Powered by Accton ES4524M-PoE 24-Port Layer 2/4 Gigabit Ethernet Switch with PoE Management Guide
Management Guide ES4524M-PoE Gigabit Ethernet Switch with PoE Layer 2/4 Switch with 22 10/100/1000BASE-T (RJ-45) Ports, and 2 Gigabit Combination Ports (RJ-45/SFP)
ES4524M-PoE F1.0.0.
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1-1 Key Features (Continued)
Multicast Filtering – Supports IGMP snooping and query
LLDP – Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain

Description of Software Features
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation.
enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.
Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard.
or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
Multicast Filtering – Multicast filtering is a system where network devices forward multicast traffic only to the ports that are registered with the multicast group.
Table 1-2 System Defaults (Continued)
Web Management: HTTP Server – Enabled; HTTP Port Number – 80; HTTP Secure Server – Enabled; HTTP Secure Port Number – 443
SNMP: Community Strings – “public” (read only), “private” (read/write); Traps – Authentication traps: enabled, Link-up-down events: enabled; SNMP V3 – View: defaultview, Group: public (read only); private (read/write)
Port Configuration: Admin Status – Enabled; Auto-negotiation – Enabled; Flow Control – Disabled; R
Table 1-2 System Defaults (Continued)
Traffic Prioritization: Ingress Port Priority – 0; Weighted Round Robin – Queue: 0 1 2 3, Weight: 1 2 4 8; IP DSCP Priority – Disabled
IP Address – 0.0.0.0; Subnet Mask – 255.0.0.0; Default Gateway – 0.0.0.
Chapter 2: Initial Configuration
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: The IP address for this switch is unassigned by default. To change this address, see “Setting an IP Address” on page 22-4.
• Configure Class of Service (CoS) priority queuing
• Configure up to 8 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 22-4.
Setting Passwords
Note: If this is the first time you have logged into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place.
Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.
4. Type “ip dhcp restart” to begin broadcasting service requests. Press Enter.
5. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
6. Then save your configuration changes by typing “copy running-config startup-config”. Enter the startup file name and press Enter.
The default strings are:
• public - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps:
1.
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
Managing System Files
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files. In the system flash memory, one file of each type must be set as the start-up file.
Configuring Power over Ethernet
The switch’s 24 10/100/1000 Mbps ports support the IEEE 802.3af Power-over-Ethernet (PoE) standard that enables DC power to be supplied to attached devices over the wire pairs in the connecting Ethernet cable. Any 802.3af compliant device attached to a port can directly draw power from the switch over the Ethernet cable without requiring its own separate power source.
Chapter 3: Configuring the Switch
Using the Web Interface
This switch provides an embedded HTTP web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”
Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Panel Display
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the “Apply” button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3-1 Configuration Options
Revert – Cancels specified values and restores current values prior to pressing “Apply.”
Apply – Sets specified values to the system.
Help – Links directly to web help.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Main Menu (Continued)
SNMPv3: Simple Network Management Protocol (Version 3) (3-43)
  Engine ID: Sets SNMPv3 Engine ID (3-43)
  Remote Engine ID: Adds a Remote Engine ID and IP Host (3-44)
  Users: Creates or deletes user accounts (3-45)
  Remote Users: Creates or deletes remote user accounts (3-47)
  Groups: Creates or deletes SNMPv3 Groups (3-49)
  Views: Creates or deletes SNMPv3 Views (3-52)
Security (3-54)
  User Accounts: Assigns a new password for the current user
  Authen
Table 3-2 Main Menu (Continued)
LACP: Link Aggregation Control Protocol (3-107)
  Configuration: Allows ports to dynamically join trunks (3-107)
  Aggregation Port: Configures system priority, admin key, and port priority (3-110)
  Port Counters Information: Displays statistics for LACP protocol messages (3-113)
  Port Internal Information: Displays settings and operational state for local side (3-114)
  Port Neighbors Information: Displays settings and operational state f
Table 3-2 Main Menu (Continued)
MSTP: Multiple Spanning Tree Protocol (3-151)
  VLAN Configuration: Configures priority and VLANs for a spanning tree instance (3-151)
  Port Information: Displays port settings for a specified MST instance (3-154)
  Trunk Information: Displays trunk settings for a specified MST instance (3-154)
  Port Configuration: Configures port settings for a specified MST instance (3-155)
  Trunk Configuration: Configures trunk settings for a specified MST instan
Table 3-2 Main Menu (Continued)
LLDP: Link Layer Discovery Protocol (3-176)
  Configuration: Configures basic LLDP time parameters (3-176)
  Port Configuration: Configures a port for receive and/or transmit status, allows sending of SNMP notification messages, and configures TLV information (3-178)
  Trunk Configuration: Configures a trunk for receive and/or transmit status, allows sending of SNMP notification messages, and configures TLV information.
Table 3-2 Main Menu (Continued)
  Static Multicast Router Port Configuration: Assigns ports that are attached to a neighboring multicast router (3-208)
  IP Multicast Registration Table: Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID (3-209)
  IGMP Member Port Table: Indicates multicast addresses associated with the selected VLAN (3-210)
Multicast VLAN Registration (3-211)
  Configuration: Globally enables MVR, sets the MVR VLAN,
Table 3-2 Main Menu (Continued)
UPNP: Universal Plug and Play (3-224)
  Configuration: Configures basic UPnP parameters (3-225)
Basic Configuration
This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system.
Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.
Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.)
Figure 3-3 System Information
CLI – Specify the hostname, location and contact information.
Displaying Switch Hardware/Software Versions
Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Field Attributes
Main Board
• Serial Number – The serial number of the switch.
• Number of Ports – Number of built-in RJ-45 ports and expansion ports.
• Hardware Version – Hardware version of the main board.
CLI – Use the following command to display version information.
Console#show version
Unit 1
 Serial Number:           A622016012
 Hardware Version:        R01
 EPLD Version:            11.09
 Number of Ports:         24
 Main Power Status:       Up
 Redundant Power Status:  Not present
Agent (Master)
 Unit ID:                 1
 Loader Version:          1.0.2.4
 Boot ROM Version:        1.0.2.6
 Operation Code Version:  1.0.0.
Web – Click System, Bridge Extension Configuration.
Figure 3-5 Displaying Bridge Extension Configuration
CLI – Enter the following command.
Command Attributes
• Management VLAN – ID of the configured VLAN (1-4094). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
• IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP).
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.
Web – Click System, IP Configuration.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface.
Enabling Jumbo Frames
The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields. You can enable jumbo frames to support data packets up to 9000 bytes in size.
Managing Firmware
You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version. You must specify the method of file transfer, along with the file type and file names as required.
Note: Runtime code can also be upgraded by using Batch Upgrade.
Downloading System Software from a Server
When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.
Web – Click System, File Management, Copy Operation.
To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted.
Figure 3-11 Deleting Files
CLI – Enter the IP address of the TFTP server, select “config” or “opcode” file type, then enter the source and destination file names, set the new file to start up the system, and then restart the switch.
Saving or Restoring Configuration Settings
You can upload/download configuration settings to/from a TFTP server. The configuration file can be later downloaded to restore the switch’s settings.
Command Attributes
• File Transfer Method – The firmware copy operation includes these options.
  - file to file – Copies a file within the switch directory, assigning it a new name.
  - file to running-config – Copies a file in the switch to the running configuration.
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
Web – Click System, File Management, Copy Operation.
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 bps)
• Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
• Password1 – Specifies a password for the line connection.
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
• Password2 – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
• Login – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts.
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and display a list of recent event messages.
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.
Figure 3-14 System Logs
CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Figure 3-15 Remote Logs
CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.
Console(config)#logging host 192.168.1.
Displaying Log Messages
The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Web – Click System, Log, Logs.
Figure 3-16 Displaying Logs
CLI – This example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:37 2001-01-01 "DHCP request failed - will retry later.
• SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
• Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.
CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information.
Console(config)#logging sendmail host 192.168.1.4
Console(config)#logging sendmail level 3
Console(config)#logging sendmail source-email big-wheels@matel.com
Console(config)#logging sendmail destination-email chris@matel.
Basic Configuration Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. (See “calendar set” on page 4-52.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Configuring the Switch CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp client Console(config)#sntp poll 60 Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 Console(config)#exit Console#show sntp Current time: Jan 6 14:56:05 2004 Poll interval: 60 Current mode: unicast SNTP status : Enabled SNTP server 10.1.0.19 137.82.140.80 128.250.36.2 Current server: 128.250.36.
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

Table 3-1 SNMPv3 Security Models and Levels
Model | Level | Group | Read View | Write View | Notify View | Security
v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v1 | noAuthNoPriv | private (read/write) | defaultview | defaultview | none | Community string only
v1 | noAuthNoPriv | user defined | user defined | user defined | user defined | Community string only
v2c | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v2c | noAuthNoPriv | private

Setting Community Access Strings
You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Command Attributes
• SNMP Community Capability – The switch supports up to five community strings.
• Current – Displays a list of the community strings currently configured.

Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as EdgeView). You can specify up to five management stations that will receive authentication failure messages and other notification messages from the switch.

Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive)
• Trap UDP Port – Specifies the UDP port number used by the trap manager.
• Trap Version – Indicates if the user is running SNMP v1, v2c, or v3. (Default: v1)
• Trap Security Level – When trap version 3 is selected, you must specify one of the following security levels.

Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.

Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
4.

Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent.
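The following added example (not the switch's own code) shows what "localized using the engine ID" means in practice: it assumes the standard SNMPv3 User-based Security Model key derivation (RFC 3414, appendix A.2), derives a user key from a password, then localizes it with two different engine IDs to show why an inform to a remote agent needs that agent's engine ID configured. The engine ID value REMOTE_ENGINE is constructed for the example; RFC_ENGINE is the RFC 3414 test-vector engine ID.

```python
import hashlib

# Password-to-key and key localization for the SNMPv3 User-based Security
# Model (RFC 3414, appendix A.2). Assumed here: the switch's "localized
# using the engine ID" follows this standard algorithm.

ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Derive the user key Ku: hash the password repeated out to 1 MB."""
    if not password:
        raise ValueError("empty password")
    repeats = ONE_MEGABYTE // len(password) + 1
    stream = (password * repeats)[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Bind Ku to one authoritative engine: Kul = H(Ku || engineID || Ku).

    The same password therefore yields a different key for every agent,
    which is why the remote agent's engine ID must be configured before
    the switch can build a valid digest for an inform sent to it.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_keys(password: bytes, engine_ids: dict, algo: str = "md5") -> dict:
    """Localized key per engine ID, keyed by the caller's engine label."""
    ku = password_to_key(password, algo)
    return {name: localize_key(ku, eid, algo) for name, eid in engine_ids.items()}


# RFC 3414 appendix A.3.1 test vector engine ID
RFC_ENGINE = bytes.fromhex("000000000000000000000002")
# Constructed engine ID standing in for a remote agent (not from the page)
REMOTE_ENGINE = bytes.fromhex("800000020100c0a80119")

if __name__ == "__main__":
    keys = localized_keys(b"maplesyrup", {"local": RFC_ENGINE, "remote": REMOTE_ENGINE})
    for name, key in keys.items():
        print(f"{name:7s} {key.hex()}")
```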
Configuring SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Command Attributes
• User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
• Group Name – The name of the SNMP group to which the user is assigned.

Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.

Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.

Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Figure 3-27 Configuring Remote SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Console(config)#snmp-server user mark group r&d remote 192.

Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Command Attributes
• Group Name – The name of the SNMP group. (Range: 1-32 characters)
• Model – The group security model; SNMP v1, v2c or v3.

Table 3-1 Supported Notification Messages (Continued)
Object Label | Object ID | Description
linkDown* | 1.3.6.1.6.3.1.1.5.3 | A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus.
linkUp* | 1.3.6.1.6.3.1.1.5.

Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.

Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
• View Name – The name of the SNMP view. (Range: 1-64 characters)
• View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.

CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active

View Name: readaccess
Subtree OID: 1.3.6.1.
User Authentication
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options:
• User Accounts – Manually configure management access rights for users.

Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 3-1 User Accounts
CLI – Assign a user name to access-level 15 (i.e.

contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

- Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2)
- Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)
• TACACS Settings
- Server IP Address – Address of the TACACS+ server. (Default: 10.11.12.

CLI – Specify all the required parameters to enable logon authentication.
Console(config)#authentication login radius
Console(config)#radius-server port 181
Console(config)#radius-server key green
Console(config)#radius-server retransmit 5
Console(config)#radius-server timeout 10
Console(config)#radius-server 1 host 192.168.1.

• When you start HTTPS, the connection is established in this way:
- The client authenticates the server using the server’s digital certificate.
- The client and server negotiate a set of security protocols to use for the connection.
- The client and server generate session keys for encrypting and decrypting data.
• The client and server establish a secure encrypted connection.
• A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.

Copy HTTPS Certificate
• TFTP Server IP Address – Specifies the TFTP Server where the authorized certificate will be saved.
• Source Certificate File Name – File name for the certificate.
• Source Private File Name – Private key file name.
• Private Password – Password for the private key.
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.

Configuring the Secure Shell
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks. The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools.

be configured locally on the switch via the User Accounts page as described on page 3-54) The clients are subsequently authenticated using these keys.

Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable.
b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request.
c. The client sends a signature generated using the private key to the switch.
d.

Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Figure 3-32 SSH Host-Key Settings
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.

Configuring Public Keys for Clients
A user public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the user public key to SSH clients and import the client’s public key to the switch.
Field Attributes
• Public-Key of admin/user – The public key for the administrator or user.
- RSA: The first field indicates the size of the public key (e.g.

Web – Click Security, SSH, User Public-Key Settings. Select the user type and public-key type from the drop-down box, enter the TFTP server IP address, input the source file name, and then click Copy Public Key.

CLI – This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication through SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
1. RSA: 2. DSA: <1-2>: 1
Source file name: steve.pub
Username: steve
TFTP Download Success.
Write to FLASH Programming.
Success.

Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server.
Figure 3-34 SSH Server Settings
CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.

authentication type. (Some clients have native support in Windows, otherwise the dot1x client must support it.)

Displaying 802.1X Global Settings
The 802.1X protocol provides client authentication.
Command Attributes
802.1X System Authentication Control – The global setting for 802.1X.
Web – Click Security, 802.1X, Information.
Figure 3-35 802.1X Global Information
CLI – This example shows the default global setting for 802.1X.
Console#show dot1x
Global 802.

Configuring 802.1X Global Settings
The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
Command Attributes
802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled)
Web – Select Security, 802.1X, Configuration. Enable dot1x globally for the switch and click Apply.
Figure 3-36 802.1X Global Configuration
CLI – This enables 802.

• Re-authen – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)
• Max-Req – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.

CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-104.

Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-3 802.1X Statistics
Parameter | Description
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff | The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid | The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.

Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 3-38 Displaying 802.1X Port Statistics
CLI – This example displays the 802.1X statistics for port 4.

Filtering IP Addresses for Management Access
You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
• The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.

Web – Click Security, IP Filter. Enter the addresses that are allowed management access to an interface, and click Add IP Filtering Entry.
Figure 3-39 Filtering Management Access
CLI – This example restricts management access for Telnet clients.
Console(config)#management telnet-client 192.168.1.19
Console(config)#management telnet-client 192.168.1.25 192.168.1.
Client Security
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are supported by this switch.

the maximum number of MAC addresses the selected port will stop learning. The MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch.
Command Usage
• A secure port has the following restrictions:
- It cannot be used as a member of a static or dynamic trunk.
- It should not be connected to a network interconnection device.

Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
Figure 3-40 Configuring Port Security
CLI – This example sets the command mode to Port 5, sets the port security action to send a trap and disable the port, and then enables port security for the switch.

Access Control Lists
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.

Setting the ACL Name and Type
Use the ACL Configuration page to designate the name and type of an ACL.
Command Attributes
• Name – Name of the ACL. (Maximum length: 16 characters)
• Type – There are three filtering modes:
- Standard: IP ACL mode that filters packets based on the source IP address.
- Extended: IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number.

indicate “ignore.” The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.

• Service Type – Packet priority settings based on the following criteria:
- Precedence – IP precedence level. (Range: 0-7)
- TOS – Type of Service level. (Range: 0-15)
- DSCP – DSCP priority level. (Range: 0-64)
• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where Others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP)
• Source/Destination Port – Source/destination port number for the specified protocol type.

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
Figure 3-43 Configuring Extended IP ACLs
CLI – This example adds three rules:
1.

Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain permit rules, deny rules, or a combination of both. (Default: Permit rules)
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.

• MAC – Specifies the MAC ACL to bind to a port.
• IN – ACL for ingress packets.
• ACL Name – Name of the ACL.
Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress traffic, select the required ACL from the drop-down list, then click Apply.
Figure 3-45 Mapping ACLs to Port Ingress Queues
CLI – This example assigns an IP access list to port 1, and a MAC access list to port 2.
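The added example below (not the switch's own code) models how the standard and extended IP ACL rules described above are matched against a packet: the Any/Host/IP address types, the subnet mask ANDed with both the rule address and the packet address (1 bits match, 0 bits ignore), and the extended protocol and port fields. Two points are assumptions for this example rather than statements from the page: rules are evaluated in order with the first match deciding, and a packet matching no rule receives the configurable default action (deny here).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of IP ACL matching for this switch section; not the
# switch's own code. Mask semantics: 1 bits mean "match", 0 bits "ignore".


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AddrMatch:
    kind: str                 # "any", "host" or "ip" (address plus mask)
    addr: str = "0.0.0.0"
    mask: str = "0.0.0.0"     # only used when kind == "ip"

    def matches(self, packet_addr: str) -> bool:
        if self.kind == "any":
            return True
        if self.kind == "host":
            return ip_int(packet_addr) == ip_int(self.addr)
        # "IP" type: AND the mask with both addresses and compare the results
        m = ip_int(self.mask)
        return (ip_int(packet_addr) & m) == (ip_int(self.addr) & m)


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: AddrMatch
    dst: AddrMatch = field(default_factory=lambda: AddrMatch("any"))
    protocol: Optional[str] = None     # extended rules only: "tcp" or "udp"
    dst_port: Optional[int] = None     # extended rules only

    def matches(self, pkt: dict) -> bool:
        if not self.src.matches(pkt["src"]) or not self.dst.matches(pkt["dst"]):
            return False
        if self.protocol is not None and pkt.get("proto") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def evaluate(rules, pkt: dict, default: str = "deny") -> str:
    """Return the action of the first matching rule.

    Assumption for this example: in-order evaluation, first match wins, and
    'default' applies to packets that match no rule.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed ACLs for the example (addresses are sample values)
STANDARD_ACL = [
    Rule("deny", AddrMatch("host", "10.1.1.21")),                    # one host
    Rule("permit", AddrMatch("ip", "10.1.1.0", "255.255.255.0")),    # its subnet
]
EXTENDED_ACL = [
    Rule("deny", AddrMatch("any"), AddrMatch("host", "192.168.1.10"), "tcp", 23),
    Rule("permit", AddrMatch("ip", "10.1.0.0", "255.255.0.0"), AddrMatch("any")),
]

if __name__ == "__main__":
    for pkt in ({"src": "10.1.1.21", "dst": "10.9.9.9"},
                {"src": "10.1.1.99", "dst": "10.9.9.9"},
                {"src": "10.2.0.1", "dst": "10.9.9.9"}):
        print("standard", pkt["src"], "->", evaluate(STANDARD_ACL, pkt))
```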
• Table entries are only learned for trusted interfaces. An entry is added or removed dynamically to the DHCP snooping table when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
• The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.

DHCP Snooping Configuration
Use the DHCP Snooping Configuration page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
Command Attributes
• DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)
• DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification.

Web – Click DHCP Snooping, VLAN Configuration. Enable DHCP Snooping on the required VLAN and click Apply.
Figure 3-47 DHCP Snooping VLAN Configuration
CLI – This example enables DHCP Snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#

DHCP Snooping Information Option Configuration
DHCP provides a relay option for sending information about local DHCP clients to DHCP servers.

2. If the DHCP packet’s broadcast flag is on, the reply packet is broadcast to all attached VLANs, excluding that through which the reply packet was received. If the DHCP packet’s broadcast flag is off, the switch uses the Option 82 information to identify the interface connected to the requesting client and unicasts the reply packet to the client.

CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace.

CLI – This example sets port 5 as a trusted interface.

IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-88). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.

• SIP – Enables traffic filtering based on IP addresses stored in the binding table.
• SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table.
Web – Click IP Source Guard, Port Configuration. Set the required filtering type for each port and click Apply.

are configured by the DHCP server itself, of which static entries include a manually configured lease time.
• Static bindings are processed as follows:
- If there is no entry with same VLAN ID and MAC address, a new entry is added to binding table using the type “static IP source guard binding.”
- If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.

CLI – This example configures a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5
Console(config)#

Dynamic IP Source Guard Binding Information
Use the Dynamic Information page to display the source-guard binding table for a selected interface.
Command Attributes
• Query by – Select an interface to display the source-guard binding.
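The following added example (not the switch's own code) models the IP Source Guard binding table from this section and the DHCP Snooping section before it: dynamic entries learned from DHCP leases, static entries applied with the two processing rules quoted above, and per-port filtering in SIP or SIP-MAC mode. Two assumptions are made because the page does not state them: an existing dynamic entry with the same VLAN and MAC is also replaced by a new static one (the page's text for that case is cut off), and a binding only authorises traffic on the port it belongs to. All MAC and IP values are constructed, except the static binding from the CLI example above.

```python
from dataclasses import dataclass

# Constructed model of the IP Source Guard binding table; not the switch's
# own code. Entry types use the names given in this section.
STATIC = "static IP source guard binding"
DYNAMIC = "dynamic DHCP snooping binding"


@dataclass
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str
    kind: str
    lease: int = 0   # seconds; static entries carry a manually configured lease


class SourceGuardTable:
    def __init__(self):
        self.entries = []     # list of Binding
        self.port_mode = {}   # port -> "disabled" | "sip" | "sip-mac"

    def _find(self, vlan: int, mac: str):
        for e in self.entries:
            if e.vlan == vlan and e.mac.lower() == mac.lower():
                return e
        return None

    def add_dynamic(self, mac, vlan, ip, port, lease):
        """Entry learned by DHCP snooping when a client receives a lease."""
        self.entries.append(Binding(mac, vlan, ip, port, DYNAMIC, lease))

    def release_dynamic(self, mac, vlan):
        """Entry removed when the client releases its address."""
        self.entries = [e for e in self.entries
                        if not (e.kind == DYNAMIC and e.vlan == vlan
                                and e.mac.lower() == mac.lower())]

    def add_static(self, mac, vlan, ip, port, lease=0) -> str:
        """Apply the static-binding rules quoted in this section."""
        new = Binding(mac, vlan, ip, port, STATIC, lease)
        old = self._find(vlan, mac)
        if old is None:
            self.entries.append(new)              # rule 1: no entry, add it
            return "added"
        # rule 2: an existing static entry is replaced. Assumption for this
        # example: an existing dynamic entry is replaced as well.
        self.entries[self.entries.index(old)] = new
        return "replaced"

    def set_port_mode(self, port: str, mode: str):
        self.port_mode[port] = mode

    def permits(self, port: str, src_ip: str, src_mac: str, vlan: int) -> bool:
        """Decide whether an IP frame arriving on 'port' passes source guard."""
        mode = self.port_mode.get(port, "disabled")
        if mode == "disabled":
            return True
        for e in self.entries:
            # assumption: a binding is only valid on its own port and VLAN
            if e.port != port or e.vlan != vlan or e.ip != src_ip:
                continue
            if mode == "sip" or e.mac.lower() == src_mac.lower():
                return True
        return False


def build_sample_table() -> SourceGuardTable:
    """Constructed sample: one DHCP lease on port 1/3, the static binding
    from the CLI example on port 1/5."""
    t = SourceGuardTable()
    t.add_dynamic("00-11-22-33-44-55", 1, "192.168.0.50", "eth1/3", 3600)
    t.add_static("11-22-33-44-55-66", 1, "192.168.0.99", "eth1/5")
    t.set_port_mode("eth1/3", "sip-mac")
    t.set_port_mode("eth1/4", "sip")
    t.set_port_mode("eth1/5", "sip")
    return t


if __name__ == "__main__":
    t = build_sample_table()
    print("lease holder on 1/3:", t.permits("eth1/3", "192.168.0.50", "00-11-22-33-44-55", 1))
    print("same IP, other MAC:", t.permits("eth1/3", "192.168.0.50", "aa-bb-cc-dd-ee-ff", 1))
    print("same IP from 1/4:  ", t.permits("eth1/4", "192.168.0.50", "00-11-22-33-44-55", 1))
```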
Port Configuration Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • • • • • Name – Interface label. Type – Indicates the port type. (1000BASE-T or 1000BASE-SFP) Admin Status – Shows if the interface is enabled or disabled. Oper Status – Indicates if the link is Up or Down.
Configuring the Switch Web – Click Port, Port Information or Trunk Information. Figure 3-54 Port Status Information Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (1000T or 1000Base SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-15.) Configuration: • • • • Name – Interface label. Port Admin – Shows if the interface is enabled or disabled (i.e., up or down).
Port Configuration • Broadcast Storm Limit – Shows the broadcast storm threshold. (64 - 1,000,000 kilobits per second) • Multicast Storm – Shows if multicast storm control is enabled or disabled. • Multicast Storm Limit – Shows the multicast storm threshold. (64 - 1,000,000 kilobits per second) • Unknown Unicast Storm – Shows if unknown unicast storm control is enabled or disabled. • Unknown Unicast Storm Limit – Shows the unknown unicast storm threshold.
Configuring the Switch CLI – This example shows the connection status for Port 5.
Port Configuration • Flow Control – Allows automatic or manual selection of flow control (that is, with auto-negotiation disabled). Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2005 (formally IEEE 802.3x) for full-duplex operation.
Configuring the Switch Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. Figure 3-55 Configuring Port Attributes CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 Console(config-if)#description RD SW#13 Console(config-if)#shutdown . Console(config-if)#no shutdown Console(config-if)#no negotiation Console(config-if)#speed-duplex 100half Console(config-if)#flowcontrol .
Port Configuration Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 8 trunks at a time. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
Configuring the Switch Statically Configuring a Trunk Command Usage statically configured } • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
Port Configuration CLI – This example creates trunk 1 with ports 3 and 4. Just connect these ports to two static trunk ports on another switch to form a trunk.
Configuring the Switch Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. • Port – Port identifier. (Range: 1-24) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Port Configuration CLI – The following example enables LACP for ports 1 to 4. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 4-135 Console(config-if)#lacp 4-149 Console(config-if)#exit . . .
Configuring the Switch Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. • However, if the “port channel” Admin Key is set (page 4-142), then the port Admin Key must be set to the same value for a port to be allowed to join a channel group.
Port Configuration Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
Configuring the Switch CLI – The following example configures LACP parameters for ports 1-8. Ports 1-4 are used as active members of the LAG; ports 5-8 are set to backup mode. Console(config)#interface ethernet 1/1 4-135 Console(config-if)#lacp actor system-priority 3 4-150 Console(config-if)#lacp actor admin-key 120 4-151 Console(config-if)#lacp actor port-priority 128 4-153 Console(config-if)#exit . . .
Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Table 3-4 LACP Port Counters
Field – Description
LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received – Number of valid LACPDUs received on this channel group.
Marker Sent – Number of valid Marker PDUs transmitted from this channel group.
Marker Received – Number of valid Marker PDUs received by this channel group.
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the local side of a link aggregation.
Table 3-5 LACP Internal Configuration Information
Field – Description
Oper Key – Current operational value of the key for the aggregation port.
Admin Key – Current administrative value of the key for the aggregation port.
LACPDUs Interval – Number of seconds before invalidating received LACPDU information.
Port Configuration Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-60 Displaying Local LACP Port Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side of a link aggregation.
Table 3-6 LACP Remote Side Settings
Field – Description
Partner Admin System ID – LAG partner’s system ID assigned by the user.
Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number – Current administrative value of the port number for the protocol Partner.
Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Setting Broadcast Storm Thresholds
Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt. You can protect your network from broadcast storms by setting a threshold for broadcast traffic for each port.
Port Configuration Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Set the threshold for each port, click Apply. Figure 3-62 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 packets per second for port 2.
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
(Figure: traffic from the source port(s) is copied to a single target port.)
Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
Port Configuration Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
CLI – This example sets the rate limit for input traffic passing through port 2.
Console(config)#interface ethernet 1/3
Console(config-if)#rate-limit input 64000
Console(config-if)#
Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
Table 3-7 Port Statistics (Continued)
Parameter – Description
Transmit Unicast Packets – The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Transmit Multicast Packets – The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent.
Table 3-7 Port Statistics (Continued)
Parameter – Description
RMON Statistics
Drop Events – The total number of events in which packets were dropped due to lack of resources.
Jabbers – The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Received Bytes – Total number of bytes of data received on the network.
Port Configuration Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
Configuring the Switch CLI – This example shows statistics for port 13.
Power over Ethernet Settings
This switch can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device. Once configured to supply power, an automatic detection process is initialized by the switch that is authenticated by a PoE signature from the connected device. Detection and authentication prevent damage to non-802.3af compliant devices.
Configuring the Switch Web – Click PoE, Power Status. Figure 3-66 Displaying the Global PoE Status CLI – This example displays the current power status for the switch.
Power over Ethernet Settings Setting a Switch Power Budget A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power. Command Attributes Power Allocation – The power budget for the switch.
Configuring the Switch Web – Click PoE, Power Port Status. Figure 3-68 Displaying Port PoE Status CLI – This example displays the PoE status and priority of port 1.
Power over Ethernet Settings Command Attributes • Port – The port number on the switch. • Admin Status – Enables PoE power on the port. Power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the switch or port power budget. (Default: Enabled) • Priority – Sets the power priority for the port. (Options: low, high, or critical; Default: low) • Power Allocation – Sets the power budget for the port.
Configuring the Switch Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. Setting Static Addresses A static address can be assigned to a specific interface on this switch.
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
Displaying the Address Table
The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
Configuring the Switch Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-71 Displaying the MAC Dynamic Address Table CLI – This example also displays the address table entries for port 1.
Address Table Settings Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-630 seconds; Default: 300 seconds) Web – Click Address Table, Address Aging. Specify the new aging time, click Apply. Figure 3-72 Setting the Aging Time CLI – This example sets the aging time to 400 seconds.
Configuring the Switch Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Spanning Tree Algorithm Configuration isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing. One or more VLANs can be grouped into a Multiple Spanning Tree Instance (MSTI). MSTP builds a separate Multiple Spanning Tree (MST) for each instance to maintain connectivity among each of the assigned VLAN groups.
Configuring the Switch Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
Spanning Tree Algorithm Configuration • VLANs configuration – VLANs assigned to the CIST. • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. • Root Hello Time – Interval (in seconds) at which this device transmits a configuration message.
CLI – This command displays global STA settings, followed by settings for each port.
Console#show spanning-tree
Spanning Tree Information
--------------------------------------------------------------
Spanning Tree Mode: MSTP
Spanning Tree Enabled/Disabled: Enabled
Instance: 0
VLANs Configuration: 1-4094
Priority: 32768
Bridge Hello Time (sec.): 2
Bridge Max Age (sec.): 20
Bridge Forward Delay (sec.): 15
Root Hello Time (sec.): 2
Root Max Age (sec.): 20
Root Forward Delay (sec.
Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
address will then become the root device. (Note that lower numeric values indicate higher priority.)
- Default: 32768
- Range: 0-61440, in steps of 4096
- Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
Root Device Configuration
• Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
- Default: 2
- Minimum: 1
- Maximum: The lower of 10 or [(Max.
Configuration Settings for MSTP
• Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 9)
• Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
• Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
• Region Name – The name for this MSTI.
Configuring the Switch Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
Spanning Tree Algorithm Configuration CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
Configuring the Switch • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-148.
Spanning Tree Algorithm Configuration These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. • External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) • Internal path cost – The path cost for the MST.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 Information
-------------------------------------------------------------
Admin Status: Enabled
Role: Disabled
State: Discarding
External Admin Path Cost: 0
Internal Admin Path Cost: 0
External Oper Path Cost: 2000000
Internal Oper Path Cost: 2000000
Priority: 128
Designated Cost: 0
Designated Port: 128.5
Designated Root: 32768.0.0016B6F03BEC
Designated Bridge: 32768.0.
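To make the root-election rules (lowest priority wins, ties broken by lowest MAC; priority 0-61440 in steps of 4096) and the `show spanning-tree` output format concrete, here is an added Python example that is not part of the Accton guide. It parses output in the format shown on this page into per-port fields and then checks, as a defender would, that every port's Designated Root is the root bridge you intended; the sample output is constructed, and the expected root MAC and helper names are assumptions.

```python
import re
from typing import Dict, List, Tuple

BridgeId = Tuple[int, int, int]  # (priority, system-ID extension, MAC as int)

# The guide prints bridge IDs as <priority>.<ext>.<MAC>, e.g. 32768.0.0016B6F03BEC
_BRIDGE_ID_RE = re.compile(r"^(\d+)\.(\d+)\.([0-9A-Fa-f]{12})$")

# Constructed sample in the format of the guide's `show spanning-tree` output.
SAMPLE_OUTPUT = """\
Spanning Tree Information
--------------------------------------------------------------
Spanning Tree Mode: MSTP
Spanning Tree Enabled/Disabled: Enabled
Instance: 0
VLANs Configuration: 1-4094
Priority: 32768
Bridge Hello Time (sec.): 2
Bridge Max Age (sec.): 20
Bridge Forward Delay (sec.): 15
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin Status: Enabled
Role: Designate
State: Forwarding
Priority: 128
Designated Port: 128.1
Designated Root: 32768.0.0016B6F03BEC
Designated Bridge: 32768.0.0016B6F03BEC
--------------------------------------------------------------
Eth 1/ 5 Information
--------------------------------------------------------------
Admin Status: Enabled
Role: Disabled
State: Discarding
Priority: 128
Designated Port: 128.5
Designated Root: 32768.0.0016B6F03BEC
Designated Bridge: 32768.0.0016B6F03BEC
"""


def parse_bridge_id(text: str) -> BridgeId:
    """Parse the guide's '<priority>.<ext>.<MAC>' bridge-ID string."""
    m = _BRIDGE_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a bridge ID: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16)


def valid_bridge_priority(priority: int) -> bool:
    """Bridge priority must be 0-61440 in steps of 4096 (guide's stated range)."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def elect_root(candidates: List[BridgeId]) -> BridgeId:
    """Root election: lowest priority wins; equal priorities fall back to the
    lowest MAC address. Priority and extension form the upper 16 bits of the ID."""
    return min(candidates, key=lambda b: (b[0] + b[1], b[2]))


def parse_show_spanning_tree(output: str) -> Dict[str, Dict[str, str]]:
    """Split the output into a 'global' section plus one section per port
    (keyed like '1/5'). Values are kept as the strings the switch printed."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = sections["global"]
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or separator rule
        port = re.match(r"^Eth\s+(\d+)/\s*(\d+)\s+information$", line, re.I)
        if port:
            current = sections.setdefault(f"{port.group(1)}/{port.group(2)}", {})
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return sections


def audit_root(sections: Dict[str, Dict[str, str]], expected_root_mac: str) -> List[str]:
    """Defender check: the local priority must be a legal value, and every port
    must report the intended root bridge, not an unplanned one (an unexpected
    root with a lower priority would silently re-route the whole tree)."""
    findings: List[str] = []
    expected = int(expected_root_mac, 16)
    prio = int(sections["global"].get("Priority", "-1"))
    if not valid_bridge_priority(prio):
        findings.append(f"global: bridge priority {prio} is not a legal STA value")
    for name, attrs in sections.items():
        if name == "global" or "Designated Root" not in attrs:
            continue
        root = attrs["Designated Root"]
        if parse_bridge_id(root)[2] != expected:
            findings.append(f"port {name}: designated root {root} is not the expected "
                            f"root ({expected_root_mac}); check for an unplanned root bridge")
    return findings


if __name__ == "__main__":
    parsed = parse_show_spanning_tree(SAMPLE_OUTPUT)
    for finding in audit_root(parsed, "0016B6F03BEC") or ["root bridge as expected"]:
        print(finding)
```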
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
Table 3-3 Default STA Path Costs
Port Type – Link Type – IEEE 802.1w-2001
Ethernet – Half Duplex – 2,000,000
Ethernet – Full Duplex – 1,000,000
Ethernet – Trunk – 500,000
Fast Ethernet – Half Duplex – 200,000
Fast Ethernet – Full Duplex – 100,000
Fast Ethernet – Trunk – 50,000
Gigabit Ethernet – Full Duplex – 10,000
Gigabit Ethernet – Trunk – 5,000
• Admin Link Type – The link type attached to this interface.
- Point-to-Point – A connection to exactly one other bridge.
- Shared – A connection to two or more bridges.
Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-76 STA Port Configuration CLI – This example sets STA attributes for port 7.
Configuring the Switch To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings. Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) • Priority – The priority of a spanning tree instance.
CLI – This displays STA settings for instance 1, followed by settings for each port.
Console#show spanning-tree mst 1
Spanning-tree information
--------------------------------------------------------------
Spanning Tree Mode: MSTP
Spanning Tree Enabled/Disabled: Enabled
Instance: 1
VLANs Configuration: 1
Priority: 32768
Bridge Hello Time (sec.): 2
Bridge Max Age (sec.): 20
Bridge Forward Delay (sec.): 15
Root Hello Time (sec.): 2
Root Max Age (sec.
Configuring the Switch Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Field Attributes MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0) The other attributes are described under “Displaying Interface Settings,” page 3-145. Web – Click Spanning Tree, MSTP, Port Information or Trunk Information.
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin Status: Enabled
Role: Designate
State: Forwarding
External Admin Path Cost: 0
Internal Admin Path Cost: 0
External Oper Path Cost: 100000
Internal Oper Path Cost: 100000
Priority: 128
Designated Cost: 0
Designated Port: 128.1
Designated Root: 32768.0.0016B6F03BEC
Designated Bridge: 32768.0.
Configuring the Switch Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. - Default: 128 - Range: 0-240, in steps of 16 • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.
VLAN Configuration VLAN Configuration Overview In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks. This also provides a more secure and cleaner network environment. An IEEE 802.
Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging.
(Figure: tagged frames pass between VLAN-aware (VA) devices; frames are sent untagged to a VLAN-unaware (VU) host.)
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways.
VLAN Configuration these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
Configuring the Switch Enabling or Disabling GVRP (Global Setting) GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network. GVRP must be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. (Default: Disabled) Web – Click VLAN, 802.
CLI – Enter the following command.
Console#show bridge-ext
Max support VLAN numbers: 256
Max support VLAN ID: 4094
Extended multicast filtering services: No
Static entry individual port: Yes
VLAN learning: IVL
Configurable PVID tagging: Yes
Local VLAN capable: No
Traffic classes: Enabled
Global GVRP status: Disabled
GMRP: Disabled
Console#
Displaying Current VLANs
The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging.
Configuring the Switch Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members.
VLAN Configuration • Add – Adds a new VLAN group to the current list. • Remove – Removes a VLAN group from the current list. If any port is assigned to this group as untagged, it will be reassigned to VLAN group 1 as untagged. Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-79 Creating Virtual LANs CLI – This example creates a new VLAN.
Adding Static Members to VLANs (VLAN Index)
Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
Notes: 1.
VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply. Figure 3-80 VLAN Static Table - Adding Static Members CLI – The following example adds tagged and untagged ports to VLAN 2.
Configuring the Switch Web – Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk). Click Query to display membership information for the interface. Select a VLAN ID, and then click Add to add the interface as a tagged member, or click Remove to remove the interface. After configuring VLAN membership for each interface, click Apply.
VLAN Configuration all other VLANs, the PVID must be defined first, then the status of the VLAN can be configured as a tagged or untagged member. • Acceptable Frame Type – Sets the interface to accept all frame types, including tagged or untagged frames, or only tagged frames. When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply. Figure 3-82 Configuring VLAN Ports CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
VLAN Configuration To configure primary/secondary associated groups, follow these steps: 1. Use the Private VLAN Configuration menu to designate one or more community VLANs, and the primary VLAN that will channel traffic outside of the VLAN groups. 2. Use the Private VLAN Association menu to map the secondary (i.e., community) VLAN(s) to the primary VLAN. 3. Use the Private VLAN Port Configuration menu to set the port type to promiscuous (i.e.
CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.
CLI – This example configures VLAN 5 as a primary VLAN, and VLAN 6 as a community VLAN.
Console(config)#vlan database
Console(config-vlan)#private-vlan 5 primary
Console(config-vlan)#private-vlan 6 community
Console(config-vlan)#
Associating Private VLANs
Each community VLAN must be associated with a primary VLAN.
Command Attributes
• Primary VLAN ID - ID of primary VLAN (2-4094).
• Association - Community VLANs associated with the selected primary VLAN.
Configuring the Switch Displaying Private VLAN Interface Information Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interface associated with private VLANs. Command Attributes • Port/Trunk - The switch interface. • PVLAN Port Type - Displays private VLAN port types. - Normal – The port is not configured in a private VLAN.
VLAN Configuration Configuring Private VLAN Interfaces Use the Private VLAN Port Configuration and Private VLAN Trunk Configuration menus to set the private VLAN interface type, and assign the interfaces to a private VLAN. Command Attributes • Port/Trunk - The switch interface. • PVLAN Port Type - Sets private VLAN port types. - Normal – The port is not assigned in a private VLAN. - Host – The port is a community port.
CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.
VLAN Configuration Web – Click VLAN, Protocol VLAN, Configuration. Figure 3-88 Protocol VLAN Configuration Configuring the Protocol VLAN System Use the Protocol VLAN System Configuration menu to map a Protocol VLAN Group to a VLAN. Command Attributes • Protocol Group ID - Protocol Group ID assigned to the Protocol VLAN Group. (Range: 1-2147483647) • VLAN ID - VLAN to which matching protocol traffic is forwarded. (Range: 1-4094) Web – Click VLAN, Protocol VLAN, System Configuration.
Configuring the Switch Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
Link Layer Discovery Protocol When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. • Notification Interval – Configures the allowed interval for sending SNMP notifications about LLDP MIB changes. (Range: 5-3600 seconds; Default: 5 seconds) This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
Configuring the Switch CLI – This example shows the setting of the transmit interval to 60 seconds, the transmit delay to 10 seconds, the hold time to 10 seconds, the reinitialization delay to 10 seconds, and the notification interval to 30 seconds.
Link Layer Discovery Protocol address should be the MAC address for the CPU or for the port sending this advertisement. The management address TLV may also include information about the specific interface associated with this address, and an object identifier indicating the type of hardware component or protocol entity associated with this address.
Configuring the Switch Web – Click LLDP, Port/Trunk Configuration. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, select the information to advertise in LLDP messages, select the information to advertise in MED-TLV messages and specify whether or not to send MED notifications. Then click Apply.
Link Layer Discovery Protocol Displaying LLDP Local Device Information Use the LLDP Local Device Information screen to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information. Web – Click LLDP, Local Information. Figure 3-91 LLDP Local Device Information CLI – This example displays LLDP information for the local switch.
Configuring the Switch This example displays detailed information for a specific port on the local switch.
Link Layer Discovery Protocol Displaying LLDP Remote Information Details Use the LLDP Remote Information Details screen to display detailed information about an LLDP-enabled device connected to a specific port on the local switch. Web – Click LLDP, Remote Information Details. Select an interface from the drop down lists, and click Query. Figure 3-6 LLDP Remote Information Details CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
Displaying Device Statistics
Use the LLDP Device Statistics screen to display aggregate statistics about all LLDP-enabled devices connected to this switch. Web – Click LLDP, Device Statistics. Figure 3-7 LLDP Device Statistics CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.
Link Layer Discovery Protocol Displaying Detailed Device Statistics Use the LLDP Device Statistics Details screen to display statistics based on traffic received through all attached LLDP-enabled interfaces. Web – Click LLDP, Device Statistics Details. Figure 3-8 LLDP Device Statistics Details CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.
Configuring the Switch Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Class of Service Configuration Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-92 Default Port Priority CLI – This example assigns a default priority of 5 to port 3.
Configuring the Switch Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Class of Service Configuration Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-93 Configuring Traffic Classes CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
Configuring the Switch Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
Class of Service Configuration Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-188, the traffic classes are mapped to one of the four egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities).
Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values

This switch supports one method of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet. If priority bits are used, the ToS octet may contain six bits for Differentiated Services Code Point (DSCP) service.

Table 3-3 Mapping DSCP Priority

IP DSCP Value             CoS Value
0                         0
8                         1
10, 12, 14, 16            2
18, 20, 22, 24            3
26, 28, 30, 32, 34, 36    4
38, 40, 42                5
48                        6
46, 56                    7

Command Attributes
• DSCP Priority Table – Shows the DSCP Priority to CoS map.
• Class of Service Value – Maps a CoS value to the selected DSCP Priority value. Note that “0” represents low priority and “7” represents high priority.

Note: IP DSCP settings apply to all interfaces.

CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.

Console(config)#map ip dscp
Console(config)#interface ethernet 1/1
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#end
Console#show map ip dscp ethernet 1/1
 DSCP mapping status: disabled

 Port      DSCP  COS
 --------  ----  ---
 Eth 1/ 1  0     0
 Eth 1/ 1  1     0
 Eth 1/ 1  2     0
 Eth 1/ 1  3     0
 . . .
Quality of Service

Notes:
1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
2. You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen.

Configuring Quality of Service Parameters

To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the “Class Map” to designate a class name for a specific category of traffic.
2.

• Add Class – Opens the “Class Configuration” page. Enter a class name and description on this page, and click Add to open the “Match Class Settings” page. Enter the criteria used to classify ingress traffic on this page.
• Remove Class – Removes the selected class.

Class Configuration
• Class Name – Name of the class map.

Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.

Figure 3-98 Configuring Class Maps

CLI – This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.

Creating QoS Policies

This function creates a policy map that can be attached to multiple interfaces.

Command Usage
• To configure a Policy Map, follow these steps:
 - Create a Class Map as described on page 3-195.
 - Open the Policy Map page, and click Add Policy.
 - When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add.
 - When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).

• Back – Returns to the previous page without making any changes.

Policy Rule Settings - Class Settings
• Class Name – Name of the class map.
• Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-195).
• Meter – The maximum throughput and burst rate.
 - Rate (kbps) – Rate in kilobits per second.
 - Burst (bytes) – Burst in bytes.

Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map, click Add Policy. To configure the policy rule settings, click Edit Classes.

CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
Multicast Filtering

Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.

Layer 2 IGMP (Snooping and Query)

IGMP Snooping and Query — If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and IGMP Query (page 3-204) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic. When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports.

Static IGMP Host Interface — For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-210).

Configuring IGMP Snooping and Query Parameters

You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.

• IGMP Query Timeout — The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired. (Range: 300-500 seconds; Default: 300)
• IGMP Version — Sets the protocol version for compatibility with other devices on the network. (Range: 1-3; Default: 2)

Notes:
1. All systems on the subnet must support the same version.
2.

Enabling IGMP Immediate Leave

The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the immediate-leave function is enabled for the parent VLAN. This allows the switch to remove a port from the multicast forwarding table without first having to send an IGMP group-specific query to that interface.

Displaying Interfaces Attached to a Multicast Router

Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.

Specifying Static Interfaces for a Multicast Router

Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.

Displaying Port Members of Multicast Services

You can display the port members associated with a specified VLAN and multicast service.

Command Attributes
• VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4094)
• Multicast IP Address – The IP address for a specific multicast service.
• Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.

Assigning Ports to Multicast Services

Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-204. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
Multicast VLAN Registration

CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.

Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12
Console(config)#exit
Console#show mac-address-table multicast vlan 1
 VLAN  M'cast IP addr.  Member ports  Type
 ----  ---------------  ------------  ------
 1     224.1.1.12       Eth1/12       USER
 1     224.1.2.

General Configuration Guidelines for MVR
1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings” on page 3-212).
2. Set the interfaces that will join the MVR as source ports or receiver ports (see “Configuring MVR Interfaces” on page 3-216).
3.

Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply.

Figure 3-107 MVR Global Configuration

CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.

Console(config)#ip igmp snooping
Console(config)#mvr
Console(config)#mvr group 228.1.23.

Displaying MVR Interface Status

You can display information about the interfaces attached to the MVR VLAN.

Field Attributes
• Type – Shows the MVR port type.
• Oper Status – Shows the link status.
• MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.

Displaying Port Members of Multicast Groups

You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration.

Field Attributes
• Group IP – Multicast groups assigned to the MVR VLAN.
• Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.

Web – Click MVR, Group IP Information.

Configuring MVR Interfaces

Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.

Command Usage
• A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.

• Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.)
• Trunk – Shows if the port is a trunk member.

Web – Click MVR, Port or Trunk Configuration.

Figure 3-110 MVR Port Configuration

CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.

Command Attributes
• Interface – Indicates a port or trunk.
• Member – Shows the IP addresses for MVR multicast groups which have been statically assigned to the selected interface.
• Non-Member – Shows the IP addresses for all MVR multicast groups which have not been statically assigned to the selected interface.

Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups.
Switch Clustering

Switch Clustering is a method of grouping switches together for centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.

Command Usage
• A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster.

• Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members.

Web – Click Cluster, Configuration.

Figure 3-112 Cluster Configuration

CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool.

Console(config)#cluster
Console(config)#cluster commander
Console(config)#cluster ip-pool 10.2.3.

Cluster Member Configuration

Adds Candidate switches to the cluster as Members.

Command Attributes
• Member ID – Specify a Member ID number for the selected Candidate switch. (Range: 1-36)
• MAC Address – Select a discovered switch MAC address from the Candidate Table, or enter a specific MAC address of a known switch.

Web – Click Cluster, Member Configuration.

Cluster Member Information

Displays current cluster Member switch information.

Command Attributes
• Member ID – The ID number of the Member switch. (Range: 1-36)
• Role – Indicates the current status of the switch in the cluster.
• IP Address – The internal cluster IP address assigned to the Member switch.
• MAC Address – The MAC address of the Member switch.
• Description – The system description string of the Member switch.

Web – Click Cluster, Member Information.

Cluster Candidate Information

Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.

Command Attributes
• Role – Indicates the current status of Candidate switches in the network.
• MAC Address – The MAC address of the Candidate switch.
• Description – The system description string of the Candidate switch.

Web – Click Cluster, Candidate Information.
UPnP

Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards. The first step in UPnP networking is discovery. When a device is added to the network, the UPnP discovery protocol allows that device to broadcast its services to control points on the network.

UPnP Configuration

The UPnP Configuration page allows you to enable or disable UPnP, and to set advertisement and time out values.

Command Attributes
• UPNP Status – Enables UPnP on the device. (Default: Disabled)
• Advertising Duration – The duration for which a device will advertise its status to the control point. (Range: 60-86400 seconds; Default: 100 seconds)
• TTL Value – Sets the time-to-live (TTL) value for UPnP messages transmitted by this device.
Chapter 4: Command Line Interface

This chapter describes how to use the Command Line Interface (CLI).

Using the Command Line Interface

Accessing the CLI

When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.

Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example:

Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.

Entering Commands

This section describes how to enter CLI commands.

Keywords and Arguments

A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.

Showing Commands

If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, or VLAN Database). You can also display a list of valid keywords for a specific command.

Partial Keyword Lookup

If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and the question mark.) For example, “s?” shows all the keywords starting with “s.”

Understanding Command Modes

The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.

Username: guest
Password: [guest login password]

 CLI session with the ES4524M-PoE is opened.
 To end the CLI session, enter [Exit].

Console#enable
Password: [privileged level password]
Console#

Configuration Commands

Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted.

Table 4-2 Configuration Commands (Continued)

Mode        Command                                               Prompt                 Page
Interface   interface {ethernet port | port-channel id | vlan id}   Console(config-if)#    4-135
MSTP        spanning-tree mst-configuration                       Console(config-mstp)   4-176
Policy Map  policy map                                            Console(config-pmap)   4-246
VLAN        vlan database                                         Console(config-vlan)   4-194

For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode.

Command Groups

The system commands can be broken down into the functional groups shown below.

The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
VC (VLAN Database Configuration)

General Commands

These commands are used to control the command access mode, configuration mode, and other basic functions.
Command Mode
Normal Exec

Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-77.)
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.

configure

This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. (See “Understanding Command Modes” on page 4-6.)

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).

Console#!2
Console#config
Console(config)#

reload

This command restarts the system.

Example
Console(config)#prompt RD2
RD2(config)#

end

This command returns to Privileged Exec mode.

Default Setting
None

Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.

Command Mode
Normal Exec, Privileged Exec

Command Usage
The quit and exit commands can both exit the configuration program.

Example
This example shows how to quit a CLI session:

Console#quit
Press ENTER to start session
User Access Verification
Username:

System Management Commands

These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.

hostname

This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)

Default Setting
None

Command Mode
Global Configuration

Example
Console(config)#hostname RD#1
Console(config)#

System Status Commands

This section describes commands used to display system information.

• This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.

show running-config

This command displays the configuration information currently in use.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes.

!
snmp-server community public ro
snmp-server community private rw
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
VLAN database
 VLAN 1 name DefaultVlan media ethernet state active
 VLAN 4093 media ethernet state active
!
spanning-tree MST configuration
!
interface VLAN 1
 IP address DHC
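The running-config output above is what an operator should review before a switch goes into service: it carries the factory-default SNMP community strings (public/private) and, after "password 7", 32-hex-digit values that are unsalted MD5 digests of the password text (the three shown are the digests of "admin", "guest" and "super", the guide's default enable password). As an added example, not from the guide and not the switch's own tooling, the following audit flags those defaults in a saved capture so they can be changed; the sample capture is constructed from the fragment above, and treating "admin" and "guest" as the default login passwords is an assumption.

```python
import hashlib
import re

# Constructed sample capture, modelled on the show running-config fragment
# in this guide (only the credential-bearing lines are reproduced).
SAMPLE_RUNNING_CONFIG = """\
!
snmp-server community public ro
snmp-server community private rw
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
"""

# Factory defaults documented in this guide: community strings public/private
# and the enable password "super". ASSUMPTION: the default login passwords
# for the admin and guest accounts equal the user names.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_PASSWORDS = {"admin", "guest", "super"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)\s*$")
USER_PW_RE = re.compile(r"^username (\S+) password 7 ([0-9a-f]{32})\s*$")
ENABLE_PW_RE = re.compile(r"^enable password level (\d+) 7 ([0-9a-f]{32})\s*$")


def md5_hex(text):
    """Unsalted MD5 digest, the form the 'password 7' values take."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def audit_running_config(config_text):
    """Return a list of (line_number, finding) tuples. A finding is either a
    default SNMP community string, or an account whose stored digest equals
    the MD5 of a documented factory-default password."""
    default_digests = {md5_hex(p): p for p in DEFAULT_PASSWORDS}
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = COMMUNITY_RE.match(line)
        if m and m.group(1) in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default SNMP community '%s' with %s access"
                             % (m.group(1), m.group(2))))
            continue
        m = USER_PW_RE.match(line)
        if m and m.group(2) in default_digests:
            findings.append((lineno, "user '%s' still has the factory-default password"
                             % m.group(1)))
            continue
        m = ENABLE_PW_RE.match(line)
        if m and m.group(2) in default_digests:
            findings.append((lineno, "enable password for level %s is the factory default"
                             % m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_running_config(SAMPLE_RUNNING_CONFIG):
        print("line %d: %s" % (lineno, finding))
```

Because the digests are unsalted, anyone who can read the configuration (a TFTP backup, a captured copy session) can test it against a password list offline, so the mitigation is to replace every default before connecting the switch and to keep configuration backups as tightly controlled as the passwords themselves.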
Example
Console#show system
System Description: 24-port 10/100/1000 + 2-port mini-GBIC Gigabit PoE Switch
System OID String: 1.3.6.1.4.1.259.8.1.7
System Information
 System Up Time: 0 days, 0 hours, 7 minutes, and 48.

Example
Console#show users
Username Accounts:
 Username  Privilege  Public-Key
 --------  ---------  ----------
 admin     15         None
 guest     0          None
 steve     15         RSA

Online users:
 Line         Username  Idle time (h:m:s)  Remote IP addr.
 -----------  --------  -----------------  ---------------
 0 console    admin     0:14:14            *
 1 VTY 0      admin     0:00:00            192.168.1.19
 2 SSH 1      steve     0:00:06            192.168.1.19

Web online users:
 Line  Remote IP addr  Username  Idle time (h:m:s).
Frame Size Commands

This section describes commands used to configure the Ethernet frame size on the switch.

Table 4-9 Frame Size Commands
Command       Function                           Mode  Page
jumbo frame   Enables support for jumbo frames   GC    4-22

jumbo frame

This command enables support for jumbo frames. Use the no form to disable it.

File Management Commands

Managing Firmware

Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.

copy

This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.

• The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
• For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” on page 3-58. For information on configuring the switch to use HTTPS/SSL for a secure connection, see “ip http server” on page 4-86.

The following example shows how to download a configuration file:

Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:

Console#copy tftp https-certificate
TFTP server ip address: 10.

Command Mode
Privileged Exec

Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.

Example
This example shows how to delete the test2.cfg configuration file from flash memory.

Console#delete test2.cfg
Console#

Related Commands
dir (4-27)
delete public-key (4-94)

dir

This command displays a list of files in flash memory.

Example
The following example shows how to display all file information.

Console#dir
 File name                    File type         Startup  Size (byte)
 ---------------------------  ----------------  -------  -----------
 Unit1:
   diag.bix                   Boot-Rom Image    Y        1286876
   es4524m-poe_fw1005.bix     Operation Code    Y        3489580
   Factory_Default_Config.cfg Config File       N        455
   startup1.

Command Mode
Global Configuration

Command Usage
• A colon (:) is required after the specified file type.
• If the file contains an error, it cannot be set as the default file.

Example
Console(config)#boot system config: startup
Console(config)#

Related Commands
dir (4-27)
whichboot (4-28)

Line Commands

You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.

line

This command identifies a specific line for configuration and is used to process subsequent line configuration commands.

Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
There is no default line.

Command Mode
Global Configuration

Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
Command Usage
• There are three authentication modes provided by the switch itself at login:
 - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
 - login local selects authentication via the user name and password specified by the username command (i.e., default setting).

Command Usage
• When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
• The encrypted password is required for compatibility with legacy password settings (i.e.

Example
To set the timeout to two minutes, enter this command:

Console(config-line)#timeout login response 120
Console(config-line)#

exec-timeout

This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.

Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the number of seconds.

Default Setting
The default value is three attempts.

Command Mode
Line Configuration

Command Usage
• When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
• This command applies to both the local console and Telnet connections.

databits

This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.

Syntax
databits {7 | 8}
no databits
• 7 - Seven data bits per character.
• 8 - Eight data bits per character.

Default Setting
8 data bits per character

Command Mode
Line Configuration

Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.

Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.

Example
To specify no parity, enter this command:

Console(config-line)#parity none
Console(config-line)#

speed

This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.

stopbits

This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.

Syntax
stopbits {1 | 2}
• 1 - One stop bit
• 2 - Two stop bits

Default Setting
1 stop bit

Command Mode
Line Configuration

Example
To specify 2 stop bits, enter this command:

Console(config-line)#stopbits 2
Console(config-line)#

disconnect

Use this command to terminate an SSH, Telnet, or console connection.

show line

This command displays the terminal line’s parameters.

Syntax
show line [console | vty]
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
4 System Management Commands Event Logging Commands This section describes commands used to configure event logging on the switch Table 4-13 Event Logging Commands Command Function Mode logging on Controls logging of error messages GC Page 4-39 logging history Limits syslog messages saved to switch memory based on severity GC 4-40 logging host Adds a syslog server host IP address that will receive logging messages GC 4-41 logging facility Sets the facility type for remote logging of syslog
4 Command Line Interface logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). • level - One of the levels listed below.
4 System Management Commands logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode Global Configuration Command Usage • Use this command more than once to build up a list of host IP addresses. • The maximum number of host IP addresses allowed is five.
4 Command Line Interface logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging. Syntax logging trap [level] no logging trap level - One of the level arguments listed below. Messages sent include the selected level up through level 0. (Refer to the table on page 4-40.
System Management Commands 4 Related Commands show log (4-44) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} • flash - Displays settings for storing event messages in flash memory (i.e., permanent memory). • ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
The following example displays settings for the trap function.
Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.
Example
The following example shows the event messages stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
    "VLAN 1 link-up notification."
    level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
    "Unit 1, Port 1 link-up notification."
    level: 6, module: 5, function: 1, and event no.: 1
Console#

SMTP Alert Commands
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
• To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.)
Example
Console(config)#logging sendmail host 192.168.1.
Command Mode
Global Configuration
Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Example
Console(config)#logging sendmail
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
192.168.1.19
SMTP minimum severity level: 7
SMTP destination email addresses
-----------------------------------------------
ted@this-company.com
SMTP source email address: bill@this-company.
sntp client
This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests.
Syntax
[no] sntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The time acquired from time servers is used to record accurate dates and times for log events.
sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.
Syntax
sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP). (Range: 1 - 3 addresses)
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode.
Example
Console(config)#sntp poll 60
Console#
Related Commands
sntp client (4-49)

show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
Command Usage
This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth's prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
show calendar
This command displays the system clock.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show calendar
15:12:34 February 1 2002
Console#

Switch Cluster Commands
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit.
Note: Cluster Member switches can be managed only through a Telnet connection to the Commander. From the Commander CLI prompt, use the "rcommand" command (see page 4-56) to connect to the Member switch.

cluster
This command enables clustering on the switch. Use the no form to disable clustering.
Command Usage
• Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These "Candidate" switches only become cluster Members when manually selected by the administrator through the management station.
• Cluster Member switches can be managed only through a Telnet connection to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch.
cluster member
This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
Syntax
cluster member mac-address id
no cluster member mac-address
• mac-address - The MAC address of the Candidate switch.
• id - The ID number to assign to the Member switch.
Example
Console#rcommand id 1
CLI session with the SMC8124PL2 is opened.
To end the CLI session, enter [Exit].
Console#

show cluster
This command shows the switch clustering configuration.
Command Mode
Privileged Exec
Example
Console#show cluster
Role: commander
Interval heartbeat: 30
Heartbeat loss count: 3
Number of Members: 1
Number of Candidates: 2
Console#

show cluster members
This command shows the current switch cluster members.
Example
Console#show cluster candidates
Cluster Candidates:
Role           Mac                Description
-------------  -----------------  --------------------------------
ACTIVE MEMBER  00-12-cf-23-49-c0  SMC8124PL2
CANDIDATE      00-12-cf-0b-47-a0  SMC8124PL2
Console#

UPnP Commands
Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks.
upnp device ttl
This command sets the time-to-live (TTL) value for sending of UPnP messages from the switch.
Syntax
upnp device ttl {value}
value - The number of router hops a UPnP packet can travel before it is discarded. (Range: 1-255)
Default Setting
4
Command Mode
Global Configuration
Command Usage
UPnP devices and control points must be within the local network, that is, within the TTL value for multicast messages.
Example
The following example sets the TTL to 6 hops.
show upnp
This command displays the UPnP operational status and time out settings.
Command Mode
Privileged Exec
Example
Console#show upnp
UPnP global settings:
 Status:             Enabled
 Advertise duration: 200
 TTL:                20
Console#

SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
SNMP Commands 4

Table 4-21 SNMP Commands (Continued)
Command           Function                         Mode  Page
snmp-server user  Adds a user to an SNMPv3 group   GC    4-73
show snmp user    Shows the SNMPv3 users           PE    4-74

snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Example
Console#show snmp
SNMP Agent: Enabled
SNMP Traps:
 Authentication: Enabled
 Link-up-down: Enabled
SNMP Communities:
 1. public, and the privilege is read-only
 2.
Default Setting
• public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - Read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
Command Mode
Global Configuration
Example
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
snmp-server location
This command sets the system location string. Use the no form to remove the location string.
Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location.
• version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
 - auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See "Simple Network Management Protocol" on page 3-37 for further information about these authentication and encryption options.
• port - Host UDP port to use.
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 4-61).
2. Allow the switch to send SNMP traps; i.e., notifications (page 4-66).
3. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
4. Create a view with the required notification messages (page 4-69).
5. Create a group that includes the required notify view (page 4-71).
6.
Command Usage
• If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
Command Usage
• An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
• A remote engine ID is required when using SNMPv3 informs. (See snmp-server host on page 4-64.
Table 4-22 show snmp engine-id - display description
Field                   Description
Local SNMP engineID     String identifying the local engine ID.
Local SNMP engineBoots  The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Remote SNMP engineID    String identifying an engine ID on a remote device.
IP address              IP address of the device containing the corresponding remote SNMP engine.
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#

show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.
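To make the subtree and wildcard semantics concrete, the following is an added example (it is not code from this guide or from the switch firmware) that decides whether an OID falls inside a view assembled from included and excluded subtrees. It assumes the matching rules of the SNMP View-based Access Control Model (RFC 3415): an OID matches a view entry when it is at least as long as the entry's subtree and every non-wildcard sub-identifier agrees, and when several entries match, the longest subtree decides. The guide's trailing `*` is treated as a wildcard sub-identifier, and the view contents below are constructed for the demonstration.

```python
"""Added example: evaluate SNMP view membership with wildcard subtrees (RFC 3415 style)."""


def parse_subtree(text):
    # "1.3.6.1.2.1.2.2.1.1.*" -> [1, 3, 6, 1, 2, 1, 2, 2, 1, 1, "*"]
    return [part if part == "*" else int(part) for part in text.split(".")]


def parse_oid(text):
    return [int(part) for part in text.split(".")]


def subtree_matches(oid, subtree):
    """An OID matches a view entry if it is at least as long as the entry's subtree
    and every non-wildcard sub-identifier of the subtree agrees with the OID."""
    if len(oid) < len(subtree):
        return False
    return all(s == "*" or s == o for s, o in zip(subtree, oid))


def oid_in_view(oid_text, view):
    """view: ordered list of (subtree_text, "included" | "excluded") entries, as built with
    successive 'snmp-server view NAME SUBTREE {included | excluded}' commands.
    Returns True if access to the OID is permitted by the view."""
    oid = parse_oid(oid_text)
    best = None  # (subtree, type) of the most specific matching entry so far
    for subtree_text, view_type in view:
        subtree = parse_subtree(subtree_text)
        if subtree_matches(oid, subtree) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, view_type)
    return best is not None and best[1] == "included"


# Constructed views for the demonstration (not taken from the guide).
IF_ENTRY_VIEW = [("1.3.6.1.2.1.2.2.1.1.*", "included")]   # ifIndex column of ifTable, all rows
MIB2_NO_IP_VIEW = [("1.3.6.1.2.1", "included"),            # all of mib-2 ...
                   ("1.3.6.1.2.1.4", "excluded")]          # ... except the ip group
```

The longest-match rule is what makes the excluded entry in `MIB2_NO_IP_VIEW` win over the broader included one for anything under the ip group, which is how a read view can expose most of mib-2 while hiding routing and ARP tables.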
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Syntax
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
• groupname - Name of an SNMP group. (Range: 1-32 characters)
• v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
show snmp group
Four default groups are provided: SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Table 4-24 show snmp group - display description (Continued)
Field         Description
readview      The associated read view.
writeview     The associated write view.
notifyview    The associated notify view.
storage-type  The storage type for this entry.
Row Status    The row status of this entry.

snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read and Write View. Use the no form to remove a user from an SNMP group.
• Before you configure a remote user, use the snmp-server engine-id command (page 4-67) to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent's SNMP engine ID is used to compute authentication/privacy digests from the user's password.
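The two passages above (the engine-ID usage note and the remote-user note) both describe the same mechanism: an SNMPv3 password is never used directly; it is first hashed into a key and then "localized" with the engine ID of the agent it will be used against, so a key captured from one device cannot be replayed against another. The following added example (not code from this guide or from the switch) implements that derivation as specified in RFC 3414, and the sample password and engine ID are the ones from the RFC's own test vectors; the second engine ID is constructed for the demonstration.

```python
"""Added example: RFC 3414 password-to-key and key localization with an SNMP engine ID."""
import hashlib

MEGABYTE = 1024 * 1024


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: hash the password repeated (and truncated) to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    if not password:
        raise ValueError("password must not be empty")
    repeats = MEGABYTE // len(password) + 1
    stream = (password * repeats)[:MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the result is only valid for this one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full derivation: password -> Ku -> Kul for the given engine (md5 for HMAC-MD5-96,
    sha1 for HMAC-SHA-96; the privacy key is derived the same way)."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# RFC 3414 Appendix A.3 inputs: password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02.
SAMPLE_PASSWORD = b"maplesyrup"
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed second engine ID (RFC 3411 format byte 0x80, enterprise 9, MAC-address style).
OTHER_ENGINE_ID = bytes.fromhex("800000090300123456789abc")
```

Because the localized key depends on the engine ID, the `snmp-server engine-id remote` value configured on the switch must match the remote agent's real engine ID exactly, or every authenticated message to that agent will fail the HMAC check even though the password is correct.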
4 Authentication Commands

Table 4-25 show snmp user - display description (Continued)
Field                    Description
Authentication Protocol  The authentication protocol used with SNMPv3.
Privacy Protocol         The privacy protocol used with SNMPv3.
Storage Type             The storage type for this entry.
Row Status               The row status of this entry.
SNMP remote user         A user associated with an SNMP engine on a remote device.
username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
Syntax
username name {access-level level | no password | password {0 | 7} password}
no username name
• name - The name of the user. (Maximum length: 8 characters, case sensitive.
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Syntax
enable password [level level] {0 | 7} password
no enable password [level level]
• level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Related Commands
username - for setting the local user names and passwords (4-76)

authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-10). Use the no form to restore the default.
Syntax
authentication enable {[local] [radius] [tacacs]}
no authentication enable
• local - Use local password only.
• radius - Use RADIUS server password only.
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Example
Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green
Console(config)#

radius-server port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server port port_number
no radius-server port
port_number - RADIUS server UDP port used for authentication messages.
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number_of_retries
no radius-server retransmit
number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Command Mode
Privileged Exec
Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
 Communication Key with RADIUS Server: *****
 Auth-Port: 1812
 Retransmit Times: 2
 Request Timeout: 5
Server 1:
 Server IP Address: 192.168.1.
Command Mode
Global Configuration
Example
Console(config)#tacacs-server host 192.168.1.25
Console(config)#

tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port_number
no tacacs-server port
port_number - TACACS+ server TCP port used for authentication messages.
Example
Console(config)#tacacs-server key green
Console(config)#

show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS server configuration:
 Server IP address: 10.11.12.
Command Mode
Global Configuration
Example
Console(config)#ip http port 769
Console(config)#
Related Commands
ip http server (4-86)

ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
Command Usage
• Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same TCP port.
• If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]
• When you start HTTPS, the connection is established in this way:
 - The client authenticates the server using the server's digital certificate.
Default Setting
443
Command Mode
Global Configuration
Command Usage
• You cannot configure the HTTP and HTTPS servers to use the same port.
Example
Console(config)#ip telnet server
Console(config)#ip telnet port 123
Console(config)#

Secure Shell Commands
This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair: Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients: Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch generates a random 256-bit string as a challenge, encrypts this string with the client's public key, and sends it to the client.
d.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
Related Commands
ip ssh crypto host-key generate (4-94)
show ssh (4-96)

ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds - The timeout for client response during SSH negotiation.
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count - The number of authentication attempts permitted after which the interface is reset.
delete public-key
This command deletes the specified user's public key.
Syntax
delete public-key username [dsa | rsa]
• username - Name of an SSH user. (Range: 1-8 characters)
• dsa - DSA public key type.
• rsa - RSA public key type.
Default Setting
Deletes both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Example
Console#ip ssh crypto host-key generate dsa
Console#
Related Commands
ip ssh crypto zeroize (4-95)
ip ssh save host-key (4-95)

ip ssh crypto zeroize
This command clears the host key from memory (i.e., RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
• dsa - DSA key type.
• rsa - RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
• This command clears the host key from volatile memory (RAM).
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key dsa
Console#
Related Commands
ip ssh crypto host-key generate (4-94)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - version 1.
Table 4-36 show ssh - display description (Continued)
Field       Description
Username    The user name of the client.
Encryption  The encryption method is automatically negotiated between the client and server.
            Options for SSHv1.5 include: DES, 3DES
            Options for SSHv2.
Example
Console#show public-key host
Host:
RSA:
1024 65537 156849954018676692593339467750546173253136748908365472541502024559319986854435836165199992332978176606583095861082591321289023376546801726272571413428762941301196195566782595664104869574278881462065194174677298486546861571773939016477935594230357741309802273708779454524083971752646358058176716709574804776117
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2HxcYV44sXZ2JXhamLK6P8bvuiyacWbUW/a4P
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
Syntax
[no] dot1x system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dot1x system-auth-control
Console(config)#

dot1x default
This command sets all configurable dot1x global and port settings to their default values.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
• auto - Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
Default
Single-host
Command Mode
Interface Configuration
Command Usage
• The "max-count" parameter specified by this command is only effective if the dot1x mode is set to "auto" by the dot1x port-control command (page 4-105).
• In "multi-host" mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
dot1x re-authentication
This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication.
Syntax
[no] dot1x re-authentication
Command Mode
Interface Configuration
Command Usage
• The re-authentication process verifies the connected client's user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software.
dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.
show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
• statistics - Displays dot1x status for each port.
• interface
 • ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-24)
Command Mode
Privileged Exec
Command Usage
This command displays the following information:
• Global 802.1X Parameters - Shows whether or not 802.
- Max Count - The maximum number of hosts allowed to access this port (page 4-100).
- Port-control - Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 4-100).
- Supplicant - MAC address of authorized client.
- Current Identifier - The integer (0-255) used by the Authenticator to identify the current authentication session.
Example
Console#show dot1x
Global 802.1X Parameters
 system-auth-control: enable

802.1X Port Summary
Port Name  Status    Operation Mode  Mode             Authorized
1/1        disabled  Single-Host     ForceAuthorized  n/a
1/2        disabled  Single-Host     ForceAuthorized  n/a
. . .
1/25       disabled  Single-Host     ForceAuthorized  yes
1/26       enabled   Single-Host     Auto             yes

802.1X Port Details
802.1X is enabled on port 1/1
. . .
802.
Management IP Filter Commands
This section describes commands used to configure IP management access to the switch.
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console#

show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
4 Client Security Commands

This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this section.
port security
This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses.
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
shutdown (4-141)
mac-address-table static (4-166)
show mac-address-table (4-167)

IP Source Guard Commands
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source G
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Source guard is used to filter traffic on an unsecured port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
• Setting source guard mode to "sip" or "sip-mac" enables this function on the selected port.
Example
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
Related Commands
ip source-guard binding (4-113)
ip dhcp snooping (4-115)
ip dhcp snooping vlan (4-117)

ip source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
 - If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
 - If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
Example
This example configures a static source-guard binding on port 5.
Command Mode
Privileged Exec
Example
Console#show ip source-guard binding
MacAddress         IpAddress      Lease(sec)  Type    VLAN  Interface
-----------------  -------------  ----------  ------  ----  ---------
11-22-33-44-55-66  192.168.0.99   0           Static  1     Eth 1/5
Console#

DHCP Snooping Commands
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
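The following added example (not code from this guide or from the switch firmware) models the source-guard binding table and the per-port filter described in the ip source-guard and ip source-guard binding sections above: entries keyed by VLAN and MAC, the replacement rules for a static entry colliding with a static or dynamic one, and the "sip" versus "sip-mac" check applied to an incoming packet. The guide does not say what happens when a dynamic entry is learned for a VLAN/MAC pair that already has a static binding; the example assumes the static entry is kept. The MAC and IP values are constructed.

```python
"""Added example: source-guard binding table with the guide's replacement rules and port filter."""
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str   # "static" (ip source-guard binding) or "dynamic" (learned by DHCP snooping)


class SourceGuardTable:
    def __init__(self):
        self.entries = []

    def _find(self, vlan, mac):
        """Entries are keyed by VLAN ID and MAC address."""
        for index, entry in enumerate(self.entries):
            if entry.vlan == vlan and entry.mac == mac:
                return index
        return None

    def add_dynamic(self, mac, ip, vlan, port):
        """Entry learned from a DHCP server ACK. Assumption (not stated in the guide):
        a dynamic entry never overwrites an existing static one."""
        index = self._find(vlan, mac)
        if index is not None and self.entries[index].kind == "static":
            return self.entries[index]
        binding = Binding(mac, ip, vlan, port, "dynamic")
        if index is None:
            self.entries.append(binding)
        else:
            self.entries[index] = binding
        return binding

    def add_static(self, mac, ip, vlan, port):
        """'ip source-guard binding': an entry with the same VLAN and MAC is replaced,
        and if it was dynamic its type changes to static."""
        binding = Binding(mac, ip, vlan, port, "static")
        index = self._find(vlan, mac)
        if index is None:
            self.entries.append(binding)
        else:
            self.entries[index] = binding
        return binding

    def permits(self, port, mode, vlan, src_mac, src_ip):
        """Filter an IP packet arriving on 'port', whose source-guard mode is 'disabled',
        'sip' (source IP must be bound to this port) or 'sip-mac' (source IP and MAC must both match)."""
        if mode == "disabled":
            return True
        for entry in self.entries:
            if entry.port == port and entry.vlan == vlan and entry.ip == src_ip:
                if mode == "sip" or entry.mac == src_mac:
                    return True
        return False


def build_demo_table():
    """Constructed scenario: a lease learned by snooping, then overridden by a static binding."""
    table = SourceGuardTable()
    table.add_dynamic("00-11-22-33-44-55", "192.168.0.50", 1, "Eth 1/5")
    table.add_static("00-11-22-33-44-55", "192.168.0.99", 1, "Eth 1/5")
    return table
```

The "sip" mode stops a host on port 5 from sourcing packets with a neighbour's address, which is the attack the usage note describes; "sip-mac" additionally stops it from borrowing the neighbour's MAC along with the IP, at the cost of breaking any host that legitimately changes its MAC without re-requesting a lease.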
Command Mode
Global Configuration
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecured interface from outside the network or firewall.
• If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
• Additional considerations when the switch itself is a DHCP client: the port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (ip dhcp snooping trust, page 4-118). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
• When DHCP snooping is globally enabled, configuration changes for specific VLANs have the following effects:
 - If DHCP snooping is disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
Example
This example enables DHCP snooping for VLAN 1.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#
Related Commands
ip dhcp snooping (4-115)
ip dhcp snooping vlan (4-117)

ip dhcp snooping verify mac-address
This command verifies the client's hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
ip dhcp snooping information option
This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function.
Syntax
[no] ip dhcp snooping information option
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
Related Commands
ip dhcp snooping information policy (4-121)
ip dhcp snooping (4-115)

ip dhcp snooping information policy
This command specifies how to handle client requests which already contain DHCP Option 82 information.
Syntax
ip dhcp snooping information policy {drop | keep | replace}
• drop - Drop the request packet instead of relaying it.
• keep - Retain the Option 82 information in the client request, and unicast the packet to the DHCP server.
Example
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
1
Verify Source Mac-Address: enable
Interface   Trusted
----------  ----------
Eth 1/1     No
Eth 1/2     No
Eth 1/3     No
Eth 1/4     No
Eth 1/5     Yes
. . .

show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.
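The DHCP snooping commands above (trust, verify mac-address, information option and information policy) each add one check to how the switch treats a DHCP packet. The following added example (not code from this guide or from the switch firmware) applies those checks to constructed DHCP packets so the decisions can be seen end to end: server replies arriving on an untrusted port are dropped as rogue, a client request whose chaddr does not match the Ethernet source is dropped when verification is on, and a request that already carries Option 82 is dropped, kept or rewritten according to the policy. The packet builder writes only the fields the checks need; the circuit-ID sub-option value is constructed and stands in for whatever port identifier the switch would insert.

```python
"""Added example: DHCP snooping checks applied to constructed DHCP packets."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MESSAGE_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
# Constructed Option 82 payload: sub-option 1 (circuit ID), 4 bytes, VLAN 1 / port 5.
DEMO_CIRCUIT_ID = b"\x01\x04\x00\x01\x00\x05"


def serialize_options(options):
    return b"".join(bytes([code, len(value)]) + value for code, value in options) + bytes([OPT_END])


def build_dhcp(op, chaddr, options):
    """Minimal BOOTP/DHCP packet: 236-byte fixed header, magic cookie, then TLV options."""
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", op, 1, len(chaddr), 0, b"\x00" * 4, 0, 0,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + serialize_options(options)


def parse_options(pkt):
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = [], 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                     # pad octet
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options.append((code, pkt[i + 2:i + 2 + length]))
        i += 2 + length
    return options


def relay_agent_info(pkt):
    """All Option 82 values carried by the packet (empty list if none)."""
    return [value for code, value in parse_options(pkt) if code == OPT_RELAY_AGENT]


def snoop(pkt, frame_src_mac, trusted, verify_mac=True, info_option=True,
          policy="replace", circuit_id=DEMO_CIRCUIT_ID):
    """Decide what DHCP snooping does with one packet; returns (verdict, packet).
    trusted      - port has 'ip dhcp snooping trust'
    verify_mac   - 'ip dhcp snooping verify mac-address' is enabled
    info_option  - 'ip dhcp snooping information option' is enabled
    policy       - 'ip dhcp snooping information policy' {drop | keep | replace}"""
    if trusted:                              # trusted ports are passed through uninspected
        return "forward", pkt
    op, hlen = pkt[0], pkt[2]
    chaddr = pkt[28:28 + hlen]
    if op == BOOTREPLY:                      # OFFER/ACK from an untrusted port: rogue server
        return "drop", pkt
    if op != BOOTREQUEST:
        return "drop", pkt
    if verify_mac and chaddr != frame_src_mac:   # chaddr must match the Ethernet source
        return "drop", pkt
    if not info_option:
        return "forward", pkt
    options = parse_options(pkt)
    if any(code == OPT_RELAY_AGENT for code, _ in options):
        if policy == "drop":
            return "drop", pkt
        if policy == "keep":
            return "forward", pkt
        options = [(c, v) for c, v in options if c != OPT_RELAY_AGENT]   # "replace"
    options.append((OPT_RELAY_AGENT, circuit_id))
    return "forward", pkt[:240] + serialize_options(options)
```

Run against a DISCOVER, an OFFER and a REQUEST that already carries Option 82, the function reproduces the table of outcomes the command descriptions imply; the "keep" policy is the one to be careful with, since it lets a client on an untrusted port claim any circuit ID it likes towards the DHCP server.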
Access Control List Commands 4

IP ACLs
The commands in this section configure ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code. To configure IP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Example
Console(config)#access-list ip standard david
Console(config-std-acl)#

Related Commands
permit, deny (4-124)
ip access-group (4-127)
show ip access-list (4-127)

permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | source bitmask | host source}
• any – Any source IP address.
permit, deny (Extended ACL)
This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
“match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
• You can specify both Precedence and ToS in the same rule. However, if DSCP is used, then neither Precedence nor ToS can be specified.
• The control-code bitmask is a decimal number (representing an equivalent bit mask) that is applied to the control code.
show ip access-list
This command displays the rules for configured IP ACLs.
Syntax
show ip access-list {standard | extended} [acl_name]
• standard – Specifies a standard IP ACL.
• extended – Specifies an extended IP ACL.
• acl_name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 0.0.15.
Related Commands
show ip access-list (4-127)

show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/25
IP standard access-list david
Console#
Related Commands
ip access-group (4-127)

MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
Command Mode
Global Configuration
Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
• To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
• An ACL can contain up to 32 rules.
[no] {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}
• tagged-eth2 – Tagged Ethernet II packets.
• untagged-eth2 – Untagged Ethernet II packets.
• tagged-802.3 – Tagged Ethernet 802.3 packets.
• untagged-802.3 – Untagged Ethernet 802.3 packets.
• any – Any MAC source or destination address.
• host – A specific MAC address.
• source – Source MAC address.
show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl_name]
acl_name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show mac access-list
MAC access-list jerry:
permit any 00-e0-29-94-34-de ethertype 0800
Console#
Related Commands
permit, deny (4-129)
mac access-group (4-131)

mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
show mac access-group
This command shows the ports assigned to MAC ACLs.
show access-group
This command shows the port assignments of ACLs.
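The Standard IP ACL semantics given in this section (rules appended in order, at most 32 per list, removal by exact rule text, and a bitmask in which 1 bits mean "match" and 0 bits mean "ignore") can be checked offline before an ACL is bound to a port. The following is an added example for this page, not the switch's own code; the rule and address values are constructed, and the result when no rule matches is an assumption exposed as the `default` parameter, since the page does not state it.

```python
import ipaddress

# Added illustration (not the switch's own code) of Standard IP ACL rule
# evaluation as described on this page.
MAX_RULES = 32          # "An ACL can contain up to 32 rules"
MAX_NAME_LEN = 16       # "(Maximum length: 16 characters)"


def _addr(text):
    return int(ipaddress.IPv4Address(text))


class StandardIpAcl:
    """Model of a Standard IP ACL: ordered permit/deny rules on the source address.

    A rule is `permit|deny any`, `permit|deny host A.B.C.D` or `permit|deny A.B.C.D MASK`,
    where 1 bits in MASK mean "match" and 0 bits mean "ignore"; the switch ANDs the
    mask with the rule address and with each packet's source before comparing.
    """

    def __init__(self, name):
        if not 1 <= len(name) <= MAX_NAME_LEN:
            raise ValueError("ACL name must be 1-16 characters")
        self.name = name
        self.rules = []        # (action, masked_addr, mask, original_text)

    def add(self, text):
        """`permit ...` / `deny ...`: append a rule to the bottom of the list."""
        if len(self.rules) >= MAX_RULES:
            raise ValueError("an ACL can contain up to 32 rules")
        parts = text.split()
        action = parts[0]
        if action not in ("permit", "deny"):
            raise ValueError("rule must begin with permit or deny")
        if parts[1] == "any":
            addr, mask = 0, 0                               # mask 0 ignores every bit
        elif parts[1] == "host":
            addr, mask = _addr(parts[2]), 0xFFFFFFFF        # every bit must match
        else:
            addr, mask = _addr(parts[1]), _addr(parts[2])
        self.rules.append((action, addr & mask, mask, text))

    def remove(self, text):
        """`no permit ...` / `no deny ...`: the exact text of an existing rule is required."""
        for i, rule in enumerate(self.rules):
            if rule[3] == text:
                del self.rules[i]
                return
        raise ValueError("no rule matches %r exactly" % text)

    def check(self, src, default="deny"):
        """Evaluate a packet's source address: the first matching rule decides.

        `default` is returned when no rule matches; which way the switch resolves
        that case is not stated on this page, so it is an assumption here.
        """
        s = _addr(src)
        for action, addr, mask, _ in self.rules:
            if s & mask == addr:
                return action
        return default


def check_all(acl, sources, default="deny"):
    """Evaluate several constructed source addresses; returns {src: action}."""
    return {src: acl.check(src, default) for src in sources}
```

Because the mask convention is "1 = match", a rule such as `deny 10.1.1.0 255.255.255.0` covers the whole /24, and a `permit host` rule placed above it wins for that one address: rule order, not specificity, decides.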
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Command Mode
Global Configuration
Example
To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#

description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface.
Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting is 1000full for Gigabit Ethernet ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed.
Command Usage
• The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed.
• When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed.
• When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command.
back pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation.
• To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface.
• When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command.
Example
This forces the switch to use the built-in RJ-45 port for the combination port 18.
Console(config)#interface ethernet 1/18
Console(config-if)#media-type copper-forced
Console(config-if)#

shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Default Setting
Broadcast Storm Control: Enabled, packet-rate limit: 64 kilobits per second
Multicast Storm Control: Disabled
Unknown Unicast Storm Control: Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
Example
The following example clears statistics on port 5.
Console#clear counters ethernet 1/5
Console#

show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-24)
• port-channel channel-id (Range: 1-8)
• vlan vlan-id (Range: 1-4093)
Default Setting
Shows the status for all interfaces.
Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
 Basic information:
  Port type: 1000T
  Mac address: 00-30-F1-D4-73-A5
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full, 1000full
  Broadcast Storm: Enabled
  Broadcast Storm Limit: 64 Kbits/second
  Multicast Storm: Disabled
  Multicast Storm Limit: 64 Kbits/second
  UnknownUnicast Storm: Disabled
  UnknownUnicast Storm Limit: 64 Kbits/second
  Flow Control: Disabled
  LACP
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 3-122.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
This example shows the configuration setting for port 24.
Link Aggregation Commands

Table 4-3 show interfaces switchport - display description (Continued)
Field           Description
GVRP Status     Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-191).
Allowed VLAN    Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (page 4-200).
Forbidden VLAN  Shows the VLANs this interface can not dynamically join via GVRP (page 4-201).
Guidelines for Creating Trunks
General Guidelines –
• Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
• A trunk can have up to 8 ports.
• The ports at both ends of a connection must be configured as trunk ports.
• All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
Command Usage
• When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
• Use no channel-group to remove a port group from a trunk.
• Use no interfaces port-channel to remove a trunk from the switch.
Example
The following example creates trunk 1 and then adds port 11.
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/11
Console(config-if)#

lacp
This command enables 802.
Example
The following shows LACP enabled on ports 10-12. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
Command Mode
Interface Configuration (Ethernet)
Command Usage
• Ports must be configured with the same system priority to join the same LAG.
• System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side.
• Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• priority - LACP port priority is used to select a backup link.
show lacp
This command displays LACP information.
Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}
• port-channel - Local identifier for a link aggregation group. (Range: 1-32)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for local side.
• neighbors - Configuration settings and operational state for remote side.
• sys-id - Summary of system priority and MAC address for all channel groups.
Console#show lacp internal
Channel group : 1
------------------------------------------------------------------
Oper Key: 3
Admin Key: 0
Eth 1/ 2
------------------------------------------------------------------
LACPDUs Internal: 30 sec
LACP System Priority: 32768
LACP Port Priority: 32768
Admin Key: 3
Oper Key: 3
Admin State: defaulted, aggregation, long timeout, LACP-activity
Oper State: distributing, collecting, synchronization, aggregation, long timeout, LACP-activity
.
.
.
Console#show lacp 1 neighbors
Channel group 1 neighbors
------------------------------------------------------------------
Eth 1/1
------------------------------------------------------------------
Partner Admin System ID: 32768, 00-00-00-00-00-00
Partner Oper System ID: 32768, 00-01-F4-78-AE-C0
Partner Admin Port Number: 2
Partner Oper Port Number: 2
Port Admin Priority: 32768
Port Oper Priority: 32768
Admin Key: 0
Oper Key: 3
Admin State: defaulted, distributing, collecting, synch
Mirror Port Commands

Console#show lacp 1 sysid
Channel group  System Priority  System MAC Address
------------------------------------------------------------------
1              32768            00-30-F1-8F-2C-A7
2              32768            00-30-F1-8F-2C-A7
3              32768            00-30-F1-8F-2C-A7
4              32768            00-30-F1-8F-2C-A7
5              32768            00-30-F1-8F-2C-A7
6              32768            00-30-F1-8F-2C-A7
7              32768            00-30-F1-D4-73-A0
8              32768            00-30-F1-D4-73-A0
9              32768            00-30-F1-D4-73-A0
10             32768            00-30-F1-D4-73-A0
11             32768            00-30-F1-D4-73-A0
12             32768            00-30-F1-D4-73-A0
.
.
.
Default Setting
No mirror session is defined. When enabled, the default mirroring is for both received and transmitted packets.
Command Mode
Interface Configuration (Ethernet, destination port)
Command Usage
• You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
Rate Limit Commands

Example
The following shows mirroring configured from port 6 to port 11.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 600
Console(config-if)#
Related Command
show interfaces switchport (4-145)

Power over Ethernet Commands
The commands in this group control the power that can be delivered to attached PoE devices through the switch ports. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget.
Command Mode
Global Configuration
Command Usage
• Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source.
• If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
Example
Console(config)#power inline compatible
Console(config)#end
Console#show power inline status
Unit: 1
Compatible mode : Enabled
Interface  Admin   Oper  Power(mWatt)  Power(used)  Priority
---------- ------- ----  ------------  -----------  --------
Eth 1/ 1   enable  off   15400         0            low
Eth 1/ 2   enable  off   15400         0            low
Eth 1/ 3   enable  off   15400         0            low
Eth 1/ 4   enable  off   15400         0            low
Eth 1/ 5   enable  off   15400         0            low
.
.
.
power inline maximum allocation
This command limits the power allocated to specific ports. Use the no form to restore the default setting.
Syntax
power inline maximum allocation milliwatts
no power inline maximum allocation
milliwatts - The maximum power budget for the port. (Range: 3000 - 15400 milliwatts).
Command Usage
• If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to control the supplied power. For example:
  - A device connected to a low-priority port that causes the switch to exceed its budget is not supplied power.
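The budget behaviour described for the PoE commands (a switch-wide budget, per-port allocations of 3000 to 15400 milliwatts, and priority deciding which ports lose power when demand exceeds the budget) is modelled below as an added example for this page; it is not Accton code. The priority level names and their ordering, and the use of port number as a tie-break within a priority, are assumptions, and the port table is constructed.

```python
# Added illustration (not Accton code) of the PoE budget behaviour described
# on this page: per-port allocations of 3000-15400 mW, a switch-wide budget,
# and port priority deciding who loses power when demand exceeds the budget.
MIN_ALLOC_MW, MAX_ALLOC_MW = 3000, 15400
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}   # assumed level names, best first


def allocate_power(budget_mw, ports):
    """Return ({port: "on"|"off"}, remaining_mw) for a list of port dicts.

    Each dict has "port", "admin" ("enable"/"disable"), "max_mw" (power inline
    maximum allocation) and "priority". Higher-priority ports are served first,
    lower port numbers first within a priority (tie-break assumed); a port whose
    allocation would push the total over budget is not supplied power.
    """
    for p in ports:
        if not MIN_ALLOC_MW <= p["max_mw"] <= MAX_ALLOC_MW:
            raise ValueError("port %d: allocation must be 3000-15400 mW" % p["port"])
        if p["priority"] not in PRIORITY_RANK:
            raise ValueError("port %d: unknown priority %r" % (p["port"], p["priority"]))
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p["priority"]], p["port"]))
    remaining = budget_mw
    oper = {}
    for p in order:
        if p["admin"] == "enable" and p["max_mw"] <= remaining:
            remaining -= p["max_mw"]
            oper[p["port"]] = "on"
        else:
            oper[p["port"]] = "off"
    return oper, remaining


def status_table(ports, oper):
    """Render rows in the layout of `show power inline status` (no real power draw here)."""
    lines = ["Interface  Admin    Oper  Power(mWatt)  Priority",
             "---------- -------- ----  ------------  --------"]
    for p in sorted(ports, key=lambda p: p["port"]):
        lines.append("Eth 1/%-3d  %-8s %-4s  %-12d  %s" % (
            p["port"], p["admin"], oper[p["port"]], p["max_mw"], p["priority"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed ports: enabled demand of 37800 mW against a 30000 mW budget
    demo = [
        {"port": 1, "admin": "enable",  "max_mw": 15400, "priority": "low"},
        {"port": 2, "admin": "enable",  "max_mw": 15400, "priority": "critical"},
        {"port": 3, "admin": "enable",  "max_mw": 7000,  "priority": "high"},
        {"port": 4, "admin": "disable", "max_mw": 15400, "priority": "critical"},
    ]
    oper, left = allocate_power(30000, demo)
    print(status_table(demo, oper))
    print("unallocated budget: %d mW" % left)
```

Running the constructed table shows the rule from the page in action: the low-priority port 1 is the one that would push the total past 30000 mW, so it is the port left without power, while the disabled port 4 never counts against the budget.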
Table 4-12 show power inline status parameters
Parameter      Description
Admin          The power mode set on the port (see power inline on page 4-162)
Oper           The current operating power status (displays on or off)
Power (mWatt)  The maximum power allocated to this port (see power inline maximum allocation on page 4-163)
Power (used)   The current power consumption on the port in milliwatts
Priority       The port’s power priority setting (see power inline priority on page 4-163)

show p
Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics:
• Static addresses will not be removed from the address table when a given interface link is down.
• Static addresses are bound to the assigned interface and will not be moved.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• The MAC Address Table contains the MAC addresses associated with each interface.
Spanning Tree Commands

Example
Console(config)#mac-address-table aging-time 100
Console(config)#

show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging time: 300 sec.
Table 4-15 Spanning Tree Commands (Continued)
Command                          Function                                                                            Mode  Page
max-hops                         Configures the maximum number of hops allowed in the region before a BPDU is discarded  MST   4-179
spanning-tree spanning-disabled  Disables spanning tree for an interface                                             IC    4-179
spanning-tree cost               Configures the spanning tree path cost of an interface                              IC    4-180
spanning-tree port-priority      Configures the spanning tree priority of an interface                               IC    4-181
spanning-tree edge-port          Enable
Example
This example shows how to enable the Spanning Tree Algorithm for the switch.
Console(config)#spanning-tree
Console(config)#

spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.
Syntax
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
• stp - Spanning Tree Protocol (IEEE 802.1D)
• rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
• mstp - Multiple Spanning Tree (IEEE 802.
• Multiple Spanning Tree Protocol
  - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
  - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
  - Be careful when switching between spanning tree modes.
spanning-tree hello-time
This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree hello-time time
no spanning-tree hello-time
time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) -1].
Command Usage
This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
• long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
• short - Specifies 16-bit based values that range from 1-65535.
Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#

spanning-tree mst-configuration
This command changes to Multiple Spanning Tree (MST) configuration mode.
Default Setting
• No VLANs are mapped to any MST instance.
• The region name is set to the switch’s MAC address.
• By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 58 instances. You should try to group VLANs which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region (page 4-178) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs.
name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Syntax
name name
name - Name of the spanning tree.
Default Setting
Switch’s MAC address
Command Mode
MST Configuration
Command Usage
The MST region name and revision number (page 4-178) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region.
Example
Console(config-mstp)#revision 1
Console(config-mstp)#
Related Commands
name (4-178)

max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
Syntax
max-hops hop-number
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols.
Example
This example disables the spanning tree algorithm for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port.
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
Table 4-5 Default STA Path Costs
Port Type  Link Type  IEEE 802.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
• Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#
Related Commands
spanning-tree portfast (4-183)

spanning-tree portfast
This command sets an interface to fast forwarding. Use the no form to disable fast forwarding.
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
• auto - Automatically derived from the duplex mode setting.
• point-to-point - Point-to-point link.
• shared - Shared medium.
spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree mst instance_id cost cost
no spanning-tree mst instance_id cost
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
• cost - Path cost for an interface.
spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance_id port-priority priority
no spanning-tree mst instance_id port-priority
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
• priority - Priority for an interface.
Command Mode
Privileged Exec
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
• For a description of the items displayed under “Spanning-tree information,” see “Configuring Global Settings” on page 3-141. For a description of the items displayed for specific interfaces, see “Displaying Interface Settings” on page 3-145.
VLAN Commands

show spanning-tree mst configuration
This command shows the configuration of the multiple spanning tree.
GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
show bridge-ext
This command shows the configuration for bridge extension commands.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
See “Displaying Basic VLAN Information” on page 3-160 and “Displaying Bridge Extension Capabilities” on page 3-14 for a description of the displayed items.
show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-19)
• port-channel channel-id (Range: 1-12)
Default Setting
Shows both global and interface-specific configuration.
Command Usage
• Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration/deregistration.
• Timer values are applied to GVRP for all the ports on all VLANs.
Related Commands
garp timer (4-192)

Editing VLAN Groups
Table 4-1 Editing VLAN Groups
Command        Function                                                     Mode  Page
vlan database  Enters VLAN database mode to add, change, and delete VLANs  GC    4-194
vlan           Configures a VLAN, including VID, name and state            VC    4-195

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}]
no vlan vlan-id [name | state]
• vlan-id - ID of configured VLAN. (Range: 1-4093, no leading zeroes)
• name - Keyword to be followed by the VLAN name.
• vlan-name - ASCII string from 1 to 32 characters.
• media ethernet - Ethernet media type.
• state - Keyword to be followed by the VLAN state.
Configuring VLAN Interfaces
Table 4-2 Configuring VLAN Interfaces
Command                            Function                                                  Mode  Page
interface vlan                     Enters interface configuration mode for a specified VLAN  IC    4-196
switchport mode                    Configures VLAN membership mode for an interface          IC    4-197
switchport acceptable-frame-types  Configures frame types to be accepted by an interface     IC    4-197
switchport ingress-filtering       Enables ingress filtering on an interface                 IC    4-198
switchport native vlan             Configures the P
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode {hybrid | access | trunk}
no switchport mode
• hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
• access - Specifies an access VLAN interface. The port transmits and receives untagged frames only.
• trunk - Specifies a port as an end-point for a VLAN trunk.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
Example
The following example shows how to set the interface to port 1 and then enable ingress filtering:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#

switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
• add vlan-list - List of VLAN identifiers to add.
• remove vlan-list - List of VLAN identifiers to remove.
• vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
• add vlan-list - List of VLAN identifiers to add.
• remove vlan-list - List of VLAN identifiers to remove.
• vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. Do not enter leading zeros.
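The vlan-list argument shared by switchport allowed vlan and switchport forbidden vlan has a small grammar (comma-separated identifiers with no spaces, a hyphen for a range, no leading zeros, identifiers within 1-4093). The following added example, written for this page and not taken from the manual, validates that grammar and then applies the add/remove semantics of switchport allowed vlan to a constructed membership table. The tagging used when the tagged/untagged keyword is omitted is an assumption.

```python
import re

# Added illustration (not from the manual) of the vlan-list rules given for
# switchport allowed vlan / switchport forbidden vlan: comma-separated IDs with no
# spaces, a hyphen for ranges, no leading zeros, IDs within 1-4093.
VLAN_MIN, VLAN_MAX = 1, 4093
_VLAN_ID = re.compile(r"[1-9][0-9]*")


def _vlan_id(token):
    if not _VLAN_ID.fullmatch(token):
        raise ValueError("bad VLAN id %r: digits only, no leading zeros" % token)
    vid = int(token)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError("VLAN id %d outside 1-4093" % vid)
    return vid


def parse_vlan_list(text):
    """Expand a vlan-list such as "1,3-5,10" into a sorted list of VLAN ids."""
    if " " in text:
        raise ValueError("vlan-list must not contain spaces")
    ids = set()
    for part in text.split(","):
        if "-" in part:
            lo, hi = (_vlan_id(t) for t in part.split("-", 1))
            if lo > hi:
                raise ValueError("range %r runs backwards" % part)
            ids.update(range(lo, hi + 1))
        else:
            ids.add(_vlan_id(part))
    return sorted(ids)


def switchport_allowed_vlan(membership, action, vlan_list, tagging="tagged"):
    """Model `switchport allowed vlan {add vlan-list [tagged|untagged] | remove vlan-list}`.

    membership maps VLAN id -> "tagged"/"untagged" for one interface and a new dict
    is returned. The default tagging when the keyword is omitted is an assumption.
    """
    new = dict(membership)
    vids = parse_vlan_list(vlan_list)
    if action == "add":
        if tagging not in ("tagged", "untagged"):
            raise ValueError("tagging must be tagged or untagged")
        for vid in vids:
            new[vid] = tagging
    elif action == "remove":
        for vid in vids:
            new.pop(vid, None)
    else:
        raise ValueError("action must be add or remove")
    return new
```

Rejecting leading zeros and spaces up front matters because a list such as "1, 2" would otherwise be read as a single malformed token, and a silently truncated list is the kind of error that leaves a port a member of fewer (or more) VLANs than intended.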
Displaying VLAN Information
Table 4-3 Displaying VLAN Information
Command                      Function                                                            Mode    Page
show vlan                    Shows VLAN information                                              NE, PE  4-202
show interfaces status vlan  Displays status for the specified VLAN interface                    NE, PE  4-143
show interfaces switchport   Displays the administrative and operational status of an interface  NE, PE  4-145

show vlan
This command shows VLAN information.
Configuring Private VLANs
Private VLANs provide port-based security between ports, using primary and secondary VLAN groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
private-vlan
Use this command to create a primary or community VLAN. Use the no form to remove the specified private VLAN.
Syntax
private-vlan vlan-id {community | primary}
no private-vlan vlan-id
• vlan-id - ID of private VLAN. (Range: 1-4093, no leading zeroes).
• community – A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associated primary VLAN.
private-vlan association
Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.
Syntax
private-vlan primary-vlan-id association {primary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id}
no private-vlan primary-vlan-id association
• primary-vlan-id - ID of primary VLAN. (Range: 1-4093, no leading zeroes)
• secondary-vlan-id - ID of secondary (i.e., community) VLAN.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the private-vlan host association command.
switchport private-vlan mapping
Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping.
Syntax
switchport private-vlan mapping primary-vlan-id
no switchport private-vlan mapping
primary-vlan-id - ID of primary VLAN. (Range: 1-4093, no leading zeroes)
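The private VLAN commands above (private-vlan, private-vlan association, switchport private-vlan mapping and private-vlan host association) together decide which ports can reach which. The following Python model is an added example, not code from this guide or from the switch, that applies the forwarding rules stated in "Configuring Private VLANs" so the isolation they give can be checked before a port is trusted. The build_example configuration is constructed: primary VLAN 5 with promiscuous port Eth1/3, community 6 holding Eth1/4 and Eth1/5, plus a second community 7 holding Eth1/6 to show that communities do not see each other. The argument order used for private-vlan host association is assumed, since that command's full syntax is on another page.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class PrivateVlanModel:
    """Tracks the state the private VLAN commands build up and answers whether
    two ports may exchange frames under the rules the guide describes."""
    primaries: Set[int] = field(default_factory=set)
    communities: Set[int] = field(default_factory=set)
    # primary-vlan-id -> associated secondary (community) VLAN IDs
    associations: Dict[int, Set[int]] = field(default_factory=dict)
    # port name -> primary VLAN it is mapped to as a promiscuous port
    promiscuous: Dict[str, int] = field(default_factory=dict)
    # port name -> community VLAN it belongs to as a host port
    hosts: Dict[str, int] = field(default_factory=dict)

    def private_vlan(self, vlan_id: int, kind: str) -> None:
        """private-vlan vlan-id {community | primary}"""
        if not 1 <= vlan_id <= 4093:
            raise ValueError("vlan-id must be in the range 1-4093")
        if kind == "primary":
            self.primaries.add(vlan_id)
        elif kind == "community":
            self.communities.add(vlan_id)
        else:
            raise ValueError("kind must be 'primary' or 'community'")

    def association_add(self, primary: int, secondary: int) -> None:
        """private-vlan primary-vlan-id association add secondary-vlan-id"""
        if primary not in self.primaries or secondary not in self.communities:
            raise ValueError("both VLANs must exist with the right type first")
        self.associations.setdefault(primary, set()).add(secondary)

    def switchport_mapping(self, port: str, primary: int) -> None:
        """switchport private-vlan mapping primary-vlan-id (promiscuous port)"""
        if primary not in self.primaries:
            raise ValueError(f"VLAN {primary} is not a primary VLAN")
        self.promiscuous[port] = primary

    def host_association(self, port: str, community: int) -> None:
        """private-vlan host association (host port in a community VLAN);
        the argument order is an assumption of this example."""
        if community not in self.communities:
            raise ValueError(f"VLAN {community} is not a community VLAN")
        self.hosts[port] = community

    def can_forward(self, src: str, dst: str) -> bool:
        """Apply the forwarding rules for promiscuous and community ports."""
        if src == dst:
            return False
        if src in self.promiscuous:
            primary = self.promiscuous[src]
            # A promiscuous port reaches every port in its private VLAN group:
            # the other promiscuous ports of the same primary and the host
            # ports in any community VLAN associated with that primary.
            if dst in self.promiscuous:
                return self.promiscuous[dst] == primary
            return self.hosts.get(dst) in self.associations.get(primary, set())
        if src in self.hosts:
            community = self.hosts[src]
            # A community port reaches only hosts in its own community VLAN
            # and the promiscuous ports of the associated primary VLAN.
            if dst in self.hosts:
                return self.hosts[dst] == community
            if dst in self.promiscuous:
                return community in self.associations.get(self.promiscuous[dst], set())
        return False


def build_example() -> PrivateVlanModel:
    """Constructed configuration: primary 5, communities 6 (Eth1/4, Eth1/5)
    and 7 (Eth1/6), promiscuous port Eth1/3."""
    m = PrivateVlanModel()
    m.private_vlan(5, "primary")
    m.private_vlan(6, "community")
    m.private_vlan(7, "community")
    m.association_add(5, 6)
    m.association_add(5, 7)
    m.switchport_mapping("Eth1/3", 5)
    m.host_association("Eth1/4", 6)
    m.host_association("Eth1/5", 6)
    m.host_association("Eth1/6", 7)
    return m


if __name__ == "__main__":
    model = build_example()
    for pair in (("Eth1/4", "Eth1/5"), ("Eth1/4", "Eth1/3"), ("Eth1/4", "Eth1/6")):
        print(pair, model.can_forward(*pair))
```

The last check in the walk-through is the one that matters for segmentation: a host in community 6 has no path to a host in community 7 even though both hang off the same primary VLAN, so a compromised host in one community cannot reach its neighbours in the other except through the promiscuous port.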
Example
Console#show vlan private-vlan
Primary  Secondary  Type       Interfaces
-------  ---------  ---------  ------------------------------
      5             primary    Eth1/ 3
      5          6  community  Eth1/ 4 Eth1/ 5
Console#

Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
protocol-vlan protocol-group
This command creates a protocol group or adds specific protocols to a group. Use the no form to remove a protocol group.
Syntax
protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
no protocol-vlan protocol-group group-id
• group-id - Group identifier of this protocol group. (Range: 1-2147483647)
• frame - Frame type used by this protocol. (Options: ethernet, rfc-1042, llc-other)
• protocol - Protocol type.
Command Usage
When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner:
• If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
• If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
• If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
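The three rules above are a small classifier, and seeing them as code makes it clear which VLAN an untagged frame ends up in once a protocol group is mapped to a port. The following Python model is an added example, not code from this guide or from the switch: protocol_group mirrors protocol-vlan protocol-group, map_group_to_vlan stands in for the interface-level command that binds a group to a VLAN (its name is not on this page, so the method name is an assumption), and classify returns the VLAN the frame is forwarded to. For a tagged frame the model simply returns the tagged VLAN, a simplification of the "standard rules" the guide refers to.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

FRAME_TYPES = {"ethernet", "rfc-1042", "llc-other"}   # frame-type options from the syntax


@dataclass(frozen=True)
class Frame:
    frame_type: str                  # ethernet | rfc-1042 | llc-other
    protocol: int                    # protocol type, e.g. 0x0800 for IPv4
    tag_vlan: Optional[int] = None   # VLAN ID from the 802.1Q tag, None if untagged


class ProtocolVlanPort:
    """Protocol groups, the group-to-VLAN mappings on one port, and the port's
    default VLAN (PVID); classify() applies the three Command Usage rules."""

    def __init__(self, pvid: int = 1) -> None:
        self.pvid = pvid
        self.groups: Dict[int, Set[Tuple[str, int]]] = {}
        self.group_vlan: Dict[int, int] = {}

    def protocol_group(self, group_id: int, frame_type: str, protocol: int,
                       add: bool = True) -> None:
        """protocol-vlan protocol-group group-id {add | remove} frame-type ... protocol-type ..."""
        if not 1 <= group_id <= 2147483647:
            raise ValueError("group-id must be in the range 1-2147483647")
        if frame_type not in FRAME_TYPES:
            raise ValueError(f"frame-type must be one of {sorted(FRAME_TYPES)}")
        members = self.groups.setdefault(group_id, set())
        if add:
            members.add((frame_type, protocol))
        else:
            members.discard((frame_type, protocol))

    def map_group_to_vlan(self, group_id: int, vlan_id: int) -> None:
        """Bind a protocol group to a VLAN on this port (assumed name for the
        interface-level command documented elsewhere in the guide)."""
        if group_id not in self.groups:
            raise ValueError(f"protocol group {group_id} does not exist")
        self.group_vlan[group_id] = vlan_id

    def classify(self, frame: Frame) -> int:
        """Return the VLAN the frame is forwarded to."""
        if frame.tag_vlan is not None:
            return frame.tag_vlan          # rule 1: tagged frames keep their tag
        for group_id, vlan_id in self.group_vlan.items():
            if (frame.frame_type, frame.protocol) in self.groups[group_id]:
                return vlan_id             # rule 2: untagged and protocol matches
        return self.pvid                   # rule 3: untagged, no match -> default VLAN


def build_example_port() -> ProtocolVlanPort:
    """Constructed setup: PVID 1, group 1 = IPv4 and ARP over Ethernet II,
    mapped to VLAN 10 on this port."""
    port = ProtocolVlanPort(pvid=1)
    port.protocol_group(1, "ethernet", 0x0800)   # IPv4
    port.protocol_group(1, "ethernet", 0x0806)   # ARP
    port.map_group_to_vlan(1, 10)
    return port


if __name__ == "__main__":
    port = build_example_port()
    for f in (Frame("ethernet", 0x0800), Frame("ethernet", 0x86DD), Frame("ethernet", 0x0800, 20)):
        print(f, "->", port.classify(f))
```

The point worth noticing is rule 3: anything untagged that does not match a group silently lands in the port's default VLAN, so the PVID of a protocol VLAN port should be chosen as deliberately as the protocol mappings themselves.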
show protocol-vlan protocol-group-vid
This command shows the VLANs mapped to a protocol group.
LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
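Because everything the switch advertises is readable by any station on the broadcast domain, it helps to see exactly what an LLDPDU carries and how the lldp basic-tlv commands in this section change it. The following Python encoder and decoder is an added example, not code from this guide or from the switch: it builds the IEEE 802.1AB TLV header (7-bit type, 9-bit length), emits the three mandatory TLVs (Chassis ID, Port ID, TTL) followed by whichever optional basic TLVs are enabled, and parses a frame back while refusing truncated input. The TTL is computed as transmit interval times holdtime multiplier, capped at 16 bits, which is the 802.1AB rule behind the lldp holdtime-multiplier command. The MAC address, port name and system strings in the test are constructed.

```python
import struct
from typing import List, Tuple

# TLV type codes from IEEE 802.1AB.
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESCRIPTION, SYSTEM_NAME, SYSTEM_DESCRIPTION = 4, 5, 6
CHASSIS_SUBTYPE_MAC = 4        # chassis ID carried as a MAC address
PORT_SUBTYPE_IFNAME = 5        # port ID carried as an interface name


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is 16 bits: 7-bit type, 9-bit length, followed by the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def decode_lldpdu(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs up to End of LLDPDU; reject frames that run short."""
    tlvs: List[Tuple[int, bytes]] = []
    offset = 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("LLDPDU ends without an End-of-LLDPDU TLV")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError("TLV length runs past the end of the frame")
        value = data[offset:offset + length]
        offset += length
        if tlv_type == END_OF_LLDPDU:
            return tlvs
        tlvs.append((tlv_type, value))


def build_lldpdu(chassis_mac: bytes, port_name: str, tx_interval: int,
                 holdtime_multiplier: int, port_description: str = "",
                 system_name: str = "", system_description: str = "") -> bytes:
    """Mandatory TLVs first, then the optional basic TLVs that are enabled.
    An empty string means the TLV is not advertised, which is the effect of
    'no lldp basic-tlv ...' on the switch."""
    ttl = min(tx_interval * holdtime_multiplier, 0xFFFF)   # 802.1AB: 16-bit TTL
    pdu = encode_tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += encode_tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
    pdu += encode_tlv(TTL, struct.pack("!H", ttl))
    for tlv_type, text in ((PORT_DESCRIPTION, port_description),
                           (SYSTEM_NAME, system_name),
                           (SYSTEM_DESCRIPTION, system_description)):
        if text:
            pdu += encode_tlv(tlv_type, text.encode())
    return pdu + encode_tlv(END_OF_LLDPDU, b"")


def advertised_types(pdu: bytes) -> List[int]:
    """TLV types present in a frame, in order: what a neighbour gets to see."""
    return [tlv_type for tlv_type, _ in decode_lldpdu(pdu)]


def ttl_of(pdu: bytes) -> int:
    for tlv_type, value in decode_lldpdu(pdu):
        if tlv_type == TTL:
            return struct.unpack("!H", value)[0]
    raise ValueError("no TTL TLV in frame")


def is_well_formed(pdu: bytes) -> bool:
    try:
        decode_lldpdu(pdu)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values; no real device is described.
    pdu = build_lldpdu(b"\x00\x11\x22\x33\x44\x55", "Eth1/1", 30, 4,
                       system_name="sw1", system_description="ES4524M-PoE")
    print(advertised_types(pdu), ttl_of(pdu))
```

Comparing advertised_types for a frame built with and without the optional strings shows what each no lldp basic-tlv command removes from the wire, which is the practical way to decide how much a device should tell an unauthenticated neighbour.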
Table 4-1 LLDP Commands
Command | Function | Mode | Page
lldp basic-tlv system-description | Configures an LLDP-enabled port to advertise the system description | IC | 4-222
lldp basic-tlv system-name | Configures an LLDP-enabled port to advertise its system name | IC | 4-222
lldp dot1-tlv proto-ident* | Configures an LLDP-enabled port to advertise the supported protocols | IC | 4-223
lldp dot1-tlv proto-vid* | Configures an LLDP-enabled port to advertise port related VLAN information | IC | 4-223
ll
lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Syntax
[no] lldp
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
Example
Console(config)#lldp holdtime-multiplier 10
Console(config)#

lldp medFastStartCount
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
Syntax
lldp medfaststartcount packets
packets - Number of packets.
Command Usage
• This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
• Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission.
lldp reinit-delay
This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting.
Syntax
lldp reinit-delay seconds
no lldp reinit-delay
seconds - Specifies the delay before attempting to re-initialize LLDP.
objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
• This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval
Example
Console(config)#lldp tx-delay 10
Console(config)#

lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to restore the default setting.
Command Usage
• This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command (page 4-215). Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or vendor-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
• SNMP trap destinations are defined using the snmp-server host command (page 4-64).
to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp mednotification
Console(config-if)#

lldp basic-tlv management-ip-address
This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
lldp basic-tlv port-description
This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature.
Syntax
[no] lldp basic-tlv port-description
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
lldp basic-tlv system-description
This command configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature.
lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
Syntax
[no] lldp dot1-tlv proto-ident
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the protocols that are accessible through this interface.
lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Syntax
[no] lldp dot1-tlv pvid
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port's default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see switchport native vlan on page 4-199).
lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise its link aggregation capabilities. Use the no form to disable this feature.
Syntax
[no] lldp dot3-tlv link-agg
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Syntax
[no] lldp dot3-tlv max-frame
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Refer to "Frame Size Commands" on page 4-22 for information on configuring the maximum frame size for the switch.
lldp medtlv extpoe
This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp medtlv inventory
Console(config-if)#

lldp medtlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
Syntax
[no] lldp medtlv location
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp medtlv med-cap
Console(config-if)#

lldp medtlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
Example
Console#show lldp config
LLDP Global Configuration
LLDP Enable
LLDP Transmit interval
LLDP Hold Time Multiplier
LLDP Delay Interval
LLDP Reinit Delay
LLDP Notification Interval
LLDP Port Configuration
Port
-------
Eth 1/1
Eth 1/2
Eth 1/3
. . .
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.
Syntax
show lldp info local-device [detail interface]
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
Syntax
show lldp info remote-device [detail interface]
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax
show lldp info statistics [detail interface]
• detail - Shows detailed information.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
Class of Service Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues.
Default Setting
Weighted Round Robin
Command Mode
Global Configuration
Command Usage
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
• This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port's default ingress user priority, and then placed in the appropriate priority queue at the output port. The default priority for all ingress ports is zero.
Related Commands
show queue bandwidth (4-238)

queue cos-map
This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 3). Use the no form to set the CoS map to the default values.
Syntax
queue cos-map queue_id [cos1 ... cosn]
no queue cos-map
• queue_id - The ID of the priority queue. Ranges are 0 to 3, where 3 is the highest priority queue.
• cos1 .. cosn - The CoS values that are mapped to the queue ID.
Example
The following example shows how to change the CoS assignments to a one-to-one mapping.
Example
Console#show queue bandwidth
Queue ID Weight
-------- ------
       0      1
       1      2
       2      4
       3      8
Console#

show queue cos-map
This command shows the class of service priority map.
Syntax
show queue cos-map [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number.
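The queue mode and queue cos-map commands above decide what happens to low-priority traffic when a port is congested, and the difference between strict priority and WRR is easiest to see by counting. The following Python simulation is an added example, not code from this guide or from the switch: cos_to_queue_map validates a set of queue cos-map lines (every CoS value 0-7 must land in exactly one of queues 0-3), enqueue places frames by CoS, and schedule serves a fixed number of transmit opportunities in either strict or WRR mode using the weights from the show queue bandwidth output above. The CoS-to-queue assignment and the traffic mix in the test are constructed.

```python
from collections import deque
from typing import Deque, Dict, List

# Weights from the 'show queue bandwidth' output above; queue 3 is the highest priority.
WRR_WEIGHTS: Dict[int, int] = {0: 1, 1: 2, 2: 4, 3: 8}


def cos_to_queue_map(assignments: Dict[int, List[int]]) -> Dict[int, int]:
    """Expand 'queue cos-map queue_id cos1 ... cosn' lines into a CoS -> queue table.
    Every CoS value 0-7 must be mapped to exactly one of queues 0-3."""
    table: Dict[int, int] = {}
    for queue_id, cos_values in assignments.items():
        if not 0 <= queue_id <= 3:
            raise ValueError(f"queue_id must be 0-3, got {queue_id}")
        for cos in cos_values:
            if not 0 <= cos <= 7:
                raise ValueError(f"CoS value must be 0-7, got {cos}")
            if cos in table:
                raise ValueError(f"CoS {cos} mapped to more than one queue")
            table[cos] = queue_id
    missing = set(range(8)) - set(table)
    if missing:
        raise ValueError(f"CoS values not mapped to any queue: {sorted(missing)}")
    return table


def enqueue(frames: List[int], cos_map: Dict[int, int]) -> Dict[int, Deque[int]]:
    """Place frames, given as their CoS values (untagged frames carry the port's
    default ingress priority, 0 by default), into the four output queues."""
    queues: Dict[int, Deque[int]] = {q: deque() for q in range(4)}
    for cos in frames:
        queues[cos_map[cos]].append(cos)
    return queues


def schedule(queues: Dict[int, Deque[int]], mode: str, slots: int,
             weights: Dict[int, int] = WRR_WEIGHTS) -> Dict[int, int]:
    """Serve `slots` transmit opportunities and return frames sent per queue.
    strict: always drain the highest-numbered non-empty queue first.
    wrr: each round gives queue q up to weights[q] frames, highest queue first,
    so lower queues still get a share while the port is congested."""
    sent = {q: 0 for q in queues}
    remaining = slots
    while remaining > 0 and any(queues.values()):
        if mode == "strict":
            q = max(q for q, pending in queues.items() if pending)
            queues[q].popleft()
            sent[q] += 1
            remaining -= 1
        elif mode == "wrr":
            for q in sorted(queues, reverse=True):
                for _ in range(weights[q]):
                    if remaining == 0 or not queues[q]:
                        break
                    queues[q].popleft()
                    sent[q] += 1
                    remaining -= 1
        else:
            raise ValueError("mode must be 'strict' or 'wrr'")
    return sent


if __name__ == "__main__":
    # Constructed: two CoS values per queue, then 20 best-effort and 20 top-priority frames.
    cmap = cos_to_queue_map({0: [0, 1], 1: [2, 3], 2: [4, 5], 3: [6, 7]})
    frames = [0] * 20 + [7] * 20
    print("strict:", schedule(enqueue(frames, cmap), "strict", 20))
    print("wrr:   ", schedule(enqueue(frames, cmap), "wrr", 20))
```

With the same 20 transmit slots, strict mode sends nothing from queue 0 while queue 3 has frames waiting, whereas WRR with weights 8:1 still lets two best-effort frames through. That starvation is the reason to be careful about which traffic is allowed to mark itself into the top queue when strict mode is chosen.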
Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch.
Table 3-5 Priority Commands (Layer 3 and 4)
Command | Function | Mode | Page
map ip dscp | Enables IP DSCP class of service mapping | GC | 4-240
map ip dscp | Maps IP DSCP value to a class of service | IC | 4-241
show map ip dscp | Shows the IP DSCP map | PE | 4-242

map ip dscp (Global Configuration)
This command enables IP DSCP mapping (i.e.
map ip dscp (Interface Configuration)
This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table.
Syntax
map ip dscp dscp-value cos cos-value
no map ip dscp
• dscp-value - 8-bit DSCP value. (Range: 0-255)
• cos-value - Class-of-Service value (Range: 0-7)
Default Setting
The DSCP default values are defined in the following table.
show map ip dscp
This command shows the IP DSCP priority map.
Syntax
show map ip dscp [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-24)
• port-channel channel-id (Range: 1-8)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
 Port      DSCP COS
--------- ---- ---
Eth 1/ 1     0   0
Eth 1/ 1     1   0
Eth 1/ 1     2   0
Eth 1/ 1     3   0
. . .
Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Notes:
1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
2. You should create a Class Map (page 4-244) before creating a Policy Map (page 4-246). Otherwise, you will not be able to specify a Class Map with the class command (page 4-246) after entering Policy-Map Configuration mode.

class-map
This command creates a class map used for matching packets to the specified class, and enters Class Map configuration mode.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax
[no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
• acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
• dscp - A DSCP value. (Range: 0-63)
• ip-precedence - An IP Precedence value. (Range: 0-7)
• vlan - A VLAN.
policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode.
Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.
Command Mode
Policy Map Configuration
Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the:
  - set command classifies the service that an IP packet will receive.
Example
This example creates a policy called "rd_policy," uses the class command to specify the previously defined "rd_class," uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-16 characters)
Default Setting
Displays all class maps.
Example
Console#show policy-map
Policy Map rd_policy
 class rd_class
  set ip dscp 3
Console#show policy-map rd_policy class rd_class
Policy Map rd_policy
 class rd_class
  set ip dscp 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1-8)
  - port - Port number.
Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
ip igmp snooping
This command enables IGMP snooping on this switch. Use the no form to disable it.
Syntax
[no] ip igmp snooping
Default Setting
Enabled
Command Mode
Global Configuration
Example
The following example enables IGMP snooping.
Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
Syntax
ip igmp snooping version {1 | 2 | 3}
no ip igmp snooping version
• 1 - IGMP Version 1
• 2 - IGMP Version 2
• 3 - IGMP Version 3
Default Setting
IGMP Version 2
Command Mode
Global Configuration
Command Usage
• All systems on the subnet must support the same version.
Command Usage
• If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period. Note that the timeout period is determined by the ip igmp snooping query-max-response-time (see page 4-258).
show mac-address-table multicast
This command shows known multicast addresses.
Syntax
show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping]
• vlan-id - VLAN ID (1 to 4093)
• user - Display only the user-configured multicast entries.
• igmp-snooping - Display only entries learned through IGMP snooping.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Member types displayed include IGMP or USER, depending on selected options.
ip igmp snooping querier
This command enables the switch as an IGMP querier. Use the no form to disable it.
Syntax
[no] ip igmp snooping querier
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
The following shows how to configure the query count to 10:
Console(config)#ip igmp snooping query-count 10
Console(config)#
Related Commands
ip igmp snooping query-max-response-time (4-258)

ip igmp snooping query-interval
This command configures the query interval. Use the no form to restore the default.
Syntax
ip igmp snooping query-interval seconds
no ip igmp snooping query-interval
seconds - The frequency at which the switch sends IGMP host-query messages.
Command Usage
• The switch must be using IGMPv2 for this command to take effect.
• This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
Static Multicast Routing Commands
This section describes commands used to configure static multicast routing on the switch.
Table 3-11 Static Multicast Routing Commands
Command | Function | Mode | Page
ip igmp snooping vlan mrouter | Adds a multicast router port | GC | 4-260
show ip igmp snooping mrouter | Shows multicast router ports | PE | 4-261

ip igmp snooping vlan mrouter
This command statically configures a multicast router port. Use the no form to remove the configuration.
show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Displays multicast router ports for all configured VLANs.
Command Mode
Privileged Exec
Command Usage
Multicast router port types displayed include Static or Dynamic.
Table 3-12 Multicast VLAN Registration Commands (Continued)
Command | Function | Mode | Page
show mvr interface | Shows information about the interfaces attached to the MVR domains | PE | 4-266
show mvr members | Shows information about the multicast groups assigned to the MVR domains | PE | 4-267

mvr (Global Configuration)
This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or s
IGMPv1/v2 multicast report messages or IGMPv2 leave messages sent by IGMPv1/v2 hosts are supported by the current MVR standard.
• IGMP snooping and MVR share a maximum number of 255 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated VLAN.
• One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for multicast groups which it has joined through IGMP snooping or which have been statically assigned using the group keyword.
• The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
  - Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
  - Immediate leave does not apply to multicast groups which have been statically assigned to a port.
show mvr interface
This command shows information about the interfaces attached to the MVR VLAN.
Syntax
show mvr interface [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-24)
• port-channel channel-id (Range: 1-8)
Default Setting
Displays status for all attached interfaces.
show mvr members
This command shows information about the multicast groups assigned to the MVR VLAN.
Syntax
show mvr members [ip-address]
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-24)
  • port-channel channel-id (Range: 1-8)
• ip-address - IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
Default Setting
Displays status for all assigned multicast groups.
IP Interface Commands
An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. You may also need to establish a default gateway between this device and management stations that exist on another network segment.
the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the configuration program.
• If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address.
Command Usage
• A gateway must be defined if the management station is located in a different IP segment.
• A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
Example
The following example defines a default gateway for this device.
Console(config)#ip default-gateway 10.1.1.
show ip interface
This command displays the settings of an IP interface.
Command Mode
Privileged Exec
Example
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#
Related Commands
show ip redirects (4-271)

show ip redirects
This command shows the default gateway configured for this device.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip redirects
ip default gateway 10.1.0.
ping
This command sends ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
• host - IP address of the host.
• count - Number of packets to send. (Range: 1-16)
• size - Number of bytes in a packet. (Range: 32-512) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Appendix A: Software Specifications
Software Features
Authentication: Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security
Access Control Lists: 256 ACLs (60 rules per ACL)
DHCP Client
Port Configuration: 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LH - 1000 Mbps at full duplex (SFP)
Flow Control: Full Duplex: IEEE 802.
Multicast Filtering: IGMP Snooping (Layer 2)
Additional Features: BOOTP client, SNTP (Simple Network Time Protocol), SNMP (Simple Network Management Protocol), RMON (Remote Monitoring, groups 1,2,3,9), SMTP Email Alerts
Management Features
In-Band Management: Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell
Out-of-Band Management: RS-232 DB-9 console port
Software Loading: TFTP in-band or XModem out-of-band
SNMP: Management access via MIB database; Trap management to specifie
Management Information Bases
RADIUS+ (RFC 2618)
RMON (RFC 2819 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 2571)
SNMPv3 (RFC DRAFT 2576, 3411, 3412, 3413, 3414, 3415)
SNTP (RFC 2030)
SSH (Version 2.
Appendix B: Troubleshooting
Problems Accessing the Management Interface
Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
• Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Designate the SNMP host that is to receive the error messages.
4. Repeat the sequence of commands or other actions that lead up to the error.
5.
Glossary
Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
GARP VLAN Registration Protocol (GVRP)
Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
IEEE 802.3x
Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
IGMP Query
On each subnetwork, one IGMP-capable device will act as the querier, that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
MD5 Message-Digest Algorithm
An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
Remote Monitoring (RMON)
RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
Rapid Spanning Tree Protocol (RSTP)
RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.
Secure Shell (SSH)
A secure replacement for remote access functions, including Telnet.
Trivial File Transfer Protocol (TFTP)
A TCP/IP protocol commonly used for software downloads.
User Datagram Protocol (UDP)
UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets: connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
Index queue mapping 3-188, 4-237 queue mode 3-190, 4-234 traffic class weights 3-191, 4-236 (not yet updated) Numerics 802.
global setting 3-160, 4-190 interface configuration 3-167, 4-191 H hardware version, displaying 3-13, 4-21 HTTPS 3-58, 4-86 HTTPS, secure server 3-58, 4-86 I IEEE 802.1D 3-136, 4-171 IEEE 802.1s 4-171 IEEE 802.1w 3-136, 4-171 IEEE 802.
maximum allocation 3-129, 4-163 priority 3-131, 4-163 showing mainpower 3-129, 4-165 port priority configuring 3-186, 3-194, 4-234, 4-243 default ingress 3-186, 4-235 STA 3-147, 4-181 port security, configuring 3-78, 4-109 port, statistics 3-122, 4-144 ports autonegotiation 3-103, 4-137 broadcast storm threshold 3-118, 4-141 capabilities 3-103, 4-138 duplex mode 3-102, 4-136 flow control 3-103, 4-139 forced selection on combo ports 3-103, 4-140 multicast storm threshold 4-141 speed 3-102, 4-136 unknow
system clock, setting 3-35, 4-48 system software, downloading from server 3-21, 4-24 T TACACS+, logon authentication 3-55, 4-83 time, setting 3-35, 4-48 traffic class weights 3-191, 4-236 trap manager 2-7, 3-40, 4-66 troubleshooting B-1 trunk configuration 3-105, 4-147 LACP 3-107, 4-149 static 3-106, 4-148 U unknown unicast storm, threshold 4-141 upgrading software 3-21, 4-24 UPnP configuration 3-224 user password 3-54, 4-76, 4-77 V VLANs 3-157–??, 4-189–4-205 adding static members 3-164,
ES4524M-PoE E012008/ST-R01 149100037400A