading software 3-20 UPnP 3-245 configuration 3-245 user password 3-51, 3-59, 3-60, 3-62, 3-65, 4-37, 4-38 4-246–4-249 private 3-173, 4-254 protocol 3-179, 4-261 protocol, configuring 3-179 protocol, system configuration 3-180 voice VLAN 3-207, 4-280 VoIP Traffic 3-207, 4-280 ports, configuring 3-208 telephony OUI, configuring 3-211 voice VLAN, configuring 3-207 V W Type Length Value See also LLDP-MED TLV U VLANs 3-155–3-191, 4-238 802.